SECTION CN.1
BUSINESS AND SUPPORT SERVICES
INFORMATION SECURITY
Procedure
SUMMARY
The Chief Information Officer establishes and acts as the College Information Security Officer. Various IT Department policies shall be maintained to ensure the security and integrity of IT resources. Users must comply with all applicable state and federal laws and may be subject to criminal prosecution for violation thereof under state and federal laws.
Navarro currently meets the State of Texas TAC202 Cyber Security requirements with monthly reporting.
USAGE MONITORING
Use of IT resources may be monitored by the IT Department to ensure proper and efficient usage, identify problems or check for security violations.
PASSWORDS
All users of IT resources are required to take appropriate steps, as outlined below, to select and secure their passwords.
1. Passwords must be at least 8 characters and contain uppercase and lowercase letters, at least one number, and at least one special character.
2. Passwords must be complex and difficult to guess.
3. Passwords must not be reused.
All passwords shall be treated as secret data and therefore must be protected as such. Personal account passwords in production environments may not be shared with any individual to whom the account does not belong. System passwords in any environment and personal account passwords in test environments may not be shared with any individual whose use of the password is not appropriate for completing their authorized duty.
LOCK SCREEN POLICY
All employees must log out of devices and/or applications which are not in active use. Computer workstations may not be left unattended without being locked, logged out, or shut down.
PHYSICAL ACCESS CONTROL
All employees must be aware of the financial investment and data security considerations of IT facilities, including IT offices, data centers, and network closets.
The following areas are considered IT Restricted Areas:
Level 1: Server Room
A “Server Room” is any area or locked container that houses one or more servers which house internal, confidential, and/or secret data.
These areas are identified and designated by the Chief Information Officer.
All entrances to an area with this designation must be secured with a lock which can be unlocked by no more than four individuals designated by the Chief Information Officer.
All entrances to these areas must be marked with prominent signage with the following messages:
All entries into the room must be logged with the time and name of each individual entering the area.
Anyone not designated as a keyholder by the Chief Information Officer must be escorted by a keyholder when inside a Server Room. The escort must be present. The purpose for entry must be legitimate and approved by the keyholder. A record of all escorts must be kept with the following information: entry time, name of escort, name of visitor, purpose of visit, company or organization of individual.
Level 2: Technical Work Area
A “Technical Work Area” is any area where technical work is commonly done, or where IT employees are stationed. These areas may contain technical equipment which may be in various repair states or sensitive data.
These areas are identified and designated by the Chief Information Officer.
Entrance into these areas by any individual who is not an IT employee must be approved by an IT employee and such entrance must be relevant and appropriate to college business. Individuals who are not IT employees must always be escorted by an IT employee when inside of these areas.
All entrances to these areas must be kept closed and locked, except for individual employee offices, which must be kept closed when unoccupied.
All entrances to these areas must be keyed with keys available only to IT employees and Campus Police.
All entrances to these areas must be marked with prominent signage with the following messages:
INFORMATION AND EQUIPMENT DISPOSAL
Employees must delete any files on their issued devices once they are clearly no longer needed.
Employees must return any storage media, such as hard drives, solid state drives, removable storage devices, compact discs, or other storage media to the IT department for proper disposal and destruction.
All data stored on paper must be shredded by an approved shredding company.
ENCRYPTION OF DEVICES
Newly issued computers must be configured to be encrypted when powered off. The IT department will maintain a database of the decryption keys necessary to recover data from each device issued.
Publicly accessible computers such as kiosk computers and lab computers are exempt from the encryption requirement.
Approved: 2015
Updated: 2021, 2024
Reviewed: