XVI. BANNER Security Policy

I. Purpose:

To establish policies, procedures and guidelines for accessing and using the
College's BANNER data.

II. Scope:

These policies affect all users with access to any BANNER data.

III. Introduction:

Metropolitan State College of Denver places a premium value on the
data collected, created by and used by the institution. These data are vital to
the on-going operation of the College. Everyone associated with the College has
an obligation to protect this vital asset from unauthorized or inappropriate
access, unauthorized or inappropriate use, and unauthorized or inappropriate
alteration or destruction.

Metropolitan State College of Denver recognizes and values the
privacy of its students and employees. Everyone associated with the College has
an obligation to protect the privacy of students, employees and College
associates.

Metropolitan State College of Denver recognizes the need for
institutional data to be shared in a timely, efficient and secure manner amongst
various departments with a demonstrable official need for the data.

Metropolitan State College of Denver will take all reasonable and
prudent measures to protect the confidentiality, integrity and availability of
its information processing assets. Such measures will, in addition to technical
and physical controls, include administrative policies, procedures, guidelines
and training.

IV. Definitions:

BANNER Managers: A committee comprised of BANNER module owners, department
managers, end-users, and IT personnel responsible for coordinating the
development, implementation, maintenance, and general stewardship of the SunGard
SCT BANNER information system at Metropolitan State College of Denver.

BANNER module owner: The individual responsible for the administrative
oversight of a given BANNER system (i. e. Student, Finance, Financial Aid, etc.)
and ultimately responsible for the data within said system.

V. Policy Statements:

  1. BANNER data is the property of Metropolitan State College of Denver. Access
    to BANNER data is restricted to authorized personnel only. Unauthorized access
    is prohibited.
  2. BANNER data will be used for official College business only. Specific
    non-College business use of BANNER data may be authorized under other official
    College policy. Unless specifically permitted by another official College
    policy, the use of BANNER data for personal gain or curiosity, or another’s
    personal gain or curiosity, is prohibited.
  3. Persons, and processes, accessing BANNER data will uphold the
    confidentiality and privacy of individuals whose data they access and observe
    any laws, regulatory requirements, policies and ethical restrictions that may
    apply with respect to their accessing, using or disclosing such information.
  4. Persons, and processes, with access to BANNER data, regardless of its form
    (electronic or print), will insure that all reasonable and prudent measures are
    taken to protect the data from theft and unauthorized or accidental viewing,
    copying, downloading, modification or destruction. The data must be protected
    while in use, in transit and in storage. The Division of Information Technology
    is to be notified immediately in the event the security of any BANNER or other
    administrative data is compromised.
  5. Anyone in the service of the College, with a genuine business or educational
    need, may be authorized to access the BANNER data necessary to perform their
    duties. An individual's access to BANNER data will be removed when the
    individual leaves the service of the College or during an extended absence.
    Supervisors are to notify the Division of Information Technology at
    1-877-35AskIT (1-877-352-7548) or visit www.mscd.edu/AskITand the Office of Human Resources (556-3120)
    immediately when an individual, including student employees, leaves their
    service or begins an extended absence.
  6. BANNER Module Owners have the sole authority to authorize access to the data
    within the modules they administer. Module Owners are encouraged to use the
    principle of least privilege when authorizing access to their module data.

VI. Reporting Violations:

Any suspected violations of these policies, or unauthorized access to
computing resources, or any other condition which could compromise the security
of BANNER data or other college computing resources must be reported to the
Division of Information Technology, Security and Disaster Recovery Coordinator,
http://www.mscd.edu/infotech/security/, 1-877-35AskIT (1-877-352-7548) or visit
www.mscd.edu/AskIT

VII. Remedies for non compliance:

Failure to comply with these policies may result in one or more of the
following actions: a) suspension of access to the network for the individual or
unit violating the policy, b) when appropriate, disciplinary action ranging from
warning to termination and (for students) expulsion from the College, depending
on circumstances, in accordance with applicable policies and procedures, c) when
appropriate, initiation of civil or criminal proceedings.

VIII. Authority:

The Office of the President grants authority to the Vice President of
Information Technology, in conjunction with the BANNER Managers committee, to
oversee compliance with this policy. The BANNER Managers will review this policy
annually and recommend revisions as necessary.

XI. Related documents and policies:

Family Educational Rights and Privacy Act
      http://www.mscd.edu/policies/federal_policies/ferpa.shtml

Responsible
Use of Information Technology Resources
      http://www.mscd.edu/infotech/policies/policy2.shtml

Ad
Hoc access to BANNER Databases v2.0
     http://www.mscd.edu/infotech/services/policies/AdHocAccessPolicy(v2.0).doc

X. APPROVAL

Approved May 11, 2005 by the Metro State President's
Cabinet.

[This policy will be reviewed as needed, but particularly when there are
significant changes in voice or e-mail systems or policies, and/or underlying
information systems or services.