XVI. BANNER Security Policy

I. Purpose:

To establish policies, procedures and guidelines for accessing and using the College's BANNER data.

II. Scope:

These policies affect all users with access to any BANNER data.

III. Introduction:

Metropolitan State College of Denver places a premium value on the data collected, created by and used by the institution. These data are vital to the on-going operation of the College. Everyone associated with the College has an obligation to protect this vital asset from unauthorized or inappropriate access, unauthorized or inappropriate use, and unauthorized or inappropriate alteration or destruction.

Metropolitan State College of Denver recognizes and values the privacy of its students and employees. Everyone associated with the College has an obligation to protect the privacy of students, employees and College associates.

Metropolitan State College of Denver recognizes the need for institutional data to be shared in a timely, efficient and secure manner amongst various departments with a demonstrable official need for the data.

Metropolitan State College of Denver will take all reasonable and prudent measures to protect the confidentiality, integrity and availability of its information processing assets. Such measures will, in addition to technical and physical controls, include administrative policies, procedures, guidelines and training.

IV. Definitions:

BANNER Managers: A committee comprised of BANNER module owners, department managers, end-users, and IT personnel responsible for coordinating the development, implementation, maintenance, and general stewardship of the SunGard SCT BANNER information system at Metropolitan State College of Denver.

BANNER module owner: The individual responsible for the administrative oversight of a given BANNER system (i. e. Student, Finance, Financial Aid, etc.) and ultimately responsible for the data within said system.

V. Policy Statements:

1. BANNER data is the property of Metropolitan State College of Denver. Access to BANNER data is restricted to authorized personnel only. Unauthorized access is prohibited.
2. BANNER data will be used for official College business only. Specific non-College business use of BANNER data may be authorized under other official College policy. Unless specifically permitted by another official College policy, the use of BANNER data for personal gain or curiosity, or another’s personal gain or curiosity, is prohibited.
3. Persons, and processes, accessing BANNER data will uphold the confidentiality and privacy of individuals whose data they access and observe any laws, regulatory requirements, policies and ethical restrictions that may apply with respect to their accessing, using or disclosing such information.
4. Persons, and processes, with access to BANNER data, regardless of its form (electronic or print), will insure that all reasonable and prudent measures are taken to protect the data from theft and unauthorized or accidental viewing, copying, downloading, modification or destruction. The data must be protected while in use, in transit and in storage. The Department of Information Technology is to be notified immediately in the event the security of any BANNER or other administrative data is compromised.
5. Anyone in the service of the College, with a genuine business or educational need, may be authorized to access the BANNER data necessary to perform their duties. An individual's access to BANNER data will be removed when the individual leaves the service of the College or during an extended absence. Supervisors are to notify the Department of Information Technology at 1-877-35AskIT (1-877-352-7548) or visit www.mscd.edu/AskITand the Office of Human Resources (556-3120) immediately when an individual, including student employees, leaves their service or begins an extended absence.
6. BANNER Module Owners have the sole authority to authorize access to the data within the modules they administer. Module Owners are encouraged to use the principle of least privilege when authorizing access to their module data.

VI. Reporting Violations:

Any suspected violations of these policies, or unauthorized access to computing resources, or any other condition which could compromise the security of BANNER data or other college computing resources must be reported to the Department of Information Technology, Security and Disaster Recovery Coordinator, http://www.mscd.edu/~infotech/security/, 1-877-35AskIT (1-877-352-7548) or visit www.mscd.edu/AskIT

VII. Remedies for non compliance:

Failure to comply with these policies may result in one or more of the following actions: a) suspension of access to the network for the individual or unit violating the policy, b) when appropriate, disciplinary action ranging from warning to termination and (for students) expulsion from the College, depending on circumstances, in accordance with applicable policies and procedures, c) when appropriate, initiation of civil or criminal proceedings.

VIII. Authority:

The Office of the President grants authority to the Vice President of Information Technology, in conjunction with the BANNER Managers committee, to oversee compliance with this policy. The BANNER Managers will review this policy annually and recommend revisions as necessary.

IX. Related documents and policies:

Family Educational Rights and Privacy Act
      http://www.mscd.edu/policies/student/federal/ferpa.htm

Responsible Use of Information Technology Resources
      http://www.mscd.edu/~Einfotech/policies/manual/itpolicy2.htm

Ad Hoc access to BANNER Databases v2.0
      http://www.mscd.edu/~infotech/services/policies/AdHocAccessPolicy(v2.0).doc

X. APPROVAL

Approved May 11, 2005 by the MSCD President's Cabinet.

[This policy will be reviewed as needed, but particularly when there are significant changes in voice or e-mail systems or policies, and/or underlying information systems or services.