Requests for Access to Information Systems Containing Sensitive Data Procedure

 

Introduction

This procedure designates Hudson County Community College's (HCCC) System/Data Owners. These individuals oversee access to information systems containing sensitive data, such as the Colleague ERP System. Oversight is necessary to protect and preserve the confidentiality, integrity, and availability of HCCC's data and to comply with information technology standards and regulations applicable to HCCC.

The designated System/Data Owners for Hudson County Community College's information systems containing sensitive data shall have the authority to approve individuals' access to these systems.

Designation of System/Data Owners

The following Executive Staff members are designated as System/Data Owners for information systems containing sensitive data.

Colleague ERP System

  • Student Module: Vice President for Student Affairs and Enrollment
  • Student Financials Module: Vice President for Business and Finance/CFO
  • Financial Aid Module: Associate Dean of Financial Aid
  • Human Resources Module: Vice President for Human Resources

Document Imaging System

  • Enrollment Services, Admissions, and Advising Documents: Vice President for Student Affairs and Enrollment
  • Student Financial Aid Documents: Associate Dean of Financial Aid
  • Financial Documents: Vice President for Business and Finance/CFO

Requests for Access to Information Systems Containing Sensitive Data

Requests for access to information systems containing sensitive data shall be granted on a "least privilege" basis, meaning access only to such information and systems necessary to perform the individual's regular work duties.

Executive staff members designated as System/Data Owners or designated managers in functional areas shall review requests for access to information systems containing sensitive data from staff members under their administrative authority. They shall validate that users are granted access on a "least privilege" basis to only those privileges necessary to perform their regular work duties. They shall approve requests by submitting a system access request form located on the portal. If the access is not warranted, the request will be denied.

Removal of Access to Information Systems Containing Sensitive Data

Executive Staff members shall ensure that supervisors promptly notify Information Technology Services (ITS) when user access to an information system is no longer required and when a user's access must be modified because of a change in the employee's core duties.

ITS will be notified immediately by phone call, followed by an email to the Chief Information Officer (CIO), upon the termination of a superuser employee or in the event of an employee's involuntary termination. Routine terminations, transfers to another college department, or changes in duties must be submitted within five business days using the system access request form located on the portal.

Review of Access to Information Systems Containing Sensitive Data

An annual review of all user accounts for sensitive IT systems shall be conducted by ITS to assess the accounts' continued need and associated access level.

Responsibilities

The CIO shall have overall responsibility for developing and maintaining the technical procedures consistent with this procedure, and shall comply with the applicable standards of Hudson County Community College.

Appendix A describes the form's location for requesting access to college information systems.

Definitions

Data includes any information within HCCC's purview, including student record data, personnel data, financial data (budget and payroll), student life data, departmental administrative data, legal files, institutional research data, proprietary data, and all other data that pertain to or support the administration of the College.

Information System comprises the total components and operations of a record-keeping process, including information collected or managed using computer networks and the Internet, whether automated or manual, containing personal information and the name, personal number, or other identifying particulars of a data subject.

Sensitive data includes any information that could adversely affect the College's interests, the conduct of agency programs, or the privacy to which individuals are entitled if compromised in confidentiality, integrity, or availability. Data are classified as sensitive if compromise of those data results in a material and significant adverse effect on the College's interests, the affected agency's inability to conduct its business, or breach of privacy expectations, or if the data are required by law to be kept confidential.

Superuser is an employee who has enrollment panel or elevated privileged access (e.g., a security administrator).

References

  • Family Educational Rights and Privacy Act (FERPA) (20 USC § 1232g; 34 CFR Part 99)
  • Financial Services Modernization Act (Gramm-Leach-Bliley Act) (15 USC § 6801 et seq.)
  • Health Insurance Portability and Accountability Act (HIPAA) (Public Law 104-191)

Review Periodicity and Responsibility

The CIO shall review this procedure annually, and, if necessary, recommend revisions.

APPENDIX "A"

System Access Request Forms:

Colleague Access

https://myhudson.hccc.edu/ellucian

Account Creation Request or Disable Request

https://myhudson.hccc.edu/its

 

Approved by Cabinet: July 2021
Related Board Policy: ITS
