PURPOSE
This policy provides the expectations and guidelines of Hudson County Community College
(“College”) to all who use and manage the College’s Information Technology Services
and Resources (“ITS Resources”).
The College provides ITS Resources to advance the College’s educational, service,
business, and student success objectives. Any access or use of the College’s ITS Resources
that interferes, interrupts, or conflicts with these purposes will be considered a
violation of this policy. Violations will be subject to consequences, including revocation
of ITS access.
POLICY
This policy applies to all members of the College community, including faculty, students,
administrators, staff, alumni, authorized guests, and independent contractors who
use, access, or otherwise employ, locally or remotely, the College’s ITS Resources,
whether individually controlled, shared, stand-alone, or networked.
The Board delegates to the President the responsibility to develop procedures and
guidelines for the implementation of this policy. The Information Technology Services
and Finance Office will be responsible for implementing the policy.
Approved: June 2021
Approved by: Board of Trustees
Category: Information Technology Services
Scheduled for Review: June 2024
Responsible Office(s): Information Technology Services and Finance Office
Procedures
Acceptable Use for Information Technology Systems Procedure
Introduction
This procedure aims to ensure that the College’s Information Technology Systems (ITS)
are used to further the College’s mission. This procedure conforms to the HCCC Information
Technology Services Policy approved by the HCCC Board of Trustees.
Applicability
This procedure applies to all individual users accessing and using computing, networking,
and information resources through any College facility. These users include all Hudson
County Community College staff, faculty, administrators, and other persons hired or
retained to perform College work.
This procedure covers all of the College’s Information Technology Systems, including
computing, networking, and other information technology resources owned or operated
by, procured through, or contracted by the College. Such resources include the College’s
computing and networking systems (including those connected to the College’s telecommunications
infrastructure, the College-wide backbones, local area networks, and the Internet),
public-access sites, shared computer systems, desktop computers, mobile devices, other
computer hardware, software, databases stored on or accessible through the network,
ITS/Enterprise Applications facilities, and communications systems and services.
Accountability
The Chief Information Officer (CIO) and Directors/Managers of ITS/Enterprise Applications
shall implement this procedure. User reports of suspected abuse and other complaints
shall be directed to the CIO. The CIO shall report the incident to the Vice President
for Business and Finance/CFO. Specifics of the procedure are outlined below under
“Non-compliance and Sanctions.”
Privacy
The College places a high value on privacy and recognizes its critical importance
in an academic setting. In limited circumstances, including but not limited to technical
issues or failures, law enforcement requests, or government regulations, the College
may determine that other interests outweigh the value of a user’s privacy expectation.
Only then will the College access relevant IT Systems without the consent of the user.
The College is committed to protecting user privacy as long as this does not compromise
institutional resources. Circumstances under which the College may need to gain access
are discussed below. Procedural safeguards have been established to ensure access
is attained only when appropriate.
Conditions – In accordance with state and federal law, the College may access all aspects of
IT Systems, without the consent of the user, in the following circumstances:
- When necessary to identify or diagnose systems or security vulnerabilities and problems,
or otherwise preserve the integrity of the College’s IT Systems;
- When required by federal, state, or local law or administrative rules;
- When there are reasonable grounds to believe that a violation of law or a significant
breach of College policy or procedure may have taken place, and access and inspection
or monitoring may produce evidence related to the misconduct;
- When such access to IT/Enterprise Applications Systems is required to carry out essential
business functions of the College; and,
- When required to preserve public health and safety.
Under the New Jersey Open Public Records Act, the College reserves the right to access
and disclose data. This disclosure may include messages, data, files, and email backup
or archives. Disclosure to law enforcement authorities and others shall be made as
required by law, to respond to legal processes, and to fulfill its obligations to
third parties. Even deleted email is subject to legal discovery during litigation
through message archives, backup tapes, and un-deleting messages.
Process – The College will access data without the consent of the user only with the approval
of the CIO and the Vice President for Business and Finance/CFO. This process will
be circumvented only when emergency data access is necessary to preserve facilities’
integrity and preserve public health and safety. The College, through the CIO, will
log all instances of access without consent. A user will be notified of College access
to relevant IT Systems without consent. Depending on the circumstances, such notification
will occur before, during, or after the access at the College’s discretion.
General Principles
- Access to information technology is vital to the College’s mission of providing its
students with the highest quality educational services.
- The College owns its computing, networking, and other communications systems.
- The College also has various license-related rights to the software and information
residing on or developed on these computers and networks. The College has the responsibility
for the security, integrity, maintenance, and confidentiality of its communication
systems.
- The College’s IT Systems exist to support staff, faculty, administrators, consultants,
and students as they carry out the mission of the College. Toward these ends, the
College encourages and promotes the use of these resources by the College community
for their intended purposes. Access to and use of these resources outside of the College’s
mission is subject to regulation and restriction to ensure that they do not interfere
with legitimate work. Access and use of resources and services that interfere with
the College’s mission and goals are prohibited.
- When the demand for information technology resources exceeds available capacity, ITS
establishes priorities for allocating the resources. ITS gives a higher priority to
activities essential to the mission of the College. In conjunction with the Chief
Information Officer, the Vice Presidents shall recommend these priorities to the President.
- The College has the authority to control or refuse access to anyone who violates this
procedure. Threatening other users’ rights, the availability and integrity of the
systems, and information is a violation of this procedure. Consequences of procedure
violation include deactivating accounts, access codes or security clearances, stopping
processes, deleting affected files, and disabling access to information technology
resources.
Rights of Users
- Privacy and confidentiality: As described more fully in section IV (above), the College
will generally respect users’ rights to privacy and confidentiality. However, by their
technological nature, electronic communications, especially email connected to the
Internet, may not be secure from unauthorized access, viewing, or infringement. Although
the College employs technologies to secure electronic messages, the confidentiality
of email and other electronic documents cannot always be assured. Therefore, good
judgment dictates crafting electronic documents that may become public without embarrassment
or harm.
- Safety: The use by College faculty, staff, or administrators of the College’s IT Systems
to transmit threatening, harassing, or offensive communication (or the display of
offensive images or materials) is a violation of College procedure and may subject
the violator to severe sanction. College personnel should report threatening, harassing,
or offensive communications received over the network to the CIO as soon as possible.
Responsibilities of Users
- Individuals with access to the College’s computing, networking, and information resources
are responsible for using them professionally, ethically, and legally and consistently
with all applicable College policies. Users must take reasonable and necessary measures
to safeguard the operational integrity and accessibility of the College’s systems.
Users should maintain an academic and work environment conducive to efficiently and
productively carrying out the College’s mission. Specifically, the responsibilities
of users include:
- Respecting the rights of others, including their rights to intellectual property,
privacy, and freedom from harassment;
- Safeguarding the confidentiality of sensitive College information and the privacy
of student information following FERPA and College policy and procedures;
- Using systems and resources so as not to interfere with or disrupt the College’s normal
daily operations;
- Protecting the security and the integrity of information stored on College IT/Enterprise
Applications Systems;
- Knowing and obeying College and unit-specific policies and procedures governing access
to, and use of, College IT Systems and information on those systems.
Specific Proscriptions on Network Use
- Individuals may not share passwords or log-in IDs or otherwise give others access
to any system for which they are not the individual responsible for the data or system.
Users are responsible for any activity conducted with their computer accounts and
their password security. Only authorized persons may use the College’s IT/Enterprise
Applications Systems.
- Individuals may not use another person’s network account or attempt to obtain passwords
or access codes to another’s network account to send or receive messages.
- Individuals must identify themselves and their affiliation accurately and appropriately
in electronic communications. They may not disguise the identity of the network account
assigned to them or represent themselves as someone else.
- Individuals may not use the College’s systems to harass, intimidate, threaten or insult
others; to interfere with another’s work or education; to create an intimidating,
hostile, or offensive working or learning environment; or to conduct illegal or unethical
activities, including plagiarism and invasion of privacy.
- Individuals may not use the College’s systems to gain or attempt to gain unauthorized
access to remote networks or computer systems.
- Individuals may not deliberately disrupt the normal operations of the College’s computers,
workstations, terminals, peripherals, or networks.
- Individuals may not run or install programs on any College computer system that may
damage the College’s data and systems (e.g., computer viruses, personal programs).
Users must not use the College’s network to disrupt external systems. If a user suspects
that a program they intend to install or use may cause such an effect, they must first
consult with ITS/Enterprise Applications.
- Individuals may not circumvent or avoid using authentication systems, data-protection
mechanisms, or other security safeguards.
- Individuals must not violate any applicable copyright laws and licenses, and they
must respect other intellectual property rights. Information and software accessible
on the Internet are subject to copyright or additional intellectual property-right
protection. College policy, procedures, and the law forbid the unauthorized copying
of software that has not been placed in the public domain and distributed as “freeware.”
Therefore, nothing should be downloaded or copied from the Internet without express
permission from the owner of the material. Users must observe the material owner’s
requirements or limitations on the material. The use of software on more than the
licensed number of computers and unauthorized installation of unlicensed software
are also prohibited.
“Shareware” users must abide by the requirements of the shareware agreement.
- Activities that waste or unfairly monopolize computing resources and do not promote
the College’s mission are prohibited. Examples of such activities include unauthorized
mass e-mailings; electronic chain letters, junk mail, and other types of broadcast
messages; unnecessary multiple processes, output, or traffic; exceeding network directory
space limitations; game-playing, “surfing” the Internet for recreational purposes,
or other non-work-related applications during business hours; and excessive printing.
- Reading, copying, changing, or deleting programs or files that belong to another person
or the College without permission is prohibited.
- Individuals must not use the College’s computing resources for commercial purposes
or personal financial gain.
- Use of the College’s IT Systems that violates local, state, or national laws or regulations
or College policies, standards of conduct, or guidelines is prohibited.
- Email Communications:
  - The College’s email system exists to support the College’s work, and email use must
    be related to College business. However, incidental personal, noncommercial use without
    direct cost to the College that does not interfere with legitimate College business
    is also permitted.
  - Electronic communications whose meaning, transmission, or distribution is illegal,
    unethical, fraudulent, defamatory, harassing, or irresponsible are prohibited. College
    email systems must not be used to communicate content that may be considered inappropriate,
    offensive, or disrespectful to others.
  - Individuals should observe appropriate professional standards of civility and decency
    in all electronic communication.
  - All email correspondence relating to College business (including that sent to students
    and prospective students) should be sent with a plain white background and should
    not use any decorative stationery.
  - Broadcast emails to the College Community will relate to College policy and procedures,
    College news, a College-sponsored event, or items affecting the College Community.
    Items for sale, donation requests, and other non-College business matters are prohibited.
    Individuals may not send emails requesting this type of information via the College’s
    mailing lists.
World Wide Web
- The Hudson County Community College Web site is an official publication of the College.
All information contained on the Web pages must be accurate and reflect the official
College policy and procedures.
- Official College Web pages conform to the same standards as any College print publication.
The CIO, Director of Marketing and College Relations, Web Services Manager and the
pertinent Vice President or their designee shall have the ultimate responsibility
for each page’s content and design.
- The Web Services Manager and College staff responsible for each division or department
will regularly review the currency and accuracy of official Hudson County Community
College web pages. Individual areas are responsible for communicating revisions and
updates, as they occur, to the Web Services Manager, who will review them and arrange
for their posting.
Non-compliance and Sanctions
Non-compliance with this procedure may result in denial or removal of access privileges
to the College’s electronic systems, disciplinary action under applicable College
policies and procedures, civil liability and litigation, and criminal prosecution
under appropriate state, federal, and local laws.
The process for an investigation into suspected abuses and non-compliance with this
procedure is as follows:
- Report suspected abuse to the CIO.
- If there is concurrence by the Vice President for Business and Finance/CFO, the CIO
shall investigate the report.
- CIO shall report any discovered abuse to the appropriate divisional Vice President,
who will determine appropriate disciplinary action.
Network, Email, and Internet Accounts Procedures
Eligible for Accounts are the following:
- All salaried Hudson County Community College full-time staff.
- All adjunct faculty and other consultants engaged by the College through letters of
agreement, memoranda of understanding, or contract.
- All members of the Board of Trustees.
- Hudson County Community College part-time staff who have a demonstrated need for computer
resources available from ITS/Enterprise Applications (other than general Internet
access), related to their work at the College, are eligible for temporary accounts.
- Employees of affiliated educational institutions that have relationships with Hudson
County Community College, and a demonstrated need for ITS/Enterprise Applications
computer resources (other than general Internet access), are eligible for temporary
accounts.
- Affiliated organizations with an academic mission whose activities related to the
College require computing resources that the affiliate cannot reasonably supply on
its own are eligible for temporary accounts.
ITS removes accounts when:
- The account holder no longer meets the eligibility requirements.
- The account is temporary, and the expiration date passes without renewal.
- The account holder has not accessed the account in 18 consecutive months.
Passwords
- Accounts are created with a pre-assigned password that account holders must change
upon logging in for the first time, and consistent with College procedures.
- It is strictly forbidden to share or divulge passwords.
Hudson County Community College Email Procedure
Individuals with access to the College’s IT Systems are responsible for using them
professionally, ethically, legally, and following applicable College policies and
procedures. Users should maintain an academic and work environment conducive to efficiently
and productively carrying out the College’s mission.
Electronic communications whose meaning, transmission, or distribution are illegal,
unethical, fraudulent, defamatory, harassing, irresponsible, or violate College policies
or procedures are prohibited. Electronic communications should not contain anything
that could not be posted on a bulletin board, seen by unintended viewers, or appear
in a College publication. Material that may be considered inappropriate, offensive,
or disrespectful to others should not be sent or received as electronic communications
using College facilities. The CIO will oversee the enforcement of this procedure.
A. Actions Considered Violations of this email procedure are as follows:
- Sending unauthorized bulk email messages (“junk mail” or “spam”).
- Using email for harassment, whether through language, frequency, content, or size
of messages.
- Forwarding or otherwise propagating chain letters and pyramid schemes, whether or
not the recipient wishes to receive such mailings.
- Malicious emails, such as “mail-bombing” or flooding a user site with very large or
numerous pieces of email.
- Forging of sender information other than accountname@hccc.edu or another preapproved
header address.
- Sending email for commercial purposes or personal financial gain.
The College has the right to remove access to accounts found in violation of this
procedure.
B. Email Rules and Controls:
- The College does not archive email.
- The College does filter email for spam and malicious content.
- The College blocks email accounts that send spam and malicious content.
Approved by Cabinet: July 2021
Related Board Policy: Information Technology Services
Computer Life Cycles Procedure
Introduction
This procedure aims to ensure access to the current computing technology required to promote student success
and fulfill employee job responsibilities. This procedure provides for the scheduled replacement,
by the Office of Information Technology Services (ITS), of computers for employee, classroom,
and lab use.
Purpose
The purpose of this procedure is to set the parameters and process for personal computer
replacements. This procedure excludes unique purpose workstations and terminals for
use with Virtual Desktop Infrastructure (VDI).
Scope
This procedure covers personal computers used by full-time faculty, full-time staff,
labs, and classrooms. Computers purchased under grants or for a dedicated use must
be handled separately by the parameters of their grants and purpose. This policy does
not apply to peripheral equipment, office phones, cell phones, printers, scanners,
Audio/Visual equipment, servers, or other IT-related equipment. That equipment is
replaced by ITS according to need, condition, and budgetary resources based on their
analysis, judgment, and support contracts.
Hardware Platforms
Each year, the College will determine standard specifications for desktop and laptop
computers based on job function to contain costs, maintenance, and support efficiencies.
ITS has developed the equipment standards, reviewed by the All College Council Technology
Committee, and approved by the Chief Information Officer and the Vice President for
Finance and Business/Chief Financial Officer. Since ITS supports one device per employee,
users will be assigned a laptop and docking station rather than a desktop computer.
Desktop computers will be given in areas where their use will be shared, such as reception
areas, classrooms, labs, and adjunct or workstudy work areas.
Procedure
- Personal computers will be maintained and supported by ITS through their designated
period of service. The current period of service for HCCC personal computers is five
years.
- Each year, ITS will replace a portion of personal computers on the inventory list.
ITS will deploy faculty and staff personal computers over the summer and fall. ITS
will also refresh part of the classroom, lab, and open-access computers each year.
Estimated replacement budgets will be presented at annual budget hearings. ITS recognizes
that some faculty, staff, and students have different computing needs. Academic labs
with specialized computers will be built into the replacement budget when possible.
Faculty and staff who require a non-standard machine that exceeds a standard personal
computer's cost will be required to obtain Office/School approval. Their Office/School
will fund the price difference.
- Part-time Faculty and staff who want to borrow a laptop will complete a request form
requiring the manager's approval. Upon manager approval, ITS will provision a laptop.
- ITS will work with the computer's user to migrate employee data to the replacement
computer. ITS will remove the older personal computer. ITS will hold the old computer's
hard drive for two weeks to 90 days to ensure that no data was lost during the deployment.
- Retirees may be given the option to purchase their old computer for a fair market
value determined by ITS. These purchases are "as is," and ITS will remove all HCCC
software and data before the transfer of ownership. Employees will write a check to
Hudson County Community College, which will be deposited in the College’s account.
- In some cases, computers may be reused or redeployed to other locations on campus
at ITS's discretion.
- When personal computers need to be moved, the Office/School must contact ITS. ITS
is responsible for an accurate inventory. Users should not relocate personal computers
themselves. Computers should not be reassigned or redistributed without notifying
ITS and obtaining approval.
- When an employee with a personal computer exits the College, ITS will be notified
by the Office/School and Human Resources. In most cases, this computer will be redistributed
to the next employee hired in that position.
- If a personal computer breaks and cannot be repaired, ITS will replace the computer
with a new machine. That computer then becomes the personal machine for that employee.
Approved by Cabinet: April 2023
Related Board Policy: Information Technology Services
Events Management Procedure
Introduction
This procedure aims to ensure successful events across the College that continue to
further the College’s mission. This procedure conforms to the HCCC Information Technology
Services Policy approved by the Board of Trustees.
Applicability
This procedure is applicable to all faculty and staff of the College who hold College
events.
Accountability
The Associate Vice President for Information Technology Services and Chief Information
Officer will implement this procedure in coordination with the Executive Director
of Facilities, Operations and Engineering, the Executive Director of Public Safety
and Security, and other college leaders.
Procedure
- Definition of an HCCC Event
  - College Academic Activities: CAA are activities or events directly related to the instructional mission of the
    College. Examples include credit-bearing classes, programmatic activities relating
    to academic coursework, and faculty/administrative departmental meetings.
  - College Events: CE are activities organized and run by faculty, staff, College offices, and registered
    and approved student organizations planned primarily for members of the HCCC community
    and the benefit of the College. Examples include student programming activities, faculty
    and staff development, commencement, convocation, open houses, recruitment events,
    guest lecturers, and others. Attendees of these events include members of the community,
    faculty, staff, students, guests and alumni.
  - College Hosted Events: CHE are academic programs, conferences, retreats, and meetings involving two entities:
    a College entity (school, academic or administrative unit, or registered and approved
    student organization) and an outside organization (such as a professional association
    in which the College holds membership or maintains a relationship that directly benefits
    the College community or community-based organization.)
  - Non-College/External Events: NC/EE are defined as programs and activities organized by individuals, groups, businesses,
    or organizations not included in the organizational structure of the College. Examples
    are receptions, charity events, corporate meetings and events, youth camps, conferences,
    social activities, exhibitions, etc. Non-University/External Events require a contractual
    arrangement and proper proof of insurance with the College.
- Offices Supporting Events and What They Provide
  - Information Technology Services
    - Technology equipment
    - Test presentations and media ahead of the event
    - Meeting links and hybrid meeting/event support
    - Guest WiFi
    - Technology support during the event
  - Facilities
    - Furniture setup and breakdown
    - Breaking down furniture
    - Cleaning
    - HVAC monitoring
  - Security
    - Security support during events
    - Building openings and closings
    - Parking and transportation support
  - Flik
    - Food and drink
    - Servers and other support
    - Coordination with outside groups
- Events Management Process
  - Online requests must be entered through the College's Coursedog system.
  - Approval will be required for special spaces and event types; e.g., President's Board
    Room, Atrium, Gallery.
  - Advance notice is required for all events.
  - Priority will be given to college-wide, high-profile events.
- Event Type Guide
| Event Type | Description |
| --- | --- |
| Academic Computer Lab | Computer lab services, including the support of a Lab Assistant, require three days’ notice. These requests may be entered 180 days in advance. |
| Administrative Services | Meetings require one day’s advance notice. |
| Continuing Education (CE) | Continuing Education and Workforce Development events and classes require one day's notice. These requests may be entered 180 days in advance. |
| Enrollment Services / Admissions | Enrollment Services and Admissions events require three days’ notice. These requests may be entered 90 days in advance. |
| Hospitality and Catering Services Priority 1 | Priority 1 Events include campus-wide events, external participants, advertised events, and cabinet-level events. These requests require 30 days’ notice and may be entered 180 days in advance. |
| Hospitality and Catering Services Priority 2 | Priority 2 Events, which include department-level events with more than 50 participants and that are being recorded, require 14 days’ notice. These requests may be entered 180 days in advance. |
| Hospitality and Catering Services Priority 3 | Priority 3 Events are small and more informal and require three days’ notice. These requests may be entered 180 days in advance. |
| North Hudson Campus Event | Programs and events hosted on the North Hudson Campus require three days’ notice. These requests may be entered 180 days in advance. |
| North Hudson Office Space | Meetings at the North Hudson Campus require one day’s notice. |
| Registrar's Office | Programs and events in Academic Affairs classrooms in Journal Square require one day’s notice. These requests may be entered 180 days in advance. |
| School of Nursing Testing / Guest Speaker | Programs and events in the F129 Computer Lab require one day’s notice. These requests may be entered 180 days in advance. |
| Student Life | All Student Life Events require two days’ notice. These requests may be entered 180 days in advance. |
- Responsibilities
  - Organizers will provide all available information in the request, including contacts
    for the event, email and phone numbers, etc.
  - Organizers will communicate any changes in a timely manner, and in writing.
  - Organizers will include the College’s Accessibility Statement in all communications
    about the event.
  - Organizers will attend walkthroughs and practice sessions as required by the event
    type.
  - College offices providing services will communicate in a timely manner with the organizers.
  - Hybrid event links will be created exclusively by Information Technology Services
    for HCCC events.
  - Organizers will notify college offices in advance when there is a cancellation to
    release the event space.
  - HCCC Offices will notify organizers of any issues as soon as they are discovered.
Approved by Cabinet: December 2024
Related Board Policy: Information Technology Services
Requests for Access to Information Systems Containing Sensitive Data Procedure
Introduction
This procedure designates Hudson County Community College's (HCCC) System/Data Owners.
These individuals oversee access to information systems containing sensitive data,
such as the Colleague ERP System. Oversight is necessary to protect and preserve the
confidentiality, integrity, and availability of HCCC's data and to comply with information
technology standards and regulations applicable to HCCC.
The designated System/Data Owners for Hudson County Community College's information
systems containing sensitive data shall have the authority to approve individuals'
access to these systems.
Designation of System/Data Owners
The following Executive Staff members are designated as System/Data Owners for information
systems containing sensitive data.
Colleague ERP System
- Student Module: Vice President for Student Affairs and Enrollment
- Student Financials Module: Vice President for Business and Finance/CFO
- Financial Aid Module: Associate Dean of Financial Aid
- Human Resources Module: Vice President for Human Resources
Document Imaging System
- Enrollment Services, Admissions, and Advising Documents: Vice President for Student Affairs and Enrollment
- Student Financial Aid Documents: Associate Dean of Financial Aid
- Financial Documents: Vice President for Business and Finance/CFO
Requests for Access to Information Systems Containing Sensitive Data
Requests for access to information systems containing sensitive data shall be granted
on a "least privilege" basis, meaning access only to such information and systems
necessary to perform the individual's regular work duties.
Executive staff members designated as System/Data Owners or designated managers in
functional areas shall review requests for access to information systems containing
sensitive data from staff members under their administrative authority. They shall
validate that users are granted access on a "least privilege" basis to only those
privileges necessary to perform their regular work duties. They shall approve requests
by submitting a system access request form located on the portal. If the access is
not warranted, the request will be denied.
Removal of Access to Information Systems Containing Sensitive Data
Executive Staff members shall ensure that supervisors promptly notify Information
Technology Services (ITS) when user access to an information system is no longer required
and when a user's access must be modified because of a change in the employee's core
duties.
ITS will be notified immediately by phone call, followed by an email to the Chief
Information Officer (CIO), upon the termination of a superuser employee or in the
event of an employee's involuntary termination. Routine terminations, transfers to
another college department, or changes in duties must be submitted within five business
days using the system access request form located on the portal.
Review of Access to Information Systems Containing Sensitive Data
An annual review of all user accounts for sensitive IT systems shall be conducted
by ITS to assess the accounts' continued need and associated access level.
Responsibilities
The CIO shall have overall responsibility for developing and maintaining the technical
procedures consistent with this procedure, and shall comply with the applicable standards
of Hudson County Community College.
Appendix A lists the location of the forms for requesting access to college information
systems.
Definitions
Data – includes any information within HCCC's purview, including student record data, personnel
data, financial data (budget and payroll), student life data, departmental administrative
data, legal files, institutional research data, proprietary data, and all other data
that pertain to or support the administration of the College.
Information System – comprises the total components and operations of a record-keeping process, including
information collected or managed using computer networks and the Internet, whether
automated or manual, containing personal information and the name, personal number,
or other identifying particulars of a data subject.
Sensitive data – includes any information that could adversely affect the College's interests, the
conduct of agency programs, or the privacy to which individuals are entitled if compromised
in confidentiality, integrity, or availability. Data are classified as sensitive if
compromise of those data results in a material and significant adverse effect on the
College's interests, the affected agency's inability to conduct its business, breach
of privacy expectations, or is required by law to be kept confidential.
Superuser – is an employee who has enrollment panel or elevated privileged access; e.g., a
security administrator.
References
- Family Educational Rights and Privacy Act (FERPA) (20 USC § 1232g; 34 CFR Part 99)
- Financial Services Modernization Act (Gramm-Leach-Bliley Act) (15 USC § 6801 et seq.)
- Health Insurance Portability and Accountability Act (HIPAA) (Public Law 104-191)
Review Periodicity and Responsibility
The CIO shall review this procedure annually, and, if necessary, recommend revisions.
APPENDIX "A"
System Access Request Forms:
Colleague Access
https://myhudson.hccc.edu/ellucian
Account Creation Request or Disable Request
https://myhudson.hccc.edu/its
Approved by Cabinet: July 2021
Related Board Policy: ITS
Information Security Plan Procedure
Introduction
The purpose of the development and implementation of this comprehensive written information
security plan procedure (“Plan”) is to create effective administrative, technical,
and physical safeguards for the protection of “personal information” of prospective
students, applicants, students, employees, alumni, and friends of Hudson County Community
College, and to comply with our obligations under New Jersey regulation 201 CMR 17.00.
The Plan sets forth our procedures for evaluating our electronic and physical methods
of accessing, collecting, storing, using, transmitting, and protecting “personal information”
of the College’s constituents.
For purposes of this Plan, “personal information” is defined as a person’s first name
and last name, or first initial and last name, in combination with any one or more
of the following data elements that relate to such resident: (a) Social Security Number;
(b) driver’s license number or state-issued identification card number; or (c) financial
account number or credit or debit card number, with or without any required security
code, access code, personal identification number or password that would permit access
to a resident’s financial account where Hudson County Community College is the custodian
of that data; provided, however, that “personal information” shall not include information
that is lawfully obtained from publicly available information, or from federal, state
or local government records lawfully made available to the general public.
Purpose
The purpose of this Plan is to:
- Ensure the security and confidentiality of personal information;
- Protect against any potential threats or hazards to the security or integrity of personal
information; and,
- Protect against unauthorized access to, or use of, personal information in a manner
that creates a substantial risk of identity theft or fraud.
Scope
In formulating and implementing the Plan, the institution will: (1) identify reasonably
foreseeable internal and external risks to the security, confidentiality, and integrity
of any electronic, paper, or other records containing personal information; (2) assess
the likelihood and potential damage of these threats, taking into consideration the
sensitivity of the personal information; (3) evaluate the sufficiency of existing
policies, practices, procedures, information systems, and other safeguards in place
to control risks; (4) design and implement a plan that puts safeguards in place to
minimize those risks, consistent with the requirements of 201 CMR 17.00; and (5) regularly
monitor the Plan.
Data Security Coordinator
HCCC has designated the Chief Information Officer (CIO) and Vice President for Business
and Finance/CFO to implement, supervise and maintain the Plan. The CIO and Vice President
for Business and Finance/CFO will be responsible for:
- Initial implementation of the Plan;
- Oversight of ongoing employee training on the elements and requirements of the Plan
for all owners, managers, employees, and independent contractors that have access
to personal information;
- Monitoring the Plan’s safeguards;
- Assessing Third Party Service providers that have access to and host/transmit/backup/maintain
personal information, and requiring those service providers by contract to implement
and maintain such appropriate security measures to protect personal information;
- Reviewing the scope of the security measures in the Plan annually, or whenever there
is a material change in HCCC’s business practices that may implicate the security
or integrity of records containing personal information; and,
- Reviewing legislation and laws and updating policies and procedures as required.
Internal Risks
To combat internal risks to the security, confidentiality, and integrity of any electronic,
paper, or other records containing personal information, and in order to evaluate
and improve, where necessary, the effectiveness of the current safeguards for limiting
such risks, the following measures are mandatory and effective immediately:
Administrative Measures
- A copy of the Plan shall be distributed to the President, the President’s Cabinet,
Information Technology Services (ITS) staff, and other designated staff members handling
personal information. Upon receipt of the Plan, each individual needs to acknowledge
in writing that they received a copy of the Plan.
- After training, all staff will be required to sign confidentiality agreements that
describe the handling of personal information. The confidentiality agreements will
require staff members to report any suspicious or unauthorized use of “personal information”
to the CIO or the Vice President for Human Resources.
- The amount of personal information collected must be limited to what is reasonably
necessary to accomplish legitimate business purposes. Personal information use is
addressed through audits in various areas.
- All data security measures shall be reviewed at least annually, or whenever there
is a material change in HCCC’s business practice or change in law that may reasonably
implicate the security or integrity of records containing personal information. The
CIO and Vice President for Business and Finance/CFO shall be responsible for this
review and shall fully apprise department heads of the results of that review and
any recommendations for improved security arising from that review.
- Whenever there is an incident that requires notification under N.J. Stat. § 56:8-163,
New Jersey’s personal information data breach reporting law, there shall be an immediate
mandatory post-incident review of events and actions taken, if any, to determine whether
any changes in HCCC’s security practices are required in order to improve the security
of personal information under the Plan.
- Each department shall develop rules (bearing in mind the business needs of that department)
that ensure reasonable restrictions upon physical access of personal information are
in place, including a written procedure that states how the record’s physical access
is restricted. Each department must store such records and data in locked facilities,
secure storage areas, or locked cabinets.
- Except for System Administration accounts, access to electronically stored personal
information shall be electronically limited to those employees having a unique login
ID, with appropriate access. Access will not be granted to employees whom the CIO
determines do not need access to electronically stored personal information.
- When a confidentiality agreement is not in place, visitor or contractor access to
sensitive data, including but not limited to passwords, encryption keys, and technical
specifications, when necessary, must be agreed to in writing. Access shall be limited
to the minimum amount necessary. If remote login is needed for access, that access
must also be approved through HCCC’s ITS Department.
Physical Measures
- Access to records containing personal information shall be limited to those who are
reasonably required to know such information to accomplish HCCC’s legitimate business
purpose. To mitigate against unneeded disclosure, sensitive and personal information
will be redacted, paper records will be stored in locked facilities, and data security
controls for electronic records will be implemented.
- At the end of the workday, all non-electronic files and other records containing personal
information must be stored in locked rooms, offices or cabinets.
- Paper records containing personal information shall be disposed of in a manner that complies
with N.J. Stat. § 56:8-163, New Jersey’s personal information data breach reporting
law. This means records should be disposed of using a cross-cut shredder, or other
methods that render the information illegible.
Technical Measures
- HCCC does not allow employees to store personal information on portable media. This
includes laptops, USB, CDs, etc. When employees who have access to personal information
are terminated, HCCC shall terminate their access to network resources and physical
devices that contain personal information. This includes termination or surrender
of network accounts, database accounts, keys, badges, phones, and laptops or desktops.
- Employees are required to change their passwords on a routine basis for systems that
contain personal information.
- Access to personal information shall be restricted to active users, and active user
accounts only.
- Where technically possible, all HCCC maintained systems that store personal information
will employ automatic locking features that lock access after multiple unsuccessful
login attempts.
- Electronic records (including records stored on hard drives and other electronic media)
containing personal information shall be disposed of in a manner
that complies with N.J. Stat. § 56:8-163, New Jersey’s personal information data breach
reporting law. This requires that information be destroyed or erased so that personal
information cannot practicably be read or reconstructed.
External Risks
- To combat external risks to the security, confidentiality, and integrity of any electronic,
paper, or other records containing personal information, and in order to evaluate
or improve where necessary the effectiveness of the current safeguards for limiting
such risks, the following measures are mandatory and effective immediately:
a.) There are reasonably up-to-date firewall protection and operating system security
patches reasonably designed to maintain the integrity of personal information installed
on systems with personal information.
b.) There are reasonably up-to-date versions of system security agent software that
include malware protection, and reasonably up-to-date patches and virus definitions
installed on systems processing personal information.
c.) When stored on HCCC’s network shares, files containing personal information should
be encrypted. HCCC does not allow personal information to be stored on laptops, PCs,
USB devices, or other portable media. HCCC will deploy encryption software to comply
with this objective.
d.) Any personal information transmitted electronically to third-party vendors should
be sent via the vendor’s encrypted service or through HCCC’s designated encrypted
service for secure transmission.
e.) All new service providers that store HCCC’s personal information in electronic
form will need to adequately demonstrate security measures through the EDUCAUSE HECVAT
or similar instrument. These vendors must also be approved by HCCC’s Vice President
for Finance and Business/CFO.
f.) Human Resources and Information Technology Services personnel shall follow the
procedures outlined in the HCCC Acceptable Use Procedure for Information Technology
Systems related to the creation, transfer, or termination of accounts, along with
policies for password storage and role-based security.
g.) All personal information will be disposed of following HCCC Policies and Procedures.
h.) As resources and budget allow, HCCC will implement technology that will allow
the College to monitor databases for unauthorized use of, or access to, personal information,
and employ secure authentication protocols and access control measures pursuant to
HCCC’s procedures.
Approved by Cabinet: July 2021
Related Board Policy: Information Technology Services
Information Security Incident Response Plan Procedure
Purpose
This plan guides how to respond to information security incidents at Hudson County
Community College (HCCC). The plan identifies the roles and responsibilities of the
HCCC incident response team and the steps to be taken in the event of an incident.
The Information Security Incident Response Plan (ISIRP) aims to minimize the impact
of an incident, preserve evidence for investigation purposes, and restore normal operations
as quickly as possible.
Definitions
Incident: An event that results in a loss of confidentiality, integrity, or availability of
information or information systems.
Response: The actions that are taken to mitigate the impact of an incident and restore the
affected systems and data to their normal state.
Incident Response Team (IRT): The Incident Response Team (IRT) is responsible for implementing the ISIRP. The IRT
consists of representatives from relevant departments, including but not limited to
Information Technology Services (ITS), Finance (Risk Management), Legal Counsel, HR,
and Communications. The IRT is responsible for coordinating the response to an incident
and ensuring that all necessary resources are available.
Roles and Responsibilities
The IRT is responsible for the following:
- Responding to incidents and mitigating their impact.
- Investigating incidents and determining their cause.
- Restoring systems and data that have been affected by an incident.
- Communicating with stakeholders about incidents.
- Logging and reporting incidents.
Incident Reporting
All suspected or confirmed information security incidents must be reported to ITS
immediately. ITS will then assess the incident and determine if it is a security incident.
ITS will escalate the incident to the IRT if it is a security incident.
Response Steps
Incident Categorization:
The IRT will categorize the incident based on its severity and impact. The categories
are as follows:
Category 1: Minor Incident - No significant impact on the college or its operations.
Category 2: Moderate Incident - Limited impact on the college or its operations.
Category 3: Major Incident - Significant impact on the college or its operations.
Category 4: Critical Incident - Severe impact on the college or its operations.
Incident Response by Category:
The IRT will follow the steps below to respond to an incident:
Category 1: No formal response is required.
Category 2: The IRT will investigate the incident and take appropriate action to contain and
mitigate the incident.
Category 3: The IRT will coordinate with relevant departments and external resources, such as
law enforcement and cybersecurity experts, to investigate the incident and take appropriate
action to contain and mitigate the incident.
Category 4: The IRT will implement the HCCC Emergency Management Plan, which outlines the steps
to follow during a significant crisis.
ISIRP Steps for IRT to Follow
The IRT will follow these steps in the event of an incident:
- Respond to the incident report.
- Mitigate the impact of the incident.
- Categorize the effects on the above scale.
- Investigate the incident.
- Determine the cause of the incident.
- Restore systems and data that have been affected by the incident.
- Communicate with stakeholders about the incident.
- Log and report the incident.
Tools and Resources
The IRT will use the following tools and resources to respond to incidents:
- Security software: Sophos, Crowdstrike
- Data backup and recovery systems: Cohesity, Arcserve, OneDrive
- Communication channels: Email, Text, Social Media
- Third-party cybersecurity experts: NJ Edge, CyberSecOp, Cybersecurity Insurance consultants
Testing and Training
The IRT will test and train regularly on the procedures and tools in place.
Communication Plan
The IRT will communicate with the following stakeholders in the event of an incident:
- Students
- Faculty
- Staff
- Media
- Law enforcement
- Regulatory agencies
Metrics and Reporting
The IRT will document all aspects of the incident, including but not limited to the
incident type, severity, impact, response, and resolution. Documentation will be stored
securely and accessible only to authorized personnel.
The IRT will collect and analyze the following metrics related to incidents:
- Number of incidents
- Cost of incidents
- Time to recover from incidents
The Associate Vice President for Technology and CIO will report on these metrics to
the HCCC Board of Trustees.
Review and Update
The AVP CIO will review the ISIRP annually and update it to reflect the changing security
landscape and HCCC's evolving needs.
Approved by Cabinet: May 2023
Related Board Policy: Information Technology Services
Portable Technology Accountability Procedure
- INTRODUCTION
This procedure aims to establish clear guidelines for accountability and responsibility
regarding the loss or damage of portable technology devices provided by Hudson County
Community College (HCCC) to employees and students. This procedure is in alignment
with the HCCC Information Technology Services Policy approved by the HCCC Board of
Trustees.
- APPLICABILITY
This procedure applies to all individuals, including employees and students, for whom
HCCC has issued portable technology devices.
- ACCOUNTABILITY
- Individual Responsibility
- All individuals issued portable technology devices are personally responsible for
the proper care and safekeeping of the equipment.
- Users must report any loss or theft of the portable technology device to the Office
of Public Safety and Security immediately. Any damage to the device must be reported
to the Office of Information Technology Services (ITS) immediately.
- Reporting Procedure
- Individuals reporting a lost or damaged device must provide detailed information about
the incident, including the date, time, and location.
- A written incident report must be submitted to the Office of Public Safety and Security
within 24 hours of an occurrence of loss or theft.
- Investigation
- The Office of Public Safety and Security will investigate the circumstances surrounding
the loss of the portable technology device.
- Individuals involved may be required to cooperate fully with the investigation, providing
any relevant information.
- Accountability Measures
- If the loss or damage is found to be due to negligence or intentional actions, the
individual may be held financially responsible for the repair or replacement cost
of the equipment.
- Individuals will be notified in writing of the outcome of the investigation and any
financial obligations.
- Financial Responsibility
- Individuals held responsible for the loss or damage will be required to reimburse
HCCC for the repair or replacement cost of the portable technology device. The repair
or replacement cost of employees' equipment could come from the office/school’s budget.
- Payment arrangements may be made with the Office of Accounting, and failure to fulfill
financial obligations may result in additional consequences, including holds on academic
records or other disciplinary actions.
- EXCEPTIONS
Cases involving loss or damage due to theft or other criminal activities will be handled
following local law enforcement procedures.
- COMMUNICATION
This policy will be communicated to all individuals receiving portable technology
devices through the distribution of written materials, inclusion in employee/student
handbooks, and electronic communication channels.
Approved by Cabinet: March 2024
Associated Policy: ITS
Vendor Risk Management Plan Procedure
Introduction
This Vendor Risk Management Plan aims to establish a framework for effectively managing
and mitigating risks associated with third-party vendors at Hudson County Community
College. The procedure outlines the processes and procedures for vendor evaluation,
selection, and ongoing monitoring to ensure the security, compliance, and reliability
of vendor relationships. The procedure primarily focuses on collecting and reviewing information
about the vendor's suitability and security and assessing terms and conditions and
contract language during initial contract signing and renewal.
- Vendor Selection Process
- Vendor Identification: Identify potential vendors based on the college's requirements
and needs.
- Initial Vendor Evaluation: Evaluate potential vendors using the following criteria:
- Qualifications and expertise
- Reputation and references
- Financial stability
- Security and compliance standards
- Service level agreements
- Request for Proposal (RFP): Prepare and issue an RFP, if necessary, to shortlisted
vendors outlining the college's expectations, requirements, and evaluation criteria.
- Vendor Evaluation: Evaluate vendor proposals based on predefined criteria and conduct
any necessary interviews or presentations.
- Vendor Selection: Select the vendor(s) based on evaluation results, considering factors
such as cost, capabilities, and risk profile.
- Higher Education Community Vendor Assessment Toolkit (HECVAT) Collection and Review
- HECVAT Form Requirement: All potential vendors must submit their completed HECVAT;
SOC 2 audit findings may be substituted for a HECVAT.
- Initial Review: Review the HECVAT to assess the vendors' security practices, data
protection measures, and compliance with relevant regulations.
- Risk Assessment: Conduct a risk assessment based on the information provided in the
HECVAT to identify potential risks associated with the vendor relationship.
- Mitigation Actions: Develop mitigation actions to address identified risks, such as
requesting additional information, conducting security audits, or establishing contractual
obligations for security and privacy.
- Terms and Conditions Review
- Contract Review: Review the terms and conditions of the proposed vendor contract,
focusing on areas related to data privacy, security, compliance, and intellectual
property.
- Legal Review: Engage legal counsel, if necessary, to ensure contract language adequately
protects the college's interests and aligns with applicable laws and regulations.
- Negotiation and Amendment: Collaborate with the vendor to negotiate and amend contract
language to address any identified concerns or gaps.
- Approval and Signing: Obtain necessary approvals for the contract and sign the agreement
once all parties are satisfied with the terms and conditions.
- Ongoing Vendor Management
- Regular Monitoring: Continuously monitor vendor performance, security practices, and
compliance throughout the contract duration.
- Contract Renewal Review: Contract Renewals are contingent upon Community College Contract
Law Statutes. Conduct a thorough review of vendor relationships, including re-evaluation
of new HECVAT, terms and conditions, and contract language, during the contract renewal
process.
- Vendor Performance Evaluation: Periodically assess vendor performance against established
service level agreements and expectations.
- Incident Response: Follow the Incident Response procedure to address any security
breaches or data incidents involving vendors promptly.
- Vendor Offboarding: Develop a process to ensure proper offboarding of vendors, including
returning sensitive information and terminating system access.
- Documentation and Reporting
- Documentation
- Contract Repository: All vendor contracts, including their terms and conditions, amendments,
and related documents, should be stored in the college's contract management system.
Ensure that the contract repository is organized, easily accessible, and regularly
updated.
- Completed HECVAT and Security Documentation: Maintain a record of all HECVATs and
security audits received from vendors, including any supporting documentation or clarifications
provided by the vendors.
- Risk Assessments: Document the results of risk assessments conducted based on the
HECVAT and any additional assessments or audits performed.
- Incident Reports: Keep a record of any security incidents or breaches involving vendors,
along with the corresponding incident response actions taken.
- Reporting
- Executive Reporting: Provide regular reports to executive management, including the
Chief Information Officer (CIO) and Cabinet, summarizing the vendor risk landscape,
mitigation efforts, and notable incidents or concerns.
- Contract Renewal Report: Prepare a comprehensive report highlighting the findings
from the contract renewal review, including any recommended changes or enhancements
to vendor relationships.
- Compliance Reporting: Generate periodic reports on vendors' compliance with applicable
regulations, contractual obligations, and agreed-upon security standards.
- Record Retention
- Retention Period: Vendor Risk Assessment documentation will follow record retention
schedules for vendor-related documentation, ensuring compliance with legal, regulatory,
and internal requirements.
- Data Privacy and Protection: Adhere to applicable data privacy and protection regulations
when storing and handling vendor-related documents, ensuring proper safeguards are
in place.
Approved by Cabinet: May 2023
Related Board Policy: Information Technology Services