| Policy: | Smoke-Free Workplace |
| Scope: | Faculty and Staff |
| Policy Number: | 5.9 |
Lamar State College-Orange recognizes its commitment to the emotional and physical well-being of its students, faculty, and staff. There is increasing concern, interest, and anxiety about the effects of secondary tobacco smoke on individuals exposed to it and the dangers associated with tobacco smoking. Lamar State College-Orange acknowledges the seriousness of this problem and recognizes its obligation to promote public health on this campus by protecting its students, faculty, and staff from hazardous conditions that are within the College's ability to regulate.
The following regulations have been adopted by Lamar State College-Orange:
1. ALL campus buildings are designated "smoke-free" with the exception of the "smoker’s pavilion" and outside areas away from doorways and steps. Included in this designation are all instructional facilities; faculty, staff, and administrative offices; and student services areas.
2. Each building coordinator, with the approval of the President, shall, if an appropriate area exists, designate a smoking area(s). There shall be posted at the entrance of every building on the campus a sign stating "This is a non-smoking facility except in designated areas." There will be no ashtrays in non-smoking areas or in any buildings.
3. The use of smokeless tobacco, including snuff and chewing tobacco, is prohibited on campus.
4. The sale of tobacco products on campus is prohibited.
5. Smoking is prohibited in those campus-owned vehicles that are available for general use.
6. As used in this policy, the term "smoking" shall include all of the following:
a. Carrying or holding a lighted pipe, cigar, cigarette, or any other lighted smoking equipment or device;
b. Lighting a pipe, cigar, cigarette, or any other smoking equipment or device;
c. Emitting or exhaling the smoke of a pipe, cigar, cigarette, or any other smoking equipment or device.
7. This non-smoking policy applies to college facilities used by off-campus groups as well as college groups.
8. The terms of this policy will be distributed to all current employees and made available to all prospective employees prior to hiring. The terms of this policy will be distributed to all current students and published in all future editions of the Lamar State College-Orange Catalog.
| Policy: | Acquired Immune Deficiency Syndrome (AIDS) |
| Scope: | Faculty and Staff |
| Policy Number: | 5.10 |
Acquired Immune Deficiency Syndrome (AIDS) is a fatal disease which has become a nationwide public health problem.
Lamar State College-Orange acknowledges the seriousness of this problem. In health-related matters such as this, the College follows the guidelines of recognized authorities including the National Center for Disease Control, the United States Public Health Service, the Texas Department of Health, and the American College Health Association. Further, the College shall conform its actions to the Texas Communicable Disease Prevention and Control Act and other law.
There is no current evidence that individuals infected with Human Immunodeficiency Virus (HIV), the "AIDS Virus," can infect other individuals by casual contact. Accordingly, there is no reason to exclude individuals with the Acquired Immunodeficiency Syndrome (AIDS), AIDS-Related Complex (ARC) or a positive test for antibody to HIV virus from campus academic, social, or cultural activities. Therefore, on the basis of current knowledge of the disease, individuals sharing common living space, work or study areas, libraries, classrooms, recreational facilities, and theaters do not represent a problem or public threat to the campus community.
Students and employees of the College who may become infected with the AIDS virus will not be excluded from enrollment or employment, or restricted in their access to College services or facilities, unless medically-based judgments in individual cases establish that exclusion or restriction is necessary to the welfare of the individual or of other members of the campus community.
When circumstances arise that require review, the President will seek the advice of the attending physician, knowledgeable medical personnel, and other relevant parties. An opportunity will be provided for any person involved to discuss his or her circumstances. A College Health Committee will be appointed to review the issues and provide recommendations to the President for resolution.
In the event of public inquiry concerning College policy, programs, problems, or statistics related to AIDS on campus, the President will serve as the official spokesperson for the College and will enlist the cooperation of the Coordinator of Public Information as necessary to prepare an appropriate response. All inquiries from the press, elected public officials, or the public in general will be referred to the spokesperson. The medical records of individuals shall remain confidential, but public information shall be disclosed upon request in accordance with the Texas Open Records Act, the Family Educational Rights and Privacy Act, and the Texas Communicable Disease Prevention and Control Act. General information and national statistics considered public knowledge are not subject to restriction.
In the event an individual is identified with AIDS, ARC, or a positive test for HIV antibody, appropriate existing College resources for emotional, educational, social, and medical support will be made available to all concerned individuals.
Persons who know, or have reasonable basis for believing, that they are infected with the AIDS virus are expected to seek expert advice about their health circumstances and are obligated, ethically and legally, to conduct themselves responsibly in accordance with knowledge for the protection of other members of the College community.
The College shall carefully observe the safety guidelines established by the U.S. Public Health Services for the handling of blood and other body fluids and secretions, both in all health care facilities maintained on the campus and in other institutional contexts in which such fluids or secretions may be encountered (e.g. cleaning, teaching and experimental laboratories).
| Policy: | Information Resource Use |
| Scope: | Faculty, Staff, and Students |
| Policy Number: | 5.11 |
College Network – The College network is the data and communications infrastructure at Lamar State College-Orange. It includes the campus backbone, local area networks, and all equipment connected to those networks (independent of ownership).
Device – Any hardware component involved with the processing, storage, or forwarding of information making use of the Lamar State College-Orange information technology infrastructure or attached to the Lamar State College-Orange network. These devices include, but are not limited to, laptop computers, desktop computers, servers, and network devices such as routers, switches, wireless access points, and printers.
Device Registry – A database of College network devices maintained by IT Security to assist with incident response and alerts. This registry includes information about the device such as device name, function, operating system, and primary and secondary contact information.
Information Resources - Any and all devices capable of receiving, storing, managing, or transmitting electronic data including mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers, distributed processing systems, network connected display devices, network attached and computer-controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers, computer printouts, storage media, and service bureaus. Additionally, it includes the systems, procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
LEA Account – stands for Lamar University Network Identification. This is the name used to identify a person or other entity when connecting to certain applications and services available on the Lamar University network. LEA accounts have an associated password that serves to authenticate the identity of the owner.
NetID – NetID stands for LSC-O Network Identification. This is the name used to identify a person or other entity when connecting to certain applications and services available on the Lamar State College-Orange network. NetIDs have an associated password that serves to authenticate the identity of the NetID owner.
Network Address – A unique number associated with a device used for the routing of traffic across the Internet or another network. It is also known as Internet Protocol Address or IP Address.
Server – A networked resource that is used to distribute data to other networked resources.
Server Administrator – An individual with principal responsibility for the installation, configuration, security, and ongoing maintenance of an information technology device, including network registration.
Server Management – Functions associated with the oversight of server operations. These include controlling user access, establishing/maintaining security measures, monitoring server configuration and performance, and risk assessment and mitigation.
Server Owner – The department head charged with overall responsibility for the server asset in the College’s inventory records. The server owner must designate an individual to serve as the primary system administrator and may designate a backup system administrator.
System Compromise – A compromised system is any device that is no longer entirely under its owner's control. The two major forms of compromise are:
i. Infection by a worm, virus, or trojan horse;
ii. Exploitation of an operating system or application vulnerability by another user, giving that user remote control of the computer.
User – An individual or automated application or process that is authorized access to an information resource by its owner, in accordance with the owner’s procedures and rules.
VPN Account – stands for Lamar University Virtual Private Network (VPN) Account Identification. This is the name used to identify a person or other entity when connecting to certain applications and services available on the Lamar University network from the public Internet. LEA accounts have an associated password that serves to authenticate the identity of the owner.
Vulnerability Patch – An update provided by a vendor to correct a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy. All software and hardware are subject to vulnerability and firmware patches.
1.1. POLICY STATEMENTS
1.1.1. Title 1, Part 10, Chapter 202, Texas Administrative Code, commonly known as TAC 202, requires the chief executive of each Lamar State College-Orange agency and public institution of higher education to protect their institution’s information resources by establishing an Information Security Program consistent with the TAC 202 standards. In compliance with TAC 202, this policy statement and its references reflect the policies, procedures, standards and guidelines comprising the Information Security Program of Lamar State College-Orange. The terms and phrases in this policy statement shall have the meanings ascribed to them in TAC 202.1 unless otherwise provided herein.
The Lamar State College-Orange Information Security Program is positioned within the Department of Information Technology and administered by the College’s Information Security Officer (ISO). The Information Security Program is implemented by the ISO’s Information Technology (IT) Security team in collaboration with all College constituents that use and support the College’s information resources.
[TAC 202.70(2), TAC 202.71(d)]
1.1.2. Information resources residing at Lamar State College-Orange are strategic and vital assets belonging to the people of Texas. These assets must be available when needed and protected commensurate with their value. All members of the College community, regardless of position or role, share responsibility for protecting the College’s information resources. The Lamar State College-Orange community shall take appropriate measures to protect the College’s information resources against accidental or unauthorized disclosure, contamination, modification, or destruction, and to assure the confidentiality, authenticity, utility, integrity, and availability of College information.
[TAC 202.70(1)]
1.1.3. All individuals are accountable for their use of the College’s information resources. Individuals shall comply with applicable laws, Lamar State College-Orange Rules, and all College policies in their use of these resources.
[TAC 202.70(3)]
The following College IR policies are particularly relevant and noteworthy:
i. Information Resources Security Policy [this section];
ii. Network Use Policy [describes policy and procedures for administration, maintenance, and operation of the College’s network infrastructure];
iii. Appropriate Use of Information Resources Policy [describes both intended and prohibited uses of information resources];
iv. Disclosure of Information [provides guidance related to proper and improper information disclosure];
1.1.4. Information that is Sensitive or Restricted/Confidential must be protected from unauthorized access or modification. Data that is essential to critical College functions must be protected from loss, contamination, or destruction.
[TAC 202.75]
1.1.5. Risks to information resources must be managed. The expense of security safeguards must be appropriate to the value of the assets being protected, considering value of the asset to the College, regulatory agencies, the public, potential intruders, and any other person or organization with an interest in the assets.
[TAC 202.70(4)]
1.1.6. The integrity of data, its source, its destination, and processes applied to it are critical to its value. Changes to data must be made only in authorized and acceptable ways.
[TAC 202.70(5)]
1.1.7. Information resources must be available when needed. Continuity of information systems supporting critical College functions must be ensured in the event of a disaster or disruption in normal operations.
[TAC 202.70(6)]
1.1.8. Security requirements shall be identified, documented, and addressed in all phases of development or acquisition of information resources.
[TAC 202.70(7) and TAC 202.75(6)]
1.1.9. Security awareness of employees must be continually emphasized and reinforced at all levels of management. All individuals must be accountable for their actions relating to information resources.
[TAC 202.77(d) and (e)]
1.1.10. The information security program must be responsive and adaptable to changing vulnerabilities and technologies affecting information resources. Its components shall be reviewed and modified in a timely fashion to meet emerging and evolving threats.
[TAC 202.71 (e)]
1.1.11. The College must ensure adequate controls and separation of duties for tasks that are susceptible to fraudulent or other unauthorized activity.
[TAC 202.70(8)]
1.2. INFORMATION SECURITY ORGANIZATION
1.2.1. The Coordinator of Information Resources is the College’s Information Resources Manager (IRM) as defined in the Information Resources Management Act (IRMA) (TEX.GOV'T CODE § 2054). The Information Resources Manager oversees the acquisition and use of information technology within a state agency or College.
The IRMA and the Texas Administrative Code (TAC, Title 1, Part 10, Ch 201 §201.3) establish rules and responsibilities for the designated IRM that include executive level oversight for security and risk management of the College’s information resources. Consequently, the Coordinator of Information Resources directs the College’s Information Technology Security function.
1.2.2. The Information Security Officer (ISO) is the designated administrator of the Lamar State College-Orange Information Security Program. As such, the ISO is responsible for all aspects of the College’s information security program.
The ISO is specifically charged with the following responsibilities:
i. Develop, recommend, and establish policies, procedures, and practices as necessary to protect the College’s information resources against unauthorized or accidental modification, destruction, or disclosure;
ii. Identify and implement proactive and reactive technical measures to detect vulnerabilities and to defend against external and internal security threats;
iii. Provide consulting and technical support services to owners, custodians, and users in defining and deploying cost effective security controls and protections;
iv. Establish, maintain, and institutionalize security incident response procedures to ensure that security events are thoroughly investigated, documented, and reported, that damage is minimized, that risks are mitigated, and that remedial actions are taken to prevent recurrence;
v. Establish and publicize a security awareness program to achieve and maintain a security conscious user community;
vi. Document, maintain, and obtain ongoing support for all aspects of the Information Security Program;
vii. Monitor the effectiveness of strategies, activities, measures, and controls designed to protect the College’s information resources;
viii. Assure executive management awareness of legal and regulatory changes that might impact the College’s information security and privacy policies and practices;
ix. Serve as the College’s internal and external point of contact for information security matters; and
x. Report frequently (at least annually) on the status and effectiveness of the Information Security Program.
[TAC 202.71(e)]
1.2.3. As stated above in policy statement 1.1.2, all members of the College community share responsibility for protecting the College’s information resources and as such, are essential components of the College’s information security organization. Nonetheless, individual responsibilities can vary significantly according to an individual’s relationship with any given information resource. In recognition of those variances, the College has defined and assigns three generic roles with respect to the security of information resources: 1) the Owner role, 2) the Custodian role, and 3) the User role. Each individual assumes one or more of these roles with respect to each information resource they use, and as a result are accountable for the responsibilities attendant to their role(s). While each role is more fully described in Section 1.4 Information Asset Management of this policy, responsibilities associated with each role are noted throughout this policy document.
1.3. RISK ASSESSMENT
1.3.1. Risk assessment is a vehicle for systematically identifying and evaluating the vulnerabilities of an information system and its data to the threats facing it in its environment. It is an essential component of any security and risk management program. Absolute security that assures protection against all threats is unachievable. Risk assessment provides a framework for weighing losses that might occur in the absence of an effective security control against the costs of implementing the control. Risk management is intended to ensure that reasonable measures are employed to protect against the most probable and impactful threats.
1.3.2. Owners and their designated custodians shall annually complete or commission a comprehensive risk assessment of their assigned information resources, including departmentally assigned computing resources that store, process and access information. The assessment must include a classification of their information according to its need for security protection, i.e., its need for confidentiality, integrity, and availability (see Section 1.4.10, Data Classification).
1.3.3. The assessment should also identify reasonable, foreseeable, internal, and external risks to the security, confidentiality, integrity, and availability of those resources. Owners and custodians should assess the sufficiency of safeguards in place to control these risks and document their level of risk acceptance (i.e., the exposure remaining after implementing appropriate protective measures, if any). Additional mitigation measures should be taken as necessary to protect the resources from risks considered unacceptable. The risk assessment should include consideration of employee training and management, information systems architecture and processes, business continuity planning, and prevention, detection and response to intrusion and attack. The assessment results shall be documented in a written report, protected from unauthorized disclosure, modification, or destruction, and retained until superseded by a subsequent documented assessment, plus one year.
[TAC 202.72 and TAC 202.74]
1.3.4. The ISO shall periodically (at least annually) complete or commission a risk assessment of the information resources considered essential to the College's critical mission and functions, and shall recommend, to the owners and custodians of these resources, appropriate risk mitigation measures, technical controls, and procedural safeguards. The assessment may incorporate self-assessment questionnaires, vulnerability scans, scans for Sensitive and Restricted/Confidential information, and penetration testing. Findings and recommendations shall be provided to the owners and custodians of the information assets and shall also be presented to the President as appropriate.
[TAC 202.72(c)]
1.4. INFORMATION ASSET MANAGEMENT
1.4.1. As stated in policy statement 1.1.2 above, the College’s information resources are strategic and vital assets that must be available when needed and protected commensurate with their value. In this policy, the College has identified specific actions required to achieve these objectives. The College has also articulated the Owner, Custodian, and User roles to clearly distinguish the parties responsible and accountable for taking those actions.
1.4.2. The Owner role. The College (and consequently the state of Texas) is the legal owner of all the College’s information assets. As a practical matter, the College delegates specific ownership responsibilities to those with day-to-day oversight of the information asset. For example, for a shared file system hosted on a departmental server, both the file share and the computer are owned by the department. Conversely, ownership is split for departmental file shares hosted on Technology Resources servers in the data center, i.e., the shared directories and their contents are owned by the department(s) and the host computer(s) and related disk storage is owned by Technology Resources.
1.4.3. Owners have been designated for data assets based upon the general subject matter of the data.
1.4.3.1. Human Resources data – Human Resources Director
1.4.3.2. Student Records data – Vice President of Student Services
1.4.3.3. Financial Records data – Vice President of Finance and Operations
1.4.4. Ownership responsibility for network, hardware, and software assets is assigned to the party accountable for the assets, as documented in the College’s inventory, procurement, and licensing records.
Owners are specifically responsible for:
i. Keeping abreast of laws and policies related to the information assets they own and classifying these assets according to their need for security protection (see Section 1.4.10, Data Classification);
ii. Determining the value of, authorizing user access to, and establishing procedures for authorized disclosure of, their information assets;
iii. Specifying data control requirements for their information assets and conveying those requirements to co-owners, custodians, and users;
iv. Specifying appropriate controls, based on risk assessment, to protect their information assets from unauthorized use, modification, deletion, or disclosure;
v. Selecting and assigning custody of information assets, in consultation with appropriate IT division staff, to custodians capable of implementing the necessary security controls and procedures;
vi. Contractually binding non-College custodians to implement and comply with their specified security controls and procedures;
vii. Confirming the implementation of and compliance with the specified controls by the custodians; and
viii. Reviewing and maintaining access authorization lists based on documented security risk management decisions.
[TAC 202.71(c)(1)]
1.4.5. The Custodian role. Custodians provide information asset services to both owners and users. A custodian may be a person (such as a departmental system support specialist), a team or department (such as Technology Resources), or a third party provider of information resource management services (such as a web site or application hosting firm). Regardless of how the role is filled, custodians are expected to:
i. Assist the owner(s) in identifying cost-effective controls, along with monitoring techniques and procedures for detecting and reporting control failures or violations;
ii. Implement the controls and monitoring techniques and procedures specified by the owner(s); and
iii. Provide and monitor the viability of physical and procedural safeguards for the information resources.
[TAC 202.71(c)(2)]
1.4.6. The User role. The user role is the default role possessed by all users of Lamar State College-Orange information resources. Users of information resources shall use those resources for defined purposes that are consistent with their institutional responsibilities and always in compliance with established controls. Users are expected to comply with the College’s published security policies and procedures, as well as with security bulletins and alerts that may be issued by IT Security or other IT units in response to specific risks or threats. The use of Lamar State College-Orange information resources implies that the user has knowledge of and agrees to comply with the College’s policies governing such use.
[TAC 202.71(c)(3) and TAC 202.77(a)]
Employee users are responsible for ensuring the privacy and security of the information they access in the normal course of their work. Employees are also responsible for the security of any terminal, workstation, printer, or similar electronic device utilized in the normal course of their work. Employees are authorized to use only those resources and materials that are appropriate and consistent with their job functions and must not violate or compromise the privacy or security of any data or systems accessible via the College computer network. See Section 3, Appropriate Use of Information Resources, for additional information about acceptable and prohibited uses of Lamar State College-Orange’s information resources.
Except as provided in Sections 1.4.7 and 1.4.8 below, users may not attempt to violate the security or privacy of other computer users on any system accessible via the College computer network. The attempted violation of information security or privacy is grounds for revocation of computer access privileges, suspension or discharge of employees, suspension or expulsion of students, and prosecution to the full extent of the law.
Users are responsible for the security of any computer account (e.g., LSC-O network username or Administrative System(s) username) issued to them and are accountable for any activity that takes place in their account. Users who discover or suspect that the security of their account has been compromised must immediately change their password and report the incident to the Information Security Officer (ISO) for initial investigation. The ISO shall escalate the incident to IT Security if the compromise may increase the risk to other College information resources. Any suspected or attempted violation of system security should be reported immediately to the ISO (409-882-3998, iso@lsco.edu) or IT Security (409-882-3354, itsecurity@lsco.edu).
1.4.7. Privileged roles. By virtue of their job duties (e.g., the review and monitoring activities described in Section 1.4.8 below), designated employees may require and may be entrusted with elevated access privileges to specified information assets. These employees normally function in custodial or security-related roles with respect to the specified information assets.
Users entrusted with elevated access privileges shall:
i. use those privileges solely for the purpose intended by the asset owner; and
ii. access, disclose, and discuss the information only to the extent required to perform the job duty for which the privileges were granted.
1.4.8. Review and Monitoring. Lamar State College-Orange’s information resources are subject to monitoring, review, and disclosure in accordance with:
i. the Texas Public Information Act and other pertinent laws and policies;
ii. other legal requirements, such as subpoenas and court orders;
iii. efforts to protect and sustain their operational integrity;
iv. security reviews or audits; and
v. other purposes, as determined by the Coordinator of Information Resources in consultation with the College President, required to protect and support the College’s legitimate interests and the legitimate interests of other users.
Users of Lamar State College-Orange’s information resources expressly consent to monitoring by the College for these purposes and are advised that if such monitoring reveals possible evidence of criminal activity, College administration may provide that evidence to law enforcement officials. Further, all users should understand that while the College takes reasonable precautions, as evidenced by its information security program, it is unable to guarantee the protection of electronic files, data, or e-mails from unauthorized or inappropriate access or disclosure.
In consideration of the above provisions, users should not expect privacy in their use of Lamar State College-Orange's information resources except as otherwise provided by applicable privacy laws.
[TAC 202.75(7)(O) and TAC 202.75(9)(D)]
1.4.9. Interagency operations. When Sensitive or Restricted/Confidential information from another College, University or State Agency is received by Lamar State College-Orange in connection with the transaction of official business, Lamar State College-Orange shall maintain the confidentiality or sensitivity of the information in accordance with the conditions imposed by the providing agency or College.
[TAC 202.75(2)(B)]
1.4.10. Data Classification. Prior to releasing, publishing, or disclosing any College information, the designated College owner of the information shall classify the information as Public, Sensitive, or Restricted/Confidential, according to its need for confidentiality. Moreover, the information’s owner should ensure that disclosure controls and procedures are implemented and followed to afford the degree of protection required by the assigned classification.
Information shall be assigned one of the following 3 classifications:
i. Public (Level 1) Information is by its very nature designed to be shared broadly, without restriction, at the complete discretion of the owner. It may or may not have been explicitly designated as public. Public information may be freely disseminated without potential harm to the College, individuals, or affiliates. From the perspective of confidentiality, public information may be disclosed or published by any person at any time.
Examples of Public Information include: advertising and marketing literature, degree program descriptions, course offerings and schedules, campus maps, job postings, press releases, descriptions of College products and services, and certain types of unrestricted directory information as specified by the Family Educational Rights and Privacy Act of 1974 (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA).
ii. Sensitive (Level 2) Information can be difficult to classify as it often presents attributes of both Public and Restricted/Confidential information. Sensitive information may be deemed "public" in the sense that, under certain circumstances, disclosure may be required under provisions of the Texas Public Information Act. However, the disclosure of Sensitive information also requires assurances that its release is both controlled and lawful. Sensitive information is often intended for use within a specific workgroup, department or group of individuals with a legitimate need-to-know. Likewise, access to Sensitive information may be controlled by identity authentication and authorization measures (e.g., LSC-O NetID or Lamar University LEA Account and password). Unauthorized disclosure of Sensitive information could adversely impact the College, individuals, or affiliates.
Examples of Sensitive Information include: some employee records (such as performance appraisals, dates of birth, and e-mail addresses), departmental policies and procedures that might reveal otherwise protected information, the contents of e-mail, voicemail, instant messages and memos, unpublished research, information covered by non-disclosure agreements, and donor information.
Generally speaking, Sensitive information should not be published or disclosed to the public except by the College’s designated owner of the information in accordance with the owner’s established practices, or after consultation with the College President. See Section 1.4.3 above for more details.
iii. Restricted/Confidential (Level 3) Information is defined by TAC 202 to be "information that is excepted from disclosure requirements under the provisions of applicable state or federal law" such as the Texas Public Information Act (TPIA) and the Family Educational Rights and Privacy Act (FERPA).
Restricted/Confidential information is generally intended for a very specific purpose and shall not be disclosed to anyone without a demonstrated need-to-know, even within a workgroup or department. Disclosure of Restricted/Confidential information is generally regulated by specific legal statutes (e.g., TPIA, FERPA, HIPAA), published opinions by the Office of the Attorney General of Texas, Texas State University System Regents Rules, or contractual agreements. Unauthorized disclosure of this information could have a serious adverse impact on the College, individuals, or affiliates, and presents the most serious risk of harm if improperly disclosed.
Examples of Restricted/Confidential (Level 3) Information include: student education records as defined under FERPA, credit card and financial account information, social security numbers, driver license numbers, personally identifiable medical records, passport information, crime victim information, library transactions (e.g., circulation records), court sealed records, and access control credentials (e.g., PINs and passwords).
Restricted/Confidential information must not be disclosed to the public under any circumstances other than those specifically authorized by law. Any such disclosure should be immediately reported to IT Security for damage mitigation and investigation. Requests for such information received from persons with a questionable need to know should be directed to the College President.
1.4.11. Standards for Handling Sensitive and Restricted/Confidential Information.
Because of the harm that can result from improper disclosure, Sensitive and Restricted/Confidential College information shall be afforded the following special protections by Owners, Custodians, and Users:
i. A person’s social security number, driver license number, or other widely-used government issued identification number shall not be captured, stored, or used as a person identifier unless such use is required by an external, governmental, or regulatory system that is authorized for use at the College. The Lamar State College-Orange Banner ID number should be used in lieu of such prohibited identifiers in situations where personal names or other identifiers do not assure uniqueness. Where use of such numbers is required and authorized, owners, custodians, and users shall store these numbers in encrypted form or behind other compensating controls with the advice and consent of IT Security.
ii. Payment cardholder data (i.e., the primary account number or the magnetic stripe contents together with any one of: cardholder name, expiration date, or the 3-digit service code) shall not be stored on any device connected to the College’s data network for longer than is necessary to authorize a transaction using that information.
iii. Sensitive or Restricted/Confidential information must not be transmitted electronically in unencrypted form. Either the information itself must be encrypted prior to transmission or an encrypted connection must be established and maintained for the duration of the transmission. Authorized encrypted connection examples include the College’s implementations of: VPN - Virtual Private Network, SSL – Secure Socket Layer, and SSH – Secure SHell. Note that most electronic mail systems do not establish and maintain encrypted connections and thus are not appropriate for use in transmitting unencrypted Sensitive or Restricted/Confidential information.
[TAC 202.75(4)]
iv. Sensitive or Restricted/Confidential information should not be stored on portable devices or media such as notebook or tablet computers, PDAs, smart phones, USB drives, CDs, DVDs, tape cartridges, etc. If such storage is required, the Sensitive or Restricted/Confidential information must be protected by encryption or by other compensating controls with the advice and consent of IT Security.
v. Sensitive or Restricted/Confidential information must not be accessed from remote locations in an unauthorized manner. Examples of authorized remote access solutions include the College’s implementations of: VPN - Virtual Private Network, SSL – Secure Socket Layer, and SSH – Secure SHell. Third party remote access solutions like PCAnywhere® and GoToMyPC® are not authorized.
vi. Sensitive or Restricted/Confidential information should not be stored on personally-owned devices or media. If such storage is required, the Sensitive or Restricted/Confidential information must be protected by encryption or by other compensating controls with the advice and consent of IT Security.
vii. Sensitive or Restricted/Confidential information shall not be stored on any devices external to the campus network except as provided under contract with an authorized information resource management service that is contractually bound to properly protect the information (see also Section 1.5.6).
viii. Where encryption is required for protection of Sensitive or Restricted/Confidential information, the encryption must:
Compliant encryption solutions are available through IT Security.
ix. Sensitive or Restricted/Confidential information shall not be shared, exposed or transmitted via any peer-to-peer (P2P) file sharing mechanism prior to completion of a comprehensive risk assessment, including penetration testing, of the proposed P2P file sharing mechanism by IT Security.
1.4.12. Transfer, Disposal, or Destruction of Information Assets. The sale, transfer, or disposal of old, obsolete, damaged, nonfunctional, or otherwise unneeded electronic devices and media pose information risks for the College. These risks are related primarily to the media contents that might be exposed, which can be Sensitive or Restricted/Confidential information, licensed and non-transferable software, copyrighted intellectual property, or other protected information. Even supposedly deleted data can be retrieved through contemporary data recovery techniques.
Under Texas Government Code § 2054.130, state agencies and institutions of higher education are required to permanently remove data from data processing equipment before disposing of or otherwise transferring the equipment to an entity that is not a state agency or other agent of the state. DIR recommends that "unless the agency can absolutely verify that no personal or confidential information, intellectual property, or licensed software is stored on the hard drive/storage media, the hard drive/storage media should be sanitized or be removed and destroyed."
[TAC 202.78]
Owners, custodians, and users shall contact IT for media sanitization assistance prior to transferring ownership or otherwise disposing of any magnetic media (e.g., hard disk drives, USB drives, backup tape cartridges, DVDs, CDs, etc.) or any devices containing such media (e.g., computers, PDAs and smart phones, printers, copiers, etc.). IT will securely sanitize or destroy the media, at its sole discretion, and maintain appropriate records of the action taken.
Owners, custodians, and users shall not repurpose or reassign any electronic device or electronic media contained within a device without first fully sanitizing the media using a tool sanctioned by IT. Examples of currently sanctioned tools include Ghost Gdisk and DBAN for Windows devices and Disk Utility (for OS X). Reformatting the media does NOT constitute, by itself, a satisfactory sanitization process.
1.5. HUMAN RESOURCES SECURITY
1.5.1. In any organization, people represent both the greatest information security assets as well as the greatest information security threats. Consequently, employee awareness and motivation are integral parts of any comprehensive information security program.
1.5.2. To emphasize security awareness and the importance of individual responsibility with respect to information security, all Lamar State College-Orange employees shall explicitly affirm their agreement to abide by the College’s information security, copyright, and appropriate use policies each time they change their Lamar State College-Orange domain-level password.
[TAC 202.77(a)]
1.5.3. IT Security shall provide literature at all new employee orientation sessions, as well as periodic seminars, workshops, and other educational events for existing employees. All such training and events will provide references to relevant College policy and procedure documents and promote the Technology Resources Web site as a valuable repository of information security policies, procedures, guidelines, and best practices. Department heads shall continually reinforce the value of security consciousness in all employees whose duties entail access to Sensitive or Restricted/Confidential information resources.
[TAC 202.77(d) and (e)]
1.5.4. Department heads are responsible for implementing the measures necessary to ensure that department members maintain the confidentiality of information used in departmental operations. Examples of such information include personnel and payroll records, transcript and grade records, financial aid information, and other Sensitive or Restricted/Confidential information. Such information shall not be used for unauthorized purposes or accessed by unauthorized individuals. Department heads are required to obtain signed non-disclosure agreements from their employees prior to granting those employees access to departmental information resources. The required form is located on the Technology Resources website.
[TAC 202.77(c) and TAC 202.70(1)]
1.5.5. Department heads are responsible for ensuring that access privileges are revoked or modified as appropriate for any employee in their charge who is terminating, transferring, or changing duties. Department heads should provide written notification to Technology Resources whenever an employee's access privileges should be revoked or changed as a result of the employee's change in status.
[TAC 202.75(3)(B)]
1.5.6. Owners of information resources shall obtain and retain signed non-disclosure agreements from all temporary employees, consultants, contractors, and other external parties prior to their obtaining access to Lamar State College-Orange information resources. The agreements shall affirm their compliance with Lamar State College-Orange’s security policies and procedures. A template non-disclosure agreement is available on the Technology Resources website.
[TAC 202.77(c)]
1.6. PHYSICAL AND ENVIRONMENTAL SECURITY
1.6.1. Physical access to mission critical information resources facilities shall be managed and documented by the facility’s custodian. The facilities must be protected by physical and environmental controls appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems operated within those facilities.
[TAC 202.73(a)]
1.6.2. Reviews of physical security measures shall be conducted annually by the custodian in conjunction with each facility’s risk assessment, as well as whenever facilities or security procedures are significantly modified.
[TAC 202.73(b)]
1.6.3. Physical access to information resources facilities administered by the Information Technology division is restricted to individuals having prior authorization from the Coordinator of Information Resources. The responsibility for securing departmentally administered computer facilities or equipment from unauthorized physical access ultimately rests with the designated owner and designated custodian of the facility or equipment.
1.6.4. A log will be maintained of all persons entering or leaving the College’s primary data center (server room) in the Academic Center, including the date, time, and purpose of the visit. Access to the equipment rooms in these data centers shall be controlled through keyed access and monitored.
1.6.5. Employees and information resources shall be protected from the environmental hazards posed by information resources facilities. Employees with duty stations inside information resources facilities shall be trained to monitor any installed environmental controls and equipment and to respond appropriately to emergencies or equipment malfunctions. Emergency procedures shall be developed, documented, and regularly tested in collaboration with the College’s Office of Safety & Risk Management.
[TAC 202.73(c)(d)(e)]
1.6.6. Terminals, computers, workstations, mobile devices (e.g., PDAs, portable storage devices, smart phones, etc.), communication switches, network components, and other devices outside the College’s primary data center shall receive the level of protection necessary to ensure the integrity and confidentiality of the College information accessible through them. The required protection may be achieved by physical or logical controls, or a combination thereof.
1.6.7. No authenticated work session (i.e., a session in which the user’s identity has been authenticated and authorization has been granted) shall be left unattended on one of these devices unless appropriate measures have been taken to prevent unauthorized use. Examples of appropriate measures include:
i. activation of password-protected keyboard or device locking;
ii. automatic activation of a password-protected screensaver after a brief inactivity period (15 minutes or less, based upon risk assessment); and
iii. location or placement of the device in a locked enclosure preventing access to the device by unauthorized parties.
The creator of the work session is responsible for any activity that occurs during a work session logged-in under his or her account.
1.7. COMMUNICATIONS AND OPERATIONS MANAGEMENT
1.7.1. Network resources used to exchange Sensitive or Restricted/Confidential information shall protect the confidentiality of the information for the duration of the session. Controls shall be implemented commensurate with the highest risk. Transmission encryption technologies (e.g., VPN, SSL, https, SSH, IPSEC, etc.) shall be employed to accomplish this objective.
[TAC 202.75(4)]
1.7.2. Sensitive or Restricted/Confidential College information must not be transmitted in unencrypted form. Either the information itself must be encrypted prior to transmission or an encrypted connection must be established and maintained for the duration of the transmission. Authorized encrypted connection examples include the College’s implementations of VPN (Virtual Private Network), SSL (Secure Socket Layer), and SSH (Secure Shell), as well as any wireless network connection utilizing the Wi-Fi Protected Access 2 (WPA2) Advanced Encryption Standard (AES). These restrictions apply regardless of the user’s location and include transmissions over any private or public network accessible to the user, including in-home networks. Technology Resources shall establish and maintain a WPA2-AES encrypted (or equivalent/superior) wireless network for use on the College campus.
1.7.3. To facilitate security of the campus network, owners, custodians, and users of information resources shall adhere to the provisions of the College’s Network Use Policy.
1.7.4. Owners of distributed information resources within the campus network shall prescribe sufficient controls to ensure that access to those resources is restricted to authorized users and uses only. Examples of such resources include network equipment rooms, data closets, and the equipment contained within them. Controls shall restrict access to the resources based upon user identification and authentication (e.g., password, smartcard/token), physical access controls, or a combination thereof.
[TAC 202.70(1) and TAC 202.75(3)]
1.7.5. Owners of applications containing or with access to Sensitive or Restricted/Confidential information, or applications involving automated transmission of such information to other applications, shall require authentication of user identity prior to granting access to the applications.
[TAC 202.70(1) and TAC 202.75(3)]
1.8. ACCESS CONTROL
1.8.1. Prior to obtaining access to the Lamar State College-Orange network, any device connected to that network, any service provided via that network, or any application hosted on that network, individuals shall be required to authenticate themselves as authorized users of the network, service, device, or application. This requirement may be waived in situations where a formal risk assessment has determined that access to the resource does not require individual user identification, authorization, or accountability.
1.8.2. A College-assigned network identifier (e.g., NetID or Lamar State College-Orange ID number) and its corresponding "secret" (e.g., a Password/PIN) shall be used to accomplish the authentication. The network identifier shall be unique to an individual in all cases except for authorized "administrator" accounts that must be accessible to a team of custodians charged with supporting a breadth of resources.
[TAC 202.75(3)(A) and (C)]
1.8.3. Based upon security risk assessment, and excepting administrator accounts as described in the preceding paragraph, owners and custodians shall implement and maintain audit trails and transaction logs as necessary to provide individual accountability for changes to mission critical information, hardware, software, and automated security or access rules.
[TAC 202.75(5)]
1.8.4. Self service systems must incorporate security procedures and controls to ensure the data integrity and protection of Sensitive or Restricted/Confidential information. Self service systems must authenticate the identity of individuals that utilize the systems to retrieve, create, or modify Sensitive or Restricted/Confidential information about them.
[TAC 202.75(3)(C)]
1.8.5. To the extent practicable, all initial login and authentication screens should clearly and prominently display the following user advisory:
"Use of computer and network facilities owned or operated by Lamar State College-Orange requires prior authorization. Unauthorized access is prohibited. Usage may be subject to security testing and monitoring, and affords no privacy guarantees or expectations except as otherwise provided by applicable privacy laws. Abuse is subject to criminal prosecution. Use of these facilities implies agreement to comply with the policies of Lamar State College-Orange."
[TAC 202.75(9) and TAC 202.77(a)]
1.8.6. A user's NetID shall be deactivated whenever the user’s then current affiliation with the College no longer qualifies the user to possess an active NetID. See Section 3, Appropriate Use of Information Resources, for specifics regarding the deactivation of employee accounts upon separation from service.
[TAC 202.75(3)(B)]
1.8.7. Sensitive and Restricted/Confidential information shall be accessible only to personnel with authorization from the information owner on a strict "need to know" basis in the performance of their assigned duties. Such information shall be disclosed only by the information owner(s), consistent with the College’s policy on the appropriate release of information.
[TAC 202.75(2)]
1.8.8. Passwords. Lamar State College-Orange systems that employ passwords for authenticating user identities shall comply with the following minimum password acceptability standards:
i. Minimum password length is 8 characters.
ii. Previous 24 passwords are remembered and ineligible for use.
iii. Passwords expire every 90 days.
iv. Passwords are case sensitive.
v. Passwords cannot match any part of the LSC-O NetID.
vi. Passwords cannot match any part of the user full name.
vii. Passwords must contain 3 out of the 4 character types:
Password repositories must utilize one-way encryption and, once assigned, the password must not be retrievable by anyone. Thus, when a password is lost or forgotten, the existing password will not be retrieved but rather, re-set to the specific user default.
Passwords shall be distributed from the password source to the owner in a confidential manner. The password for the LSC-O NetID must be changed by the owner every 90 days, at a minimum. System owners and custodians may require more frequent password changes based upon risk assessment results. Passwords shall be changeable by their owners at will.
[TAC 202.75(3)(D)]
1.9. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE
1.9.1. Test functions shall be kept either physically or logically separate from production functions. Copies of production data shall not be used for testing unless all personnel involved in testing are authorized access to the production data or all Restricted/Confidential information has been removed from the test copy.
[TAC 202.75(6)(A)]
1.9.2. Appropriate information security and audit controls shall be incorporated into new systems. Each phase of systems acquisition or development shall incorporate corresponding development or assurances of security controls. The movement of system components through various lifecycle phases shall be tracked and more specifically, the movement of any software component into production shall be logged.
[TAC 202.75(6)(B)]
1.9.3. After a new system has been placed into production, all program changes shall be authorized and accepted by the system owner (or the owner’s designee) prior to implementation.
[TAC 202.75(6)(C)]
1.9.4. To the extent practicable, the principle of separation of duties shall be applied to the system development and acquisition lifecycle. The developer/maintainer of a component should not also have the ability to place the component into production.
1.9.5. Modifications to production data by custodians or developers shall be authorized in advance by the data owner. If advance authorization is not possible in a real or perceived emergency, the owner shall be notified as soon as possible after the fact and the notification logged. The notification log entry shall contain the notification date and time, a description of the data modified, the justification for the modification, and the identities of the owner and the custodian.
1.10. INFORMATION SECURITY INCIDENT MANAGEMENT
1.10.1. The ISO is charged with establishing and maintaining an effective security incident response program to ensure that:
i. security events are thoroughly investigated and documented;
ii. immediate damage is minimized, latent risks are identified, and subsequent exposures are mitigated;
iii. incident reporting and notification are timely and legally compliant; and
iv. remedial actions are taken to prevent recurrence.
[TAC 202.76]
1.10.2. As part of the incident response program, the ISO will develop a Security Breach Response Plan (SBRP) for responding to incidents that may require notification of impacted parties as described in Chapter 521 of the Texas Business & Commerce Code (CH 521).
The Coordinator of Information Resources will activate the SBRP when in his or her judgment, Sensitive Personal Information (as defined in CH 521) was, or is reasonably believed to have been, acquired by an unauthorized person. The response team associated with the SBRP will include, at a minimum:
i. the Coordinator of Information Resources (ISO), as the team lead;
ii. the owner(s) and custodian(s) of the breached information resource, along with their respective vice presidents;
iii. the Director, Public Information; and
iv. other IT and College employees at the discretion of the Coordinator of Information Resources in collaboration with other members of the team.
To facilitate rapid activation and execution of the SBRP, the ISO shall, to the extent practicable, maintain resources appropriate for use by the team.
At the direction of the Coordinator of Information Resources, the SBRP will be tested annually in a table-top exercise developed by the ISO. Test results will be evaluated by the participants and the SBRP will be modified in response to those evaluations.
1.10.3. Owners, custodians and users must immediately report suspected information resources security incidents to the ISO (409-882-3998, iso@lsco.edu) or IT Security (409-882-3354, itsecurity@lsco.edu). If criminal activity is suspected, the ISO shall immediately contact the appropriate law enforcement and investigative authorities.
[TAC 202.76(b)]
1.10.4. Except as provided in section 1.10.2 above, information security incident response will be managed by the ISO (or the ISO’s designee) and will involve, at a minimum, IT Security staff and the owner(s) and custodian(s) of the compromised information resource(s). The ISO shall fully document the incident, the investigation itself, and the results of the investigation. A draft incident report will be prepared and shared with the owner(s) and custodian(s) of the compromised resource(s), their respective vice president(s), and the College President.
The draft report’s completeness and accuracy will be reviewed in a meeting of the report recipients and modifications noted in that meeting. The final report will be released to all recipients subsequent to the review meeting. If required, the results will be included in the ISO’s report to the DIR (see below).
1.10.5. The ISO shall report any incident to the Texas Department of Information Resources (DIR) within twenty-four hours, and to other entities as may be appropriate to the incident, if the initial incident investigation reveals a critical threat that might propagate beyond the confines of the campus network and threaten other networks.
[TAC 202.76(a)]
1.10.6. The ISO shall also provide recurring summary reports to the DIR as directed by the DIR.
[TAC 202.76(c)(d)(e)]
1.11. BUSINESS CONTINUITY MANAGEMENT
1.11.1. Administrative heads responsible for delivering mission critical College services should maintain written Business Continuity Plans (BCP) that provide for continuation or restoration of such services following a disruption in critical information systems, communication systems, utility systems, or similar required support systems.
The BCP should incorporate:
i. A Business Impact Analysis that addresses the maximum possible downtime for critical service delivery components and resources including: key personnel, facilities, components of electronic information and communication systems (e.g., voice and data network, hardware, and software), and vital electronic and hard copy records and materials;
ii. To the extent practicable, alternate methods and procedures for accomplishing its program objectives in the absence of one or more of the critical service delivery components;
iii. A Security Risk Assessment to weigh the cost of implementing preventive measures against the risk of loss from not taking preventive action;
iv. A Recovery Strategy Assessment that documents realistic recovery alternatives and their estimated costs; and
v. Reference to a Disaster Recovery Plan that provides for the continuation or restoration of electronic information and communication systems as described later in this section.
Key aspects of the BCP should be tested or exercised at least annually and updated as necessary to assure the plan’s continued viability. Results of such tests and exercises should be documented and retained until the end of the current fiscal year, plus three (3) years.
[TAC 202.74]
1.11.2. Technology Resources shall prepare and maintain a written and cost-effective Disaster Recovery Plan that addresses key infrastructure components in its custody. The plan should provide for the prompt and effective continuation or restoration of critical College information systems and processes if a disaster were to occur that might otherwise severely disrupt these systems and processes. The plan should provide for the scheduled backup of mission critical information and for the off-site storage of that backup in a secure, environmentally safe, and locked facility accessible only to authorized Technology Resources staff. The plan should also identify other key continuation and recovery strategies, required resources, alternate sources of required resources, as well as measures employed to minimize harmful impacts. Technology Resources shall exercise or test key aspects of the Disaster Recovery Plan and make periodic updates as necessary to assure its viability.
[TAC 202.74(a)(5)]
1.11.3. Owners and custodians of departmental information resources are responsible for disaster recovery plans associated with those resources. The plans should include regular schedules for making backup copies of all data and software resident in their systems and for ensuring that the backups are stored in a safe location. Users are responsible for ensuring that the data and software resident on their personal computers are backed up as required by their individual circumstances. The security controls over the backup resources should be as stringent as the protection afforded to the primary resources. The Technology Resources personnel are available for assistance in the design of backup and recovery solutions.
1.12. COMPLIANCE
1.12.1. An internal audit of the Information Security Program shall be performed biennially, based on risk assessment, as directed by the TSUS System, the President, or the Coordinator of Information Resources.
[TAC 202.71(e)]
1.12.2. Key aspects of the College’s Information Security Program shall be a prominent component of any College program designed to encourage or enhance legal and policy compliance by College constituents.
2.1.1. The purpose of this section is to establish the policies for the maintenance, expansion and use of the Lamar State College-Orange network infrastructure. These policies are necessary to:
i. Provide a reliable College network and Internet connection to conduct the College’s business;
ii. Provide only authorized access to institutional, research or personal data and information on the College network; and
iii. Protect computer system and network integrity at Lamar State College-Orange.
2.2. GENERAL GUIDELINES
2.2.1. All devices connected to the Lamar State College-Orange network (physical or wireless) must be associated with, and in support of, the mission of the institution. The integrity, security, and proper operation of the College network require an orderly assignment of network addresses and the correct configuration of devices attached to the network. Network access, performance and security are put at risk when devices are introduced into the network environment without appropriate coordination. Therefore, all connections to the College network must be managed with accessibility, performance, and security concerns taken into consideration.
2.2.2. Technology Resources is responsible for the College network, including routing, switching, domain name service, etc. It is the logical entity to coordinate all connections to the College network including the assignment of addresses. Technology Resources shall coordinate the connection of any and all devices to the College network. Network users may not alter, extend or re-transmit network services in any way. Users are prohibited from attaching or contracting with a vendor to attach equipment such as routers, switches, hubs, firewalls or wireless access points to the College network without prior authorization from Technology Resources. This does not include personal software firewalls, printers or other peripheral devices connected to the workstation.
2.2.3. The use of devices connected to the College network is accompanied by certain responsibilities. Specifically, all users are required to perform timely updates of applications, operating systems and virus protection software in order to minimize risks associated with computer hacking and other threats such as worms and viruses. Technology Resources will provide mechanisms to facilitate such updates to the extent reasonably possible.
2.2.4. All devices placed on the College network acting in any role other than an individual workstation or printer (e.g. servers regardless of function, hardware or software) must be placed by Technology Resources in the centralized data center (server room). Following placement, Technology Resources will perform a certification process to ensure compliance with industry best practices.
2.3.1. Devices posing an immediate threat to the College network will be disconnected from the network to isolate the intrusion or problem and minimize risk to other systems, until the device is repaired and the threat is removed. In coordination with administrative departments and law enforcement, Technology Resources will investigate any incident involving unauthorized access of the College network. Devices involved in these and other security incidents which do not have security best practices implemented will remain disconnected from the College network until the device can be brought into compliance. Technology Resources will attempt to notify appropriate departmental personnel when devices in their department are disconnected from the network.
2.3.2. Devices that are involved in repeated incidents may be disconnected from the campus network for longer periods of time as required. The affected user will be required to show that they understand the best practices and guidelines and know how to implement them through an audit review or other assessment of the network attached device(s) for which they are responsible. If the affected user lacks the knowledge or training needed to comply with this policy, Technology Resources personnel will work with the department to help plan an appropriate training program.
3.1.1. This section establishes policies and procedures for the appropriate use of information resources. This policy is established to achieve the following:
i. To ensure compliance with applicable statutes, regulations, and mandates regarding the management of information resources.
ii. To establish prudent and acceptable practices regarding the use of information resources.
iii. To educate individuals who may use information resources with respect to their responsibilities associated with such use.
3.2. APPROPRIATE NETWORK USE
3.2.1.1. Lamar State College-Orange provides each of its authorized users with a computer account, known as a Lamar State College-Orange NetID, which facilitates access to the College’s information resources. In accepting a Lamar State College-Orange NetID or any other access ID, the recipient agrees to abide by applicable Lamar State College-Orange policies and legal statutes, including all federal, state, and local laws. Lamar State College-Orange reserves the right at any time to limit, restrict, or deny access to its information resources and to take disciplinary and/or legal action against anyone in violation of these policies or statutes.
3.2.1.2. The College’s faculty, staff and students are given a system-generated NetID. In order to change the system-generated NetID, written approval must be obtained from the Vice President of Academic Affairs and Vice President of Student Services. This written approval document is filed as part of the individual’s associated College files.
3.2.1.3. Applicable College policies and procedures include all Lamar State College-Orange policies and departmental policies and procedures that address the usage of Lamar State College-Orange information resources. Also applicable are College policies prohibiting harassment, plagiarism, or unethical conduct. Laws that apply to the use of Lamar State College-Orange’s information resources include laws pertaining to theft, copyright infringement, insertion of viruses into computer systems, and other computer-related crimes. This policy applies to all College information resources, whether administered centrally or departmentally; whether on-campus or off-campus. Information resources include hardware, software, communication networks and access devices, electronic storage media, manuals, and other documentation. Also included in this definition are data files that reside on hardware or media owned or supplied by the College, regardless of size, source, or type of storage media, including e-mail messages, system logs, web pages and software.
3.2.1.4. Lamar State College-Orange provides information resources for the purpose of accomplishing tasks related to the College’s mission. Use of or access to Lamar State College-Orange computers, networks, data and software may be restricted due to specific research, teaching or other purposes in keeping with Lamar State College-Orange’s mission. Lamar State College-Orange’s computer information resources are not a public forum.
3.2.1.5. Lamar State College-Orange considers email to be a significant information resource and an appropriate mechanism for official College communication. The College provides official College email addresses and services to its students, faculty, staff, and organizational units for this purpose and to enhance the efficiency of educational and administrative processes. In providing these services, the College anticipates that email recipients will access and read College communications in a timely fashion. Faculty, staff, and students may forward email from their official College address to an alternate email address at their own risk; however, the College is not responsible for email that has been forwarded to any other address.
3.2.1.6. Subject to applicable policies and statutes, students who have registered and paid their fees are allowed to use Lamar State College-Orange’s information resources for school-related and personal purposes. Personal use must not result in any additional expense to the College or violate restrictions detailed in section 4 (below). The Lamar State College-Orange NetIDs of graduating students are deactivated ninety (90) days after graduation. Continuing students may retain their Lamar State College-Orange NetIDs as long as they remain enrolled for the current or a future semester.
3.2.1.7. Employees of Lamar State College-Orange are allowed to use Lamar State College-Orange’s information resources in the performance of their job duties as long as they adhere to all applicable policies and statutes. Incidental personal use of Lamar State College-Orange information resources by an employee is permitted, subject to review and reasonable restrictions by the employee’s supervisor. Such personal use must not violate any applicable policies and statutes, must not interfere with the employee’s job performance, and must not result in any additional expense to the College. Employees may obtain a Lamar State College-Orange NetID upon verification of employment by the appropriate administrative head.
An employee’s access to Lamar State College-Orange’s information resources will be terminated immediately upon the employee’s separation from employment at Lamar State College-Orange. There are two limited exceptions to this access termination requirement:
i. A Lamar State College-Orange retiree retains access to the information resources specified in LSC-O Administrative Policy and Procedures 6.1, Retirement;
ii. Former employees retain access to the College’s web-enabled, employee self-service (SSB) functions for a period not to exceed 90 calendar days following the date of separation. Examples of these SSB functions include retrieval of remuneration statements, mailing address updates, and similar functions that afford access only to the former employee’s personal information.
Other exceptions require specific, prior authorization from the College President.
3.2.1.8. Censorship is not compatible with the goals of Lamar State College-Orange. The College will not limit access to any information due to its content, as long as it meets the standard of legality. The College reserves the right, however, to place reasonable time, place and manner restrictions on expressive activities that use its information resources.
3.2.1.9. Lamar State College-Orange’s information resources are subject to review and disclosure in accordance with:
i. the Texas Public Information Act and other laws (see Appropriate Release of Information);
ii. other policies or legal requirements, such as subpoenas and court orders;
iii. efforts to protect and sustain their operational integrity;
iv. security reviews or audits; and
v. such other purposes required to protect the College’s interests and those of other users.
Users should not expect privacy from disclosure in any messages or other use of Lamar State College-Orange's information resources.
Anyone using Lamar State College-Orange’s information resources expressly consents to monitoring by the College for these purposes and is advised that if such monitoring reveals possible evidence of criminal activity, College administration may provide that evidence to law enforcement officials. Further, all users should understand that while the College takes reasonable precautions, it is unable to guarantee the protection of electronic files, data, or e-mails from unauthorized or inappropriate access.
3.2.1.10. Intellectual property laws extend to the electronic environment. Users should assume that works communicated through Lamar State College-Orange computer networks are subject to copyright laws, unless specifically stated otherwise.
3.2.1.11. Information resources are considered valuable assets of the College. Further, computer software purchased or licensed by the College is the property of the College or the company from whom it is licensed. Any unauthorized access, use, alteration, duplication, destruction, or disclosure of any of these assets may constitute a computer-related crime, punishable under Texas and federal statutes.
4.1.1. This policy is intended to promote the appropriate management of College servers and, in doing so, achieve consistency, increase availability and security, facilitate disaster recovery, coordinate technical operations and apply sound Information Technology management practices consistently throughout the institution.
4.2. GENERAL REQUIREMENTS
4.2.1. Before connecting to the Lamar State College-Orange network, servers must comply with the General Requirements outlined in this policy. Departments should contact Technology Resources to determine what alternatives may exist to satisfy any server needs. If adequate resources do not already exist, Technology Resources will purchase and/or budget for a server adequate to address the requirements.
4.2.2. The Technology Resources network personnel are responsible for the placement, management, operation and security of LSC-O servers. Technology Resources personnel assure that the server is physically secured, that electronic access to the server is properly controlled, and server configuration is maintained within specified security and operational parameters.
4.2.3. IT Security maintains an internal server list that facilitates compliance with the mandated security efforts and assists in diagnosing, locating and mitigating security incidents on the campus network.
4.2.4. System administrators must subscribe to vendor notification and/or automated update services appropriate to the software hosted on their servers.
4.2.5. While this policy is meant to be a definitive policy and guide to effective server management at Lamar State College-Orange, it is recognized that not all specific situations and/or problems can be addressed by a policy.
4.2.6. Exceptions to this policy require collaboration with Technology Resources and may be granted only by the Coordinator of Information Resources or a designee.
4.3.1. IT Security routinely scans the network to monitor compliance with this policy. Devices discovered acting in a server capacity will be removed from the campus network with the concurrence of the Coordinator of Information Resources.
4.3.2. Emergency circumstances: IT Security will attempt to notify the server administrator when it determines that a server presents an unacceptable risk to College information resources, i.e., when a server has been compromised, when it is a threat to other network users, or when its defenses against compromise are inadequate for the purpose it serves. If the server administrator cannot be contacted or will not act immediately, Technology Resources may remove the offending server from the network and work with the server owner to remedy the threat and recertify the server.
5.1. The following actions constitute inappropriate use of the College's information resources and are strictly prohibited for all users.
5.1.1. Use of College information resources for illegal activities or purposes. The College may deal with such use appropriately, and may report such use to law enforcement authorities. Illegal activities or purposes include unauthorized access, intentional corruption or misuse of information resources, theft, obscenity, and child pornography.
5.1.2. Failure to comply with laws, policies, procedures, license agreements, and contracts that pertain to and limit the use of the College's information resources.
5.1.3. The abuse of information resources includes any willful act that: endangers or damages any specific computer software, hardware, program, network, data or the system as a whole, whether located on campus or elsewhere on the global Internet; creates or allows a computer malfunction or interruption of operation; injects a computer virus or worm into the computer system; sends a message with the intent to disrupt College operations or the operations of outside entities; produces output that occupies or monopolizes information resources for an unreasonable time period to the detriment of other authorized users; consumes an unreasonable amount of communications bandwidth, either on or off campus, to the detriment of other authorized users; or fails to adhere to time limitations that apply at particular computer facilities on campus.
5.1.4. Use of College information resources for personal financial gain or commercial purpose.
5.1.5. Failure to protect a password or Lamar State College-Orange NetID from unauthorized use.
5.1.6. Falsely representing one’s identity through the use of another individual’s Lamar State College-Orange NetID or email alias, or permitting the use of a NetID and password by someone other than their owner.
5.1.7. Unauthorized use of or access to any electronic file.
5.1.8. Unauthorized use, access, duplication, disclosure, alteration, damage, or destruction of data contained on any electronic file, program, network, web page, or College hardware or software.
5.1.9. Unauthorized duplication, use or distribution of software and other copyrighted digital materials (including copyrighted music, graphics, etc.) is a violation of this policy. All software and many other digital materials are covered by some form of copyright, trademark, license or agreement with potential civil and criminal liability penalties. Exceptions must be specifically authorized by the copyright or trademark holder or by the fair use provisions of the copyright law.
5.1.10. Participating or assisting in the deliberate circumvention of any security measure or administrative access control that pertains to College information resources.
5.1.11. Using College information resources in a manner that violates other College policies, such as racial, ethnic, religious, sexual or other forms of harassment.
5.1.12. Using College information resources to knowingly transmit spam mail, chain letters, malicious software (e.g., viruses, worms, or spyware), or personal advertisements, solicitations or promotions.
5.1.13. Modifying any wiring or attempting to extend the network beyond the port (i.e., adding hubs, switches or similar devices) in violation of the College’s Network Use Policy, Section 2 above.
5.1.14. Using Lamar State College-Orange’s information resources to affect the result of a local, state, or national election or to achieve any other political purpose.
5.1.15. Using Lamar State College-Orange’s information resources to state, represent, infer, or imply an official College position without appropriate authorization.
6.1. Each user shall utilize College information resources responsibly and respect the needs of other users.
6.2. Each person is responsible for any usage of his or her Lamar State College-Orange NetID. Users must maintain the confidentiality of their password(s).
6.3. A user must report any abuse or misuse of information resources or violations of this policy to their department head or to the Coordinator of Information Resources.
6.4. When communicating with others via College information resources (e.g., e-mail), a user's communications should reflect high ethical standards, mutual respect and civility.
6.5. Users are responsible for obtaining and adhering to relevant, acceptable network use policies, Section 3.3 above.
6.6. Administrative heads and supervisors must report ongoing or serious problems regarding the use of Lamar State College-Orange information resources to the Coordinator of Information Resources.
7. Access To College Information Resources By Auditors
7.1. There will be occasions when auditors may require access to Lamar State College-Orange information resources. Access is permitted in accordance with these guidelines.
7.2. Internal auditors from Lamar University shall be allowed access to all College activities, records, property, and employees in the performance of their duties, as approved by the Office of the President.
7.3. The Director of Internal Audit for Lamar University shall notify the Office of the President and Coordinator of Information Resources prior to accessing individual data files.
7.4. State and federal auditors will be granted access to College information resources and data files on an as needed basis, as approved by the Office of the President.
8. Liability For Failure To Adhere To This Policy
8.1. Failure to adhere to this policy may lead to the revocation of a user’s Lamar State College-Orange NetID, suspension, dismissal, or other disciplinary action by the College, as well as referral to legal and law enforcement agencies.
8.2. Statutes pertaining to the use of College information resources include the following:
8.2.1. Texas Administrative Code, Title 1, Part 10, Chapter 202 - Regulations from the Department of Information Resources establishing requirements for State agencies regarding computer security.
8.2.2. Texas Penal Code, Chapter 33: Computer Crimes - Texas law pertaining to computer crimes. This statute specifically prohibits unauthorized use of College computers, unauthorized access to stored data, or dissemination of passwords or other confidential information to facilitate unauthorized access to the College’s computer system or data.
8.2.3. Texas Penal Code, § 37.10: Tampering with Governmental Record - Prohibits any alteration, destruction, or false entry of data that impairs the validity, legibility or availability of any record maintained by the College.
8.2.4. United States Code, Title 18, Chapter 47, § 1030: Fraud and Related Activity in Connection with Computers - Federal law specifically pertaining to computer crimes. Among other stipulations, prohibits unauthorized and fraudulent access to information resources.
8.2.5. Computer Fraud and Abuse Act (Part of Title 18, Chapter 47, U.S.C. § 1030) - Makes it a crime to access a computer to obtain restricted information without authorization; to alter, damage, or destroy information on a government computer; and to traffic in passwords or similar information used to gain unauthorized access to a government computer.
8.2.6. The Computer Abuse Amendments Act of 1994 (Part of Title 18, Chapter 47, U.S.C. § 1030) - Expands the Computer Fraud and Abuse Act of 1986 to address the transmission of viruses and other harmful code.
8.2.7. Federal Copyright Law - Recognizes that all intellectual works are automatically covered by copyright. The owner of a copyright holds the exclusive right to reproduce and distribute the work.
8.2.8. Digital Millennium Copyright Act - Signed into law on October 20, 1998, as Public Law 105-304. Created to address the digitally networked environment, the DMCA implements the WIPO Internet Treaties; establishes safe harbors for online service providers; permits temporary copies of programs during the performance of computer maintenance; and makes miscellaneous amendments to the Copyright Act, including amendments that facilitate Internet broadcasting.
8.2.9. Electronic Communications Privacy Act (U.S.C., Title 18) - Prohibits the interception or disclosure of electronic communication and defines those situations in which disclosure is legal.
8.2.10. Computer Software Rental Amendments Act of 1990 - Deals with the unauthorized rental, lease, or lending of copyrighted software.
8.2.11. Texas Government Code § 556.004 - Prohibits using state resources or programs to influence elections or to achieve any other political purpose.
9.1. Information Resources Security Manual
9.2. Appropriate Release of Information
| Policy: | Whistle Blower |
| Scope: | Faculty and Staff |
| Policy Number: | 5.12 |
WHISTLE BLOWING
An agency may not suspend or terminate the employment of, or otherwise discriminate against, a public employee who reports a violation of the law to the appropriate law enforcement authority if the employee’s report is made in good faith. A public employee who alleges a violation of this provision may sue for injunctive relief, actual and punitive damages, court costs, and reasonable attorney’s fees. Also, an employee whose employment is wrongfully suspended or terminated is entitled to reinstatement to his or her former position, compensation of lost wages, and reinstatement of lost fringe benefits and seniority rights. If an employee decides to sue, he or she must have initiated the grievance and have exhausted the appeal procedures no later than 90 days after the alleged violation occurred or was discovered by the employee.
(Texas Government Code, Chapter 554)
| Policy: | Open Records Act |
| Scope: | Faculty and Staff |
| Policy Number: | 5.13 |
Texas Public Information Act
The Texas Public Information Act took effect on June 14, 1973. Its broad purpose is to provide the public access and information about the affairs of government and the official acts of public officials and employees. The Act makes public agency files available to the public with some exceptions. For example, a former employee or official of a governmental body may choose whether to allow public access to information in the custody of the government body that relates to the person’s: (1) home address, (2) home telephone number, (3) social security number, or (4) information that reveals whether the person has family members. Effective September 1, 1995, the employee, official or former employee must declare this information as confidential or the information will be subject to public access.
Lamar State College-Orange employees make the election whether or not to have this information remain confidential when the Personnel Event Form is completed. Should the employee wish to change his/her election, a new Personnel Event Form must be completed.
Requests for public information must be in writing and provided to the requester (or sent within 10 calendar days to the Attorney General for a ruling as to whether or not the request must be honored). Student educational records, certain audit documents, high-level policy memoranda, and employee records (disclosure of which would constitute a clearly unwarranted invasion of privacy) are generally exempt from disclosure.
(Texas Government Code, Chapter 552)
| Policy: | Sexual Harassment |
| Scope: | Faculty and Staff |
| Policy Number: | 5.14 |
It is the policy of Lamar State College-Orange that no employee, student, or contractor of the College may sexually harass another person. Any employee, student, or contractor will be subject to disciplinary action up to and including dismissal for a violation of this policy. Rules and Regulations, the Texas State University System, VII-8.0. Lamar State College-Orange shall distribute the policy on Sexual Harassment to all employees on an annual basis.
Lamar State College-Orange strives to provide an educational and working environment for its students, faculty, and staff free of intimidation and harassment. Sexual harassment is sex discrimination and is, therefore, a violation of the 1964 Civil Rights Act.
Sexual harassment is defined as unwelcome sexual advances, requests for sexual favors, and other verbal or physical conduct of a sexual nature when: 1) submission to such conduct is made either explicitly or implicitly a term or condition of an individual’s employment or academic career; 2) submission to or rejection of such conduct by an individual is used as the basis for employment or academic decisions affecting the individual; 3) such conduct has the purpose or effect of unreasonably interfering with an individual’s performance or creating an intimidating, hostile, or offensive employment or academic environment; 4) submission to or rejection of such conduct by a student is used as a basis for evaluating such student’s academic performance; or 5) such conduct has the purpose of unreasonably interfering with a student’s academic or extracurricular activity or creating an intimidating, hostile, or offensive environment.
In determining whether alleged conduct constitutes sexual harassment, Lamar State College-Orange shall construe any act or omission within the totality of circumstances, such as the nature of the conduct and the context in which the alleged incidents occurred. Lamar State College-Orange will take immediate corrective actions if prohibited conduct occurs. The direct supervisor will be responsible for continued monitoring of the circumstances surrounding the complaint to assure the situation has been remedied.
Lamar State College-Orange may not dismiss a complaint once registered with the appropriate authority until the case has been resolved. The College may take appropriate disciplinary action for any sexual harassment occurring in the employment or academic environment even in the absence of an individual complaint. Disciplinary action may consist of action up to and including termination of employment or, in the case of a student, dismissal from the College. If disciplinary action is imposed for engaging in sexual harassment, the individual may invoke the applicable due process procedures.
To the fullest extent practicable, Lamar State College-Orange shall keep complaints of sexual harassment and the terms of their resolution confidential.
Any employee or student who thinks he/she is the victim of sexual harassment should clearly communicate to the offender that the behavior is unwelcome and must cease immediately. If the behavior continues, the victim should lodge a complaint against the offender. A complaint may be filed with the appropriate resource person.
All complaints are considered informal until they are filed in writing. The steps for seeking an informal resolution are as follows:
the offended individual should report the incident(s) to the Vice President for Academic Affairs if the complaint is against a faculty member, the Dean of Student Services if the complaint is against a student, or the appropriate Division head if the complaint is against a staff member. Complaints against the employee’s direct supervisor may be filed with any other of the above officials. Any employee contacted about an alleged sexual harassment incident is required to then notify the Human Resources Director
the college official will work with the complainant to determine the extent of the alleged sexual harassment
the evidence presented will be reviewed to determine if there is cause to believe that a sexual harassment violation occurred
if in the judgment of the college official a violation did not occur, the complainant will be so advised and given a verbal explanation of why the incident(s) described does not constitute sexual harassment
if the complainant does not agree with this decision, the complainant will be given the opportunity to file a formal written complaint
if the college official has cause to believe sexual harassment did occur, the complainant will be given the option of filing a formal complaint or pursuing an informal resolution
if the complainant chooses to pursue the informal resolution, the college official will notify the person being charged that an informal complaint has been filed against him/her and the complainant wishes to seek an informal resolution to the problem. The charged party will be given an opportunity to confirm or rebut the charge. The college official will then meet with both parties together or independently and try to reach a mutually agreeable resolution.
if a resolution is not achieved, the charging party will be given the opportunity to file a written formal complaint
the College may elect to pursue the charge even if the complainant does not elect to proceed.
To be considered a formal complaint, the complaint must be submitted to the appropriate college official in writing within ninety (90) days of the most recent incident and must include the resolution being sought. Complaints filed against a faculty member should be directed to the Vice President for Academic Affairs; complaints against a staff member should be directed to the appropriate Division head; and complaints against a student should be directed to the Dean of Student Services. Complaints against the employee’s direct supervisor may be filed with any other of the above College officials. Any employee contacted about a complaint of sexual harassment should immediately contact the Human Resources Director. Appeals must be filed within five (5) working days of receiving an answer and each step should be completed within ten (10) working days.
Step One
the college official will review the written complaint with the charging party
if the college official does not feel there is cause to believe that sexual harassment occurred, he/she will so advise the complainant in writing stating the reason(s) for the decision
if the college official thinks there is cause to believe that sexual harassment did occur, he will notify the charged party that he/she has been formally charged with sexual harassment and give him/her a copy of the written charge. The accused party will be given the opportunity to confirm or rebut the charge in writing.
the college official will then meet with both parties either together or separately and try to reach a mutually agreeable resolution
Step Two
if a solution is not reached in Step One, the college official and the Human Resources Director will meet with both parties, either together or separately, to review both sides of the issue
the college official and the Human Resources Director will then mutually agree on a resolution which will be communicated in writing to both parties
both parties will be instructed by the Human Resources Director to comply with the terms of the resolution
Step Three
the decision may be appealed by either party to the President by submitting a written statement to the Human Resources Director. The appeal must include the basis for the appeal and the remedy sought.
the President will take whatever action he feels appropriate to resolve the complaint. The President’s decision is final and binding.
If a complaint, whether informal or formal, is filed against a college official or the Human Resources Director, the functions assigned to the person by these procedures will transfer to the President or his designee.
The complainant and the respondent both have the right to bring an advisor to the meeting. The advisor may not act as a participant, but may render consultation to the advisee. If either party chooses to exercise this option, he/she shall submit the name of the advisor in writing to the Human Resources Director at least forty-eight (48) hours prior to the meeting.
Retaliation or reprisal by the College or by any member of the College community against anyone who has articulated a concern about harassment, resisted harassment, participated or cooperated in a complaint investigation or hearing, or filed a complaint alleging harassment is illegal. Such retaliation is also prohibited by this policy. Prohibited retaliatory conduct includes, but is not limited to, changing work or class assignments, or otherwise interfering with work or school performance. Retaliatory conduct is grounds for appropriate disciplinary action, up to and including discharge or expulsion.
| Policy: | Racial Harassment |
| Scope: | Faculty and Staff |
| Policy Number: | 5.15 |
Lamar State College-Orange shall provide equal educational opportunities for all students and equal employment opportunities for all applicants and employees and otherwise foster an environment free of racial intimidation, humiliation, and harassment. Racial harassment, as defined herein, is expressly prohibited. Rules and Regulations, the Texas State University System, Section VII-7.0
"Racial Harassment" is defined as extreme or outrageous acts or communications that are intended to harass, intimidate, or humiliate students, faculty, staff or visitors on account of race, color, or national origin and that reasonably cause them to suffer severe emotional distress. It is a violation of this policy for any student, faculty, or staff member to engage in racial harassment of any person on campus or in connection with a campus-sponsored activity.
It is a violation for any student, faculty or staff member to use authority granted by state law, by system rule, or by college policy to deprive any person of his or her civil rights on campus or in connection with a college sponsored activity.
If a violation of this policy is committed on campus or in connection with a college-sponsored activity because of the race, color or national origin of any person harmed by such violation, the violator’s discriminatory purpose shall be treated as an aggravating factor for the purpose of determining the appropriate penalty.
Student, faculty and staff member offenders are subject to disciplinary action as appropriate under the circumstances up to and including dismissal for violation of this policy.
Any employee, student or visitor who thinks he/she is the victim of racial harassment should lodge a complaint against the offender. A complaint should be filed with the appropriate College official: 1) the Vice President for Academic Affairs if it is against a faculty member, 2) the appropriate Division head if it is against a staff member, or 3) the Dean of Student Services if it is against a student. If the complaint is against one of the above officials, the complaint may be filed with any other of the above College officials. Any employee contacted about a complaint of racial harassment should immediately contact the Human Resources Director.
All complaints are considered informal until they are filed in writing. The steps for seeking an informal resolution are as follows:
the offended individual should report the incident(s) to the appropriate college official or the Human Resources Director
the college official will work with the complainant to determine what evidence exists for the charge of racial harassment
the evidence presented will be reviewed to determine if there is cause to believe a violation of racial harassment occurred
if in the judgment of the college official a violation did not occur, the complainant will be so advised and given a verbal explanation of why the incident(s) described does not constitute racial harassment
if the complainant does not agree with this decision, the complainant will be given the opportunity to file a formal written complaint
if the college official has cause to believe racial harassment did occur, the complainant will be given the opportunity to file a formal complaint or pursue an informal resolution
if the complainant chooses to pursue the informal resolution, the college official will notify the person charged that an informal complaint has been filed against him/her and the complainant wishes to seek an informal resolution to the problem. The charged party will be given an opportunity to confirm or rebut the charge. The college official will then meet with both parties together or independently and try to reach a mutually agreeable resolution.
if a resolution is not achieved, the charging party will be given the opportunity to file a written formal complaint
the College may elect to pursue the charge even if the complainant does not elect to proceed.
To be considered a formal complaint, the complaint must be submitted to the appropriate college official in writing within ninety (90) days of the most recent incident and must include the resolution being sought. A complaint should be filed with 1) the Vice President for Academic Affairs if it is against a faculty member, 2) the appropriate Division head if it is against a staff member, or 3) the Dean of Student Services if it is against a student. If the complaint is against one of the above officials, the complaint may be filed with any of the above College officials. Any employee contacted about a complaint of racial harassment should immediately contact the Human Resources Director. Appeals must be filed within five (5) working days of receiving an answer and each step should be completed within ten (10) working days.
Step One
the college official will review the written complaint with the charging party
if the college official does not feel there is cause to believe that racial harassment occurred, he/she will so advise the complainant in writing stating the reason(s) for the decision
if the college official thinks there is cause to believe that racial harassment did occur, he/she will notify the charged party that he/she has been formally charged with racial harassment and give him/her a copy of the written charge. The accused party will be given the opportunity to confirm or rebut the charge in writing.
the college official will then meet with both parties either together or separately and try to reach a mutually agreeable resolution
Step Two
if a solution is not reached in Step One, the college official and the Human Resources Director will meet with both parties, either together or separately, to review both sides of the issue
the college official and the Human Resources Director will then mutually agree on a resolution which will be communicated in writing to both parties
both parties will be instructed by the Human Resources Director to comply with the terms of the resolution
Step Three
the decision may be appealed by either party to the President by submitting a written statement to the Human Resources Director. The appeal must include the basis for the appeal and the remedy sought.
the President will take whatever action he feels appropriate to resolve the complaint. The President’s decision is final and binding.
Lamar State College-Orange may take appropriate disciplinary action for any racial harassment occurring in the employment or academic environment even in the absence of an individual complaint. Disciplinary action may consist of action up to and including termination of employment or, in the case of a student, dismissal from the College. If disciplinary action is imposed, the accused shall have his/her full right to invoke applicable due process procedures.
If a complaint, whether informal or formal, is filed against a resource person or the Human Resources Director, the functions assigned to the person by these procedures will transfer to the President or his designee.
The complainant and the respondent both have the right to bring an advisor to the meeting. The advisor may not act as a participant, but may render consultation to the advisee. If either party chooses to exercise this option, he/she shall submit the name of the advisor in writing to the Human Resources Director at least forty-eight (48) hours prior to the meeting.
Under no circumstances will Lamar State College-Orange knowingly sanction or permit retaliation against an individual in any way as a result of seeking relief under this policy.
| Policy: | Prohibition of Handguns on Campus |
| Scope: | Faculty and Staff |
| Policy Number: | 5.16 |
It is a violation of the Texas State University System Rules and Regulations to possess, carry or otherwise cause a handgun--licensed or otherwise, concealed or otherwise--to be brought on the premises of a System component. "Premises of a System component" as used in this section means a structure and the land, including appurtenances, on which the structure is situated, over which this Board has ownership or control. Specifically, this includes, but is not limited to, System campuses, the System Administrative Office, leased facilities or other facilities when a System or campus function, event, or activity takes or is taking place. This prohibition shall not apply to academic programs or to college sponsored or approved events in which the college explicitly authorizes the use of handguns. Nor shall it be a violation of this rule to transport firearms and/or handguns for registration with and storage by the college public safety office.
| Policy: | Specialized Training Reimbursement Policy |
| Scope: | Faculty and Staff |
| Policy Number: | 5.17 Revised 3/03 |
Any employee receiving funds to pay for specialized training (costing in excess of $500) will be required to sign an agreement to reimburse Lamar State College-Orange for all the costs of training if the person resigns within twelve months of the date of the specialized training.
The employee must also agree that all materials obtained during the specialized training are the property of the College. The employee will be held accountable for the materials at the time of termination.
Training Reimbursement Agreement forms must be submitted along with the Request to Travel at College Expense. Forms will be available from departmental secretaries.
The 77th Legislature stated its intent that state agencies and institutions of higher education should use Internet-based training to the extent available and appropriate.
| Policy: | Personal Appearance |
| Scope: | Faculty and Staff |
| Policy Number: | 5.18 |
Lamar State College-Orange expects all employees to practice good personal hygiene, use good judgment in their choice of personal grooming techniques, and to dress in a manner that is both professional and suited to their specific job responsibilities. Departments/divisions may define specific dress requirements that are appropriate for an employee’s job duties and/or working environment.
In addition, a personal interest should be taken in seeing that work areas are kept in a neat and orderly fashion. Employees should be mindful of the fact that Lamar State College-Orange is a public institution and that appearance is a reflection on the college.
All employees of Lamar State College-Orange are also employees of the State of Texas. Employees are expected to conduct themselves in a manner that reflects credit both on the College and the State.
| Policy: | Open Flame Policy |
| Scope: | Faculty and Staff |
| Policy Number: | 5.19 |
The potential for loss of lives as well as property should a fire occur on campus is of utmost concern. Lit candles, burning incense, and all other displays or applications of open flames or embers are strictly forbidden.
| Policy: | Key Control Policy |
| Scope: | Faculty and Staff |
| Policy Number: | 5.20 |
The President of Lamar State College-Orange is authorized by the Board of Regents of the Texas State University System to establish and administer regulations and procedures to provide for the security of campus buildings, equipment, and personnel. This includes the installation and maintenance of a key system and policies governing the use of that system. In accordance with this policy, the President has delegated the administration of the Key Control System to the Director of Campus Security.
COLLEGE KEYS: Those keys which open buildings, interior doors and other locks in Lamar State College-Orange (LSCO) facilities, including all furniture and equipment.
CENTRAL KEY CONTROL FILE: Records maintained by Campus Security identifying keys by number and assignment. These files also include key/lock authorization requests and key issue record forms with signatures of personnel possessing campus keys. Confidentiality of this information will be maintained under the authority of the President.
KEY CONTROL METHODS: Methods used by Campus Security and Physical Plant to restrict access to facilities and equipment to those personnel who are properly authorized to use the facilities and/or equipment.
KEYING SYSTEM: Hardware (locks and keys) and pin/tumbler combinations used to control access.
Exterior access to facilities is generally available to faculty, staff, and students from 7 a.m. to 10 p.m., Monday through Thursday, and from 7 a.m. to 5 p.m. on Fridays. Weekend hours vary according to class schedules. Employees may request building access keys for use after hours. Employees receiving building access keys must agree to follow entrance/exit procedures and sign a waiver of liability acknowledging the absence of campus security during after hour periods.
Duplication of keys by anyone other than the person designated by the Director of Campus Security is prohibited.
The Director of Campus Security, working in conjunction with the Director of Physical Plant, will create and administer a keying system and key control file.
The Director of Physical Plant will designate a key mechanic who will maintain all campus locks and manufacture keys as needed. No other person is authorized to install, alter, or remove locks without the approval of the President or the Director of Campus Security.
Supervisors must review and approve all key requests originating in their department.
Supervisors must report to the Director of Campus Security any key holder who is terminating employment or transferring to a different position.
Supervisors must report any loss of keys to the Director of Campus Security.
Key holders must complete and sign a key issue record upon receipt of any key.
Key holders must immediately report any loss or theft of a key to the Director of Campus Security.
Key holders are expected to be responsible for all keys issued to them and to carry the issued keys on their person. In an emergency, security or maintenance personnel may be asked to unlock doors, but it should be understood that unlocking doors is not the primary responsibility of either security or maintenance personnel.
Keys are issued for the use of the recipient only and should not be "loaned" to other parties. The key holder is responsible for the loss, theft, or misuse of a "loaned" key.
Special security locks and keys for areas of special consideration may be permitted only upon approval from the President.
No individual may use a personal lock for space control, nor may locks be changed or re-keyed without prior approval from the President or the Director of Campus Security.
Keys will be issued to all full-time employees who need regular access to specific work areas, equipment, and storage facilities. Key requests originate with supervisors and require approval from the Director of Campus Security and/or the President. Part-time employees are eligible to receive keys as needed.
Students and student employees are not eligible to receive keys unless the keys provide access to specific student activity or student organization offices. Keys can only be issued with the written approval of the Vice President for Student Services.
Employees needing short term access to a facility can request a temporary key assignment. Each request must indicate the need for the temporary key and the date it will be returned. Temporary keys must be returned to the Director of Campus Security on or before the indicated return date.
Master keys may be issued to employees only when authorized in writing by the President.
Eligibility to possess any LSCO key(s) may be terminated at any time.
The President is authorized to require payment of a reasonable cost to the College for each key lost or not returned to the Director of Campus Security. The Department where the individual is (was) employed is responsible for the costs if the College is unable to secure payment by the individual.
Lost or unreturned keys (issued to single user): $10 per each key lost and $20 for every cylinder that is re-keyed.
Lost or unreturned keys (same key issued to multiple users): $10 per each key that must be replaced plus $20 for each cylinder that must be re-keyed.
Lost or unreturned master key (controls access to a portion of a building): $50 each plus $20 for each cylinder that must be re-keyed.
Lost or unreturned grand master key (controls access to entire building): cost of re-keying entire building.
Lost or unreturned great grand master (accesses all campus facilities): cost of re-keying entire campus.
