Information Security Policy: I-A

Purpose and Benefits

This policy defines the mandatory minimum information security requirements for South Plains College (SPC). Based on its individual business needs and specific legal, state, and federal requirements, any SPC entity may exceed the security requirements in this document but must, at a minimum, achieve the security levels required by this policy.

This policy is an umbrella document for all other security policies and associated standards. This policy defines the responsibility to:

  • protect and maintain the confidentiality, integrity, and availability of information and related infrastructure assets;
  • manage the risk of security exposure or compromise;
  • assure a secure and stable information technology (IT) environment;
  • identify and respond to events involving information asset misuse, loss, or unauthorized disclosure;
  • monitor systems for anomalies that might indicate compromise; and
  • promote and increase the awareness of information security.

Failure to secure and protect the confidentiality, integrity, and availability of information assets in today’s highly networked environment can damage or shut down systems that operate critical infrastructure, financial and business transactions, and vital government functions, compromise data, and result in legal and regulatory non-compliance.

This policy benefits entities by defining a framework that will ensure appropriate measures are in place to protect the confidentiality, integrity, and availability of data and that staff and all other affiliates understand their role and responsibilities, have adequate knowledge of security policy, procedures, and practices, and know how to protect information. 

Scope

This policy encompasses all automated and manual systems for which SPC Information Services (SPC-IS) has administrative responsibility, including systems managed or hosted by third parties on behalf of SPC-IS. It addresses all information created or used to support business activities regardless of form or format.


Information Statement

Organizational Security

  1. Texas Administrative Code (TAC §202.70) defines the role and responsibilities of the information risk management (IRM) function. TAC §202.71 establishes the role and responsibilities of the Information Security Officer (ISO) function. SPC has designated the IRM function as the responsibility of the college President and the ISO function as the responsibility of the Associate Dean for Information Services (CIO). The designated individuals are filed with the Texas Department of Information Resources (DIR) and updated every two years.
    1. SPC has designated an individual or group responsible for the risk management function, assuring that:
      1. Risk-related considerations for information assets and individual information systems, including authorization decisions, are viewed as an enterprise decision about the overall strategic goals and objectives of carrying out SPC's core mission and business functions and
      2. the management of information assets and information system-related security risks is consistent, reflects risk tolerance, and is considered along with other types of risks to ensure mission/business success.
    2. The Information Security Officer (ISO) or designated security representative is responsible for technical information security. This function will evaluate and advise on information security risks.
  2. Information security risk decisions must be made through consultation with both functional areas described above.
  3. Although the information security functions may be outsourced to third parties, SPC retains overall responsibility for the security of its information.

Functional Responsibilities

Executive management (IRM) is responsible for:

  1. evaluating and accepting risk on behalf of SPC;
  2. recognizing information security responsibilities and goals and integrating them into relevant processes;
  3. supporting the consistent implementation of information security policies and standards;
  4. supporting security through clear direction and demonstrated commitment to appropriate resources;
  5. promoting awareness of information security best practices through the regular dissemination of materials provided by the ISO or designated security representative;
  6. overseeing the process for determining information classification and categorization based on industry-recommended practices, organization directives, and legal and regulatory requirements to determine the appropriate levels of protection for that information;
  7. overseeing the process for information asset identification, handling, use, transmission, and disposal based on information classification and categorization;
  8. overseeing who will be assigned and serve as information owners while maintaining ultimate responsibility for the confidentiality, integrity, and availability of the data;
  9. participating in the response to security incidents;
  10. complying with notification requirements in the event of a breach of private information;
  11. adhering to specific legal and regulatory requirements related to information security;
  12. communicating legal and regulatory requirements to the ISO or designated security representative; and
  13. communicating the requirements of this policy and the associated standards, including the consequences of non-compliance, to the workforce and third parties and addressing adherence to third-party agreements.

The ISO or designated security representative is responsible for:

  1. maintaining familiarity with business functions and requirements;
  2. maintaining an adequate level of current knowledge and proficiency in information security through annual Continuing Professional Education (CPE) directly related to information security;
  3. assessing compliance with information security policies and legal and regulatory information security requirements;
  4. evaluating and understanding information security risks and how to appropriately manage those risks;
  5. representing and assuring security architecture considerations are addressed;
  6. advising on security issues related to the procurement of products and services;
  7. escalating security concerns that are not being adequately addressed according to the applicable reporting and escalation procedures;
  8. communicating threat information to appropriate parties;
  9. participating in the response to potential security incidents;
  10. participating in the development of enterprise policies and standards that consider SPC’s needs and
  11. promoting information security awareness.

IT management is responsible for:

  1. supporting security by providing clear direction and consideration of security controls in the data processing infrastructure and computing network(s) that support the information owners;
  2. providing the resources needed to maintain a level of information security control consistent with this policy;
  3. identifying and implementing all processes, policies, and controls relative to security requirements defined by the business and this policy;
  4. implementing the proper controls for information owned based on the classification designations;
  5. providing training to appropriate technical staff on secure operations (e.g., secure coding, secure configuration);
  6. fostering the participation of information security and technical staff in protecting information assets and in identifying, selecting, and implementing appropriate and cost-effective security controls and procedures; and
  7. implementing business continuity and disaster recovery plans.

The workforce is responsible for:

  1. understanding the baseline information security controls necessary to protect the confidentiality, integrity, and availability of information entrusted;
  2. protecting information and resources from unauthorized use or disclosure;
  3. protecting personal, private, and sensitive information from unauthorized use or disclosure;
  4. abiding by the Acceptable Use of Information Technology Resources Policy (I-C); and
  5. reporting suspected information security incidents or weaknesses to the appropriate manager, ISO, or designated security representative.

Separation of Duties

  1. Where appropriate, separation of duties and areas of responsibility must be implemented to reduce the risk of accidental or deliberate system misuse.
  2. Whenever separation of duties is not feasible, other compensatory controls such as activity monitoring, audit trails, and management supervision must be implemented.
  3. The audit and approval of security controls must remain independent and segregated from their implementation.

1.    Data Risk Management

Associated Standard: Data Classification and Security Planning Policy: I-B

  1. Any system or process that supports business functions must be appropriately managed for information risk and undergo information risk assessments, at a minimum annually, as part of a secure system development life cycle.
  2. Information security risk assessments are required for new projects, implementations of new technologies, significant changes to the operating environment, or in response to the discovery of a significant vulnerability.
  3. Entities are responsible for selecting the risk assessment approach they will use based on their needs and any applicable laws, regulations, and policies.
  4. Risk assessment results and the decisions made based on these results must be documented.

2.    Data Classification and Handling

Associated Standard: Data Security Risk Management Standard: I-B(a)

Associated Standard: Data Classification Standard: I-B(c)

Associated Standard: Sanitation and Secure Disposal Standard: I-E(e)

  1. All information created, acquired, or used to support SPC business activities must only be used for its intended purpose.
  2. All information must be classified continuously based on its confidentiality, integrity, and availability characteristics, and an information owner must be established within the lines of business.
  3. Information must be managed appropriately from its creation, through authorized use, to proper disposal.
  4. Merging of information that creates a new information asset or situations that create the potential for merging (e.g., backup tape with multiple files) must be evaluated to determine if a new classification of the merged data is warranted.
  5. All reproductions of information in its entirety must carry the same confidentiality classification as the original. Partial reproductions must be evaluated to determine whether a new classification is warranted.
  6. Each classification has an approved set of baseline controls designed to protect these classifications, which must be followed.
  7. The requirements for secure information handling must be communicated to the workforce.
  8. A written or electronic inventory of all information assets must be maintained.
  9. Content made available to the general public must be reviewed according to a process that will be defined and approved. The process must include reviewing and approving updates to publicly available content and considering the type and classification of information posted.
  10. PII must not be made available without appropriate safeguards approved by the ISO.
  11. For non-public information to be released outside of SPC’s control or shared between other entities, a process must be established that, at a minimum:
    1. evaluates and documents the sensitivity of the information to be released or shared;
    2. identifies the responsibilities of each party for protecting the information;
    3. defines the minimum controls required to transmit and use the information;
    4. records the measures that each party has in place to protect the information;
    5. defines a method for compliance measurement;
    6. provides a signoff procedure for each party to accept responsibilities; and
    7. establishes a schedule and procedure for reviewing the controls.

3.    IT Asset Management

Associated Standard: Secure Configuration Standard: I-E(c)

  1. All IT hardware and software assets must be assigned to a designated business unit or individual.
  2. SPC must maintain an inventory of hardware and software assets, including all system components (e.g., network address, machine name, software version), at a granularity deemed necessary for tracking and reporting. This inventory must be automated where technically feasible.
  3. Regular scanning processes must be implemented to identify unauthorized hardware or software and notify appropriate staff when discovered.
4.    Personnel Security

Associated Standard: Access Control Standard: I-D

Associated Policy: Security Awareness and Training Policy: I-G

  1. The workforce must receive general security awareness training, including recognizing and reporting insider threats, within 30 days of hire. Additional training on specific security procedures must be completed before access is provided to SPC sensitive information not covered in the general security training. All security training is reinforced annually and tracked.
  2. SPC requires its workforce to abide by the Acceptable Use of Information Technology Resources Policy, and an auditable process must be in place for users to acknowledge that they agree to comply with the policy’s requirements.
  3. All job positions must be evaluated to determine whether they require access to sensitive information or sensitive information technology assets.
  4. For those job positions requiring access to sensitive information and information technology assets, entities must conduct workforce suitability determinations unless prohibited by law, regulation, or contract. Depending on the risk level, suitability determinations may include, as appropriate and permissible, evaluation of criminal history record information or other reports from federal, state, and private sources that maintain public and non-public records. The suitability determination must provide reasonable grounds for SPC to conclude that an individual will likely be able to perform the required duties and responsibilities of the subject position without undue risk.
  5. SPC has established a process to periodically repeat or review suitability determinations upon change of job duties or position.
  6. SPC department heads are responsible for ensuring all issued property is returned before an employee’s separation, accounts are disabled, and access is removed immediately upon separation.

5.    Cyber Incident Management

Associated Standard: Incident Response Standard I-F(a)

  1. All observed or suspected information security incidents or weaknesses must be reported to appropriate management and the ISO or designated security representative as quickly as possible. If workforce members feel that cyber security concerns are not appropriately addressed, they may confidentially report them.
  2. The ISO or designated security representative must be notified of any cyber incident that may significantly or severely impact operations or security or involve digital forensics to follow proper incident response procedures and guarantee coordination and oversight.

6.    Physical and Environmental Security

Associated Policy: Physical and Environmental Protection Policy: I-H

  1. Information processing and storage facilities must have a defined security perimeter, appropriate security barriers, and access controls.
  2. Information processing and storage facilities must undergo periodic risk assessments to determine whether existing controls are operating correctly and whether additional physical security measures are necessary. These measures must be implemented to mitigate the risks.
  3. Information technology equipment must be physically protected from security threats and environmental hazards. Special controls may also be necessary to protect supporting infrastructure and facilities, such as electrical supply and cabling infrastructure.
  4. Per the information classification, all information technology equipment and media must be secured to prevent compromise of confidentiality, integrity, or availability.
  5. Visitors to information processing and storage facilities, including maintenance personnel, must always be escorted.

7.    Account Management and Access Control

Associated Policy: Access Control Policy: I-D

Associated Policy: MFA Policy: I-D(b)

Associated Standard: Auditing and Accountability Standard: I-D(c)

Associated Standard: Security Logging Standard: I-D(d)

Associated Standard: Remote Access Standard: I-D(e)

  1. Each account must have an individual employee or group responsible for account management. This may include the business unit and information technology (IT).
  2. Each employee or group is assigned a user ID. The user ID is associated with an authentication token (e.g., password, key fob, biometric) that must be used to authenticate the identity of the person or system requesting access. The User ID and the authentication token make up the access credentials.
  3. Except as described in the Account Management Access Control Standard: I-D(a), system access must be provided using individually assigned account credentials.
  4. Automated techniques and controls must be implemented to lock a session and require authentication or re-authentication after a period of inactivity for any system where authentication is required. Information on the screen must be replaced with publicly viewable information (e.g., screen saver, blank screen, clock) during the session lock.
  5. Automated techniques and controls must be implemented to terminate a session after specific conditions are met as defined in the Account Management Access Control Standard: I-D(a).
  6. Tokens used to authenticate a person or process must be treated as confidential and protected appropriately.
  7. Tokens must not be stored on paper or in an electronic file, hand-held device, or browser unless they can be stored securely and the method of storage (e.g., password vault) has been approved by the ISO or designated security representative.
  8. Information owners are responsible for determining who should have access to protected resources within their jurisdiction and what those access privileges should be (read, update, etc.).
  9. Access privileges will be granted per the user’s job responsibilities. They will be limited to those necessary to accomplish assigned tasks per SPC’s missions and business functions (i.e., least privilege).
  10. Users of privileged accounts must use a separate, non-privileged account when performing everyday business transactions (e.g., accessing the Internet, e-mail).
  11. Logon banners must be implemented on all systems to inform all users that the system is for business or other approved use consistent with policy and that user activities may be monitored. The user should not expect privacy.
  12. Advance approval for any remote access connection must be provided by the ISO or designated security representative. An assessment must be performed and documented to determine the scope and method of access, the technical and business risks involved, and the contractual, process, and technical controls required for such connection.
  13. All remote connections must be made through managed points-of-entry reviewed by the ISO or designated security representative.
  14. Working from a remote location must be authorized by management, and practices that assure the appropriate protection of data in remote environments must be shared with the individual before the individual is granted remote access.

8.    Systems Security

Associated Policy: Secure System Development Lifecycle Policy: I-E

Associated Standard: Configuration Management Standard: I-E(a)

Associated Standard: 802.11 Wireless Network Security Standard: I-D(f)

Associated Standard: Secure Coding Standard: I-E(f)

Associated Standard: Security Logging Standard: I-D(d)

  1. Systems include but are not limited to servers, platforms, networks, communications, databases, and software applications.
  2. An individual or group must maintain and administer any system deployed on behalf of SPC. A list of assigned individuals or groups must be centrally maintained.
  3. Security must be considered at system inception and documented as part of the decision to create or modify a system.
  4. All systems must be developed, maintained, and decommissioned using a secure system development lifecycle (SSDLC).
  5. Each system must have a set of controls commensurate with the classification of any data stored on or passing through it.
  6. All system clocks must synchronize to a centralized reference time source set to UTC (Coordinated Universal Time), which is synchronized to at least three synchronized time sources.
  7. Environments and test plans must be established to validate that the system works as intended before deployment in production.
  8. Separation of environments (e.g., development, test, quality assurance, production) is required, either logically or physically, including separate environmental identifications (e.g., desktop background, labels).
  9. Formal change control procedures for all systems must be developed, implemented, and enforced. At a minimum, any change that may affect the production environment or production data must be included.

Databases and Software (including in-house or third-party developed and commercial off-the-shelf (COTS) software):

  1. Before being deployed in production, all software written for or deployed on systems must incorporate secure coding practices to avoid common coding vulnerabilities and be resilient to high-risk threats.
  2. Once test data is developed, it must be protected and controlled for the life of the testing by its classification.
  3. Production data may be used for testing only if a business case is documented and approved in writing by the information owner and the following controls are applied:
    1. All security measures, including but not limited to access controls, system configurations, and logging requirements for the production data, are applied to the test environment, and the data is deleted as soon as the testing is completed or
    2. sensitive data is masked or overwritten with fictional information.
  4. Where technically feasible, development software and tools must not be maintained on production systems.
  5. Where technically feasible, source code used to generate an application or software must not be stored on the production system running that application or software.
  6. Scripts must be removed from production systems, except those required for their operation and maintenance.
  7. Privileged access to production systems by development staff must be restricted.
  8. Migration processes must be documented and implemented to govern software transfer from the development environment to the production environment.

Network Systems:

  1. Connections between SPC and third party systems must be authorized by the executive management of all relevant entities and protected by implementing appropriate controls.
  2. All connections and their configurations must be documented, and the documentation must be reviewed by the information owner and the ISO or designated security representative annually, at a minimum, to ensure:
    1. the business case for the connection is still valid, and the connection is still required; and
    2. the security controls (filters, rules, access control lists, etc.) are appropriate and functioning correctly.
  3. A network architecture must be maintained that includes, at a minimum, tiered network segmentation between:
    1. Internet-accessible systems and internal systems;
    2. systems with high-security categorizations (e.g., mission-critical, systems containing PII) and other systems; and
    3. user and server segments.
  4. Network management must be performed from a secure, dedicated network.
  5. Authentication is required for all users connecting to internal systems.
  6. Network authentication is required for all devices connecting to internal networks.
  7. Only authorized individuals or business units may capture or monitor network traffic.
  8. A risk assessment must be performed in consultation with the ISO or designated security representative before initiating a significant change to any network technology or project, including, but not limited to, wireless technology.

9.    Collaborative Computing Devices (Webcam, Microphone)

  1. Collaborative computing devices must:
    1. prohibit remote activation; and
    2. provide users physically present at the devices with an explicit indication of use.
  2. Simple methods must be provided to physically disconnect collaborative computing devices.

10. Vulnerability Management

Associated Standard: Patch Management Standard: I-E(b)

Associated Standard: Vulnerability Scanning Standard: I-E(d)

  1. All systems must be scanned for vulnerabilities before being installed in production and periodically after that.
  2. All systems are subject to periodic penetration testing.
  3. Penetration tests are required periodically for all critical environments/systems.
  4. Where SPC has outsourced a system to a third party, vulnerability scanning/penetration testing must be coordinated.
  5. Scanning/testing and mitigation must be included in third-party agreements.
  6. The system owner will promptly review the output of the scans/penetration tests. Copies of the scan report/penetration test must be shared with the ISO or designated security representative for risk evaluation.
  7. Appropriate action, such as patching or updating the system, must address discovered vulnerabilities. A plan of action and milestones must be created and updated for any discovered vulnerability to document the remedial actions to mitigate vulnerabilities.
  8. Any vulnerability scanning/penetration testing must be conducted by individuals authorized by the ISO or designated security representative. The ISO must be notified of any such tests in advance. Any other attempts to perform such vulnerability scanning/penetration testing will be deemed an unauthorized access attempt.
  9. Anyone authorized to perform vulnerability scanning/penetration testing must have a formal process defined, tested, and followed at all times to minimize the possibility of disruption.

11. Operations Security

Associated Standard: Configuration Management Standard: I-E(a)

Associated Standard: Security Logging Standard: I-D(d)

Associated Policy: Cyber Incident Response Policy: I-F

Associated Policy: Access Control Policy: I-D

  1. All systems and the physical facilities where they are stored must have documented operating instructions, management processes, and formal incident management procedures related to information security matters that define the roles and responsibilities of affected individuals who operate or use them.
  2. System configurations must follow approved configuration standards.
  3. Planning and preparation must be performed to ensure adequate capacity and resources are available. System capacity must be monitored on an ongoing basis.
  4. Where SPC provides a server, application, or network service to another entity, all impacted entities must coordinate operational and management responsibilities.
  5. Host-based firewalls must be installed and enabled on all workstations to protect from threats and to restrict access to only that which is needed.
  6. Controls must be implemented (e.g., anti-virus, software integrity checkers, web filtering) across systems where technically feasible to prevent and detect the introduction of malicious code or other threats.
  7. Controls must be implemented to turn off automatic content execution from removable media.
  8. Controls must be implemented to limit information storage to authorized locations.
  9. Controls must be in place to allow only approved software to run on a system and prevent execution of all other software.
  10. All systems must be maintained at a vendor-supported level to ensure accuracy and integrity.
  11. All security patches must be reviewed, evaluated, and appropriately and promptly applied. This process must be automated where technically possible.
  12. Systems that can no longer be supported or patched to current versions must be removed.
  13. Systems and applications must be monitored and analyzed to detect deviation from the access control requirements outlined in this policy and the Security Logging Standard: I-D(d), and events must be recorded to provide evidence and reconstruct lost or damaged data.
  14. Audit logs recording exceptions and other security-relevant events must be produced, protected, and consistent with record retention schedules and requirements.
  15. Monitoring systems must be deployed (e.g., intrusion detection/prevention systems) at strategic locations to monitor inbound, outbound, and internal network traffic.
  16. Monitoring systems must be configured to alert incident response personnel to indications of compromise or potential compromise.
  17. Contingency plans (e.g., business continuity plans, disaster recovery plans, continuity of operations plans) must be established and tested regularly. At a se
    1. An evaluation of the criticality of systems used in information processing (including but not limited to software and operating systems, firewalls, switches, routers, and other communication equipment).
    2. Recovery Time Objectives (RTO)/Recovery Point Objectives (RPO) for all critical systems.
  18. Backup copies of SPC information, software, and system images must be taken regularly per the SPC’s defined requirements.
  19. Backups and restoration must be tested regularly. Separation of duties must be applied to these functions.
  20. Procedures must be established to maintain information security during an adverse event. For those controls that cannot be maintained, compensatory controls must be in place.


Compliance

This policy shall take effect upon publication. Compliance is expected with all enterprise policies and standards. Policies and standards may be amended at any time; compliance with amended policies and standards is expected.

If compliance with this standard is not feasible or technically possible, or if deviation from this policy is necessary to support a business function, entities shall request an exception through the Information Security Officer’s exception process.


Related Documents

TAC § 202 Subchapter C: Information Security Standards for Institutions of Higher Education

TAC § 202.70 - TAC § 202.77

Internal Revenue Service Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies

An index of approved SPC-IS policies can be found on the SPC Policies website at http://www.southplainscollege.edu/human_resources/policy_procedure/. The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.

Texas Security Controls Standards Catalog Control Group: PL10

NIST Function Groups: ID.AM-1, ID.AM-2, ID.AM-5, ID.AM-6, ID.RM-1, PR.AT-1, PR.DS-1, PR.DS-3, PR.DS-2, PR.IP-4, PR.PT-4, DE.CM-1, DE.DP-1, DE.DP-4