South Plains College

Information Services (SPC-IS)

 

Secure System Development Lifecycle Policy: I-E

Purpose and Benefits

While many consider information security a separate process, it is a business requirement that must be considered throughout the System Development Life Cycle (SDLC). This Secure System Development Life Cycle Standard defines security requirements that every SDLC must consider and address.

Computer systems and applications are created to address business needs. System requirements must be identified early and addressed as part of the SDLC to do so effectively. Failure to identify a requirement until late in the process can have significant repercussions on the success of a project and result in project delivery delays, deployment of an inadequate system, and even the project's abandonment. Furthermore, each phase through which a project passes without identifying and addressing a requirement, the more costly and time-consuming it is to fix problems due to the omission.

Information security must be adequately considered and built into every phase of the SDLC.  Failure to identify risks and implement proper controls can result in inadequate security, potentially putting entities at risk of data breaches, reputational exposure, loss of public trust, compromise to systems/networks, financial penalties, and legal liability.

Scope

This standard applies to all information systems developed by or on behalf of SPC. This includes server and network infrastructure, workstations, classroom technology, labs, sims, digital signage, access controls, cameras, IoT devices, and any other system that utilizes SPC enterprise systems to perform a function.

Information Statement

Security is a requirement that must be included in every phase of a system development life cycle (SDLC). An SDLC that provides for formally defined security activities within its phases is secure. Per the Information Security Policy, a secure SDLC must be utilized to develop all applications and systems.

An SDLC must contain the following security activities: These activities must be documented or referenced within an associated information security plan. The documentation must be sufficiently detailed to demonstrate the extent to which each security activity is applied. It must also be retained for auditing purposes.

  1. Define Security Roles and Responsibilities
  2. Orient Staff to the SDLC Security Tasks
  3. Establish a System Criticality Level
  4. Classify Information
  5. Establish System Identity Credential Requirements
  6. Establish System Security Profile Objectives
  7. Create a System Profile
  8. Decompose the System
  9. Assess Vulnerabilities and Threats
  10. Assess Risks
  11. Select and Document Security Controls
  12. Create Test Data
  13. Test Security Controls
  14. Perform Certification and Accreditation
  15. Manage and Control Change
  16. Measure Security Compliance
  17. Perform System Disposal

There is not necessarily a one-to-one correspondence between security activities and SDLC phases. Security activities often must be performed iteratively as a project progresses or cycles through the SDLC. Unless stated otherwise, the placement of security activities within the SDLC may vary per the SDLC being utilized and the security needs of the application or system. Appendix A:  Security Activities within the SDLC provides a sample correlation of security activities to a generic system development life cycle. Appendix B:  Description of Security Activities describes the above security considerations and activities.

Finally, it is important to note that the Secure SDLC process is comprehensive with the intention to assure due diligence, compliance, and proper documentation of security-related controls and considerations. Designing security into systems requires an investment of time and resources. The extent to which security is applied to the SDLC process should be commensurate with the classification (data sensitivity and system criticality) of the system being developed and the risks this system may introduce into the overall environment.  This assures value to the development process and deliverables.  Generally speaking, the best return on investment is achieved by rigorously applying security within the SDLC process to high-risk/high-cost projects. Where it is determined that a project will not leverage the complete Secure SDLC  process – for example, on a lower-risk/cost project, the rationale must be documented, and the security activities that are not used must be identified and approved as part of the formal risk acceptance process.

Note: Data classification cannot be used as the sole determinant of whether or not the project is low risk/cost.  For example, public-facing websites cannot be considered low-risk/cost projects even if all the data is public.  There is a risk of compromising the website to inject malware and compromise visitor’s machines or change the website's content to create embarrassment.

Compliance

This standard shall take effect upon publication. Compliance is expected with all enterprise policies and standards.  Policies and standards may be amended at any time; compliance with amended policies and standards is expected.

If compliance with this standard is not feasible or technically possible, or if deviation from this policy is necessary to support a business function, entities shall request an exception through the Chief Information Security Officer’s exception process.

Related Documents

1 TAC § 202.74 (a)(2)

 

NIST Special Publication 800-30, Guide for Conducting Risk Assessments

NIST Special Publication 800-53A, Guide for Assessing Security Controls in Information Systems & Organizations: Building Effective Assessment Plans

Texas Security Controls Standards Catalog Control Group: SA-3, SA-4, SA-11

NIST Function Groups: PR.AC-1, PR.AC-4, PR.DS-3, PR.IP-1, PR.PT-1

 

 

 

The table below shows the placement of security activities within the phases of a sample SDLC. The actual placement of security activities within the system development life cycle may vary in accordance with the actual SDLC being utilized in a project and the particular security needs of the application or system.  The NIST publications in the third column of this table are recommended documents to provide guidance in the placement and execution of security tasks within the system development life cycle. These documents are available from the NIST website (http://csrc.nist.gov/publications/PubsSPs.html).

 

            Figure A-1: Placement of Security Activities within SDLC Phases

NYS PMG

SDLC Phase

Security Activity

NIST Publications

System Initiation

·         Define Security Roles and Responsibilities

·         Orient Staff on the SDLC Security Tasks

·         Establish a System Criticality Level

·         Classify Information (preliminary)

·         Establish System Assurance Level Requirements

·         Establish System Security Profile Objectives (preliminary)

·         Create a System Profile (preliminary)

·         SP800-12

·         SP800-14

·         SP800-35

·         SP800-27

·         SP800-47

·         SP800-60

·         SP800-63

·         FIPS 199

System Requirements Analysis

 

·         Establish System Security Profile Objectives (iterative)

·         Classify Information (iterative)

·         Decompose the System (preliminary)

·         SP800-23

·         SP800-30

·         SP800-36

·         SP800-53

·         SP800-55

·         SP800-64

·         FIPS 140-2

System Design

 

·         Create a System Profile (iterative)

·         Decompose the System (iterative)

·         Assess Vulnerabilities and Threats (preliminary)

·         Assess Risks (preliminary)

·         Select and Document Security Controls (preliminary)

System Construction

 

·         Create test data

·         Assess Vulnerabilities and Threats (iterative)

·         Assess Risks (iterative)

·         Select and Document Security Controls (iterative)

·         Test security controls

·         SP800-35

·         SP800-36

·         SP800-37

·         SP800-51

·         SP800-53

·         SP800-53A

·         SP800-55

·         SP800-56

·         SP800-57

·         SP800-61

·         SP800-64

System Implementation

 

·         Measure security compliance

·         Document System Security Profile

·         Document Security Requirements and Controls

System Acceptance

 

·         Perform System Certification and Accreditation

Operations & Maintenance:

 

·         Measure security compliance (periodic)

·         Manage and control change

·         Perform System Certification and Accreditation (iterative)

·         SP800-26

·         SP800-31

·         SP800-34

·         SP800-37

·         SP800-53A

·         SP800-55

Disposition

·         Preserve information

·         Sanitize media

·         Dispose of hardware and software

·         SP800-12

·         SP800-14

·         SP800-35

·         SP800-36

·         SP800-64

 

 

 

 

  1. Define Security Roles and Responsibilities

Security roles must be defined, and each security activity within the SDLC must be clearly assigned to one or more security roles. These roles must be documented and include the persons responsible for the security activities assigned to each role. Appendix C:  Security Roles within the SDLC provides guidelines for defining security roles and assigning security activities to roles.

  1. Orient Staff to the SDLC Security Tasks

All parties involved in the execution of a project’s SDLC security activities must understand the purpose, objectives and deliverables of each security activity in which they are involved or for which they are responsible.

  1. Establish System Criticality Level

When initiating an application or system, the criticality of the system must be established. The criticality level must reflect the business value of the function provided by the system and the potential business damage that might result from a loss of access to this functionality.

  1. Classify Information

As per the Information Security Policy, all information contained within, manipulated by or passing through a system or application must be classified. Classification must reflect the importance of the information’s confidentiality, integrity and availability.

  1. Establish System Identity Credential Requirements

All applications or systems which require authentication must establish a user identity credential. The identity credential must reflect the required confidence level that the person seeking to access the system is who they claim to and the potential impact to the security and integrity of the system if the person is not who they claim to be.   

  1. Establish System Security Profile Objectives

When initiating an application or system, the security profile objectives must be identified and documented. These objectives must state the importance and relevance of identified security concepts (Appendix D: Security Concepts) to the system and indicate the extent and rigor with which each security concept is to be built in or reflected in the system and software. Each security concept must be considered throughout each life cycle phase and any special considerations or needs documented.

The purpose behind establishing system security profiles and monitoring them throughout the lifecycle is to be actively aware of the relative priority, weight and relevance of each security concept at each phase of the system’s life cycle. Entities must verify that the security profile objectives adequately consider all federal, state and external security mandates for which the system must be compliant.

  1. Profile the System

The system or application being developed must be iteratively profiled by technical teams within the SDLC. A system profile is a high-level overview of the application that identifies the application’s attributes such as the physical topology, the logical tiers, components, services, actors, technologies, external dependencies and access rights. This profile must be updated throughout the various phases of the SDLC.

  1. Decompose the System

The system or application must be decomposed into finer components and its mechanics (i.e. the inner workings) must be documented. This activity is to be iteratively performed within the SDLC.  Decomposition includes identifying trust boundaries, information entry and exit points, data flows and privileged code. 

  1. Assess Vulnerabilities and Threats

Vulnerability assessments must be iteratively performed within the SDLC process. Threat assessments must consider not only technical threats, but also administrative and physical threats that could have a potential negative impact on the confidentiality, availability and integrity of the system. Threat assessments must consider and document the threat sources, threat source motivations and attack methods that could potentially pose threats to the security of the system.

Threat assessments must adhere to all relevant state and federal mandates to which the entity must comply and follow industry best practices including the documentation of the assessment processes. Threat assessments and the underlying threat modeling deliverables that support the assessment must also be fully documented. Appendix E: Threat and Risk Assessment Resources includes a list of recommended resources for performing threat assessments.

  1. Assess Risk

Risk assessments must be iteratively performed within the SDLC process.  These begin as an informal, high-level process early in the SDLC and become a formal, comprehensive process prior to placing a system or software into production.

All realistic threats and vulnerabilities identified in the threat assessments must be addressed in the risk assessments. The risk assessments must be based on the value of the information in the system, the classification of the information, the value of the business function provided by the system, the potential threats to the system, the likelihood of occurrence, the impact of the failure of the system and the consequences of the failure of security controls.

All identified risks are to be appropriately managed by avoiding, transferring, accepting or mitigating the risk. Ignoring risk is prohibited. Risk assessments must adhere to all relevant state and federal mandates that the entity must document and be compliant.

The risk assessments must be periodically reviewed and updated as necessary whenever the underlying threat assessment is modified or whenever significant changes are made to the system. Appendix E: Threat and Risk Assessment Resources includes a list of recommended resources for performing risk assessments.

  1. Select and Document Security Controls

Appropriate security controls must be implemented to mitigate risks that are not avoided, transferred or accepted. Security controls must be justified and documented based on the risk assessments, threat assessments and analysis of the cost of implementing a potential security control relative to the decrease in risk afforded by implementing the control.

Documentation of controls must be sufficiently detailed to enable verification that all systems and applications adhere to all relevant security policies and to respond efficiently to new threats that may require modifications to existing controls.

Residual risk must be documented and maintained at acceptable levels. A formal risk acceptance, with executive management sign-off, must be performed for medium and high risks that remain after mitigating controls have been implemented.

Security control requirements must be periodically reviewed and updated as necessary whenever the system or the underlying risk assessment is modified.

  1. Create Test Data

A process for the development of significant test data must be created for all applications. A test process must be available for applications to perform security and regression testing.

Confidential production data should not be used for testing purposes. If production data is used, entities must comply with all applicable federal, state and external policies and standards regarding the protection and disposal of production data.

  1. Test Security Controls

All controls are to be thoroughly tested in pre-production environments that are identical, in as much as feasibly possible, to the corresponding production environment. This includes the hardware, software, system configurations, controls and any other customizations.

The testing process, including regression testing, must demonstrate that all security controls have been applied appropriately, implemented correctly and are functioning properly and actually countering the threats and vulnerabilities for which they are intended. The testing process must also include vulnerability testing and demonstrate the remediation of critical vulnerabilities prior to placing the system into production. 

Appropriate separation of duties must be observed throughout the testing processes such as ensuring that different individuals are responsible for development, quality assurance and accreditation.

  1. Perform Accreditation

The system security plan must be analyzed, updated, and accepted by executive management.

  1. Manage and Control Change

A formal change management process must be followed whenever a system or application is modified in order to avoid direct or indirect negative impacts that the change might impose. The change management process must ensure that all SDLC security activities are considered and performed, if relevant, and that all SDLC security controls and documentation that are impacted by the change are updated.

  1. Measure Security Compliance

All applications and systems are required to undergo periodic security compliance assessments to ensure they reflect a security posture commensurate with the definition of acceptable risk. Security compliance assessments must include assessments for compliance with all federal, state and external compliance standards for which the entity is required to comply.  

Security compliance assessments must be performed after all system and application changes and periodically as part of continuous system compliance monitoring.

  1. Perform System Disposal

The information contained in applications and systems must be protected once a system has reached end of life. Information must be retained according to applicable federal and state mandates or other retention requirements. Information without retention requirements must be discarded or destroyed and all disposed media must be sanitized in accordance with applicable federal and state standards to remove residual information.

 

Responsibility for each security activity within the SDLC must be assigned to one or more security roles. To accomplish this, the default definition of an SDLC role may be expanded to include security responsibilities and/or new security roles may be defined to encompass security activities. In all cases, the assignment of security activities to roles, and the identification of persons given responsibility for these roles, must be clearly documented.

For the purpose of utilizing a consistent definition of roles across various SDLC’s, it is highly recommended that entities utilize as guidelines the National Institute of Standards and Technology (NIST) publications . Of specific relevance to the definition of roles and SDLC frameworks are:

 

The makeup of a system and software from a security perspective is its security profile and includes the following security concepts, which must be considered and documented as part of a Secure SDLC process.

 

      Figure D-1: Security Concepts

Concept

Description

Confidentiality

Protect against unauthorized information disclosure

Integrity

Protect against unauthorized, unintentional or incorrect modification of software or data.

Availability

Ensure the availability of systems and information.

Authentication

The process of establishing confidence in the identity of users or information systems.

Authorization

Establish access rights to resources.

Auditing/Logging

Build a historical record of user actions and of critical system processes.

Session Management

Ensure that a session maintains the confidentiality and integrity of the information exchanged between a system and an authenticated user.

Errors and Exception Management

Ensure that unintended and unreliable system behavior is securely handled.  This helps ensure protection against confidentiality, integrity and availability threats.

Configuration Parameters Management

Ensure that the configurable parameters that are needed for software or a system to run are adequately protected.

Least Privilege

Assign only the minimum allowable rights to a subject that requests access to a resource for the shortest duration necessary.

Separation of Privilege

Ensure that multiple conditions are met before granting permissions to an object.

Defense in Depth

Layer security defenses in an application to reduce the chance of a successful attack.

Failing Securely

Ensure the confidentiality and integrity of a system remains intact even though system availability has been lost due to a system failure.

Economy of Mechanisms

Keep the system implementation and design as simple as possible.

Complete Mediation

Require access checks to an object each time a subject requests access, especially for security-critical objects.

Open Design

Use real protection mechanisms to secure sensitive information; do not rely on an obscure design or implementation to protect information (otherwise known as “security through obscurity”).

Least Common Mechanisms

Avoid having multiple subjects share mechanisms to grant access to a resource.

Psychological Acceptability

Ensure that security functionality is easy to use and transparent to the user.

Leveraging Existing Components

Promote the reusability of existing components. Reuse proven and validated code and standard libraries rather than creating custom code.

Weakest Link

Identify and protect a system’s weakest components.

Single Point of Failure

Eliminate any single source of complete compromise.

 

Information concerning these concepts is publically available at the US Department of Homeland Security (DHS) Office of Cyber Security and Communications sponsored website at https://buildsecurityin.us-cert.gov.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

In order to assure alignment with business compliance mandates, and help assure efficient and effective delivery of security services, the use of industry-recognized standards related to risk-based frameworks and secure system development life cycle practices are recommended.

In particular, the use of NIST standards is highly recommended, especially for entities required to comply with federal security mandates. The following NIST publications provide recommended guidance for implementing risk management frameworks and performing threat and risk assessments.

 

NIST publications are available at the National Institute of Standards and Technology website (http://csrc.nist.gov/publications/PubsSPs.html).

 

 

 

 

 

 

 

Section A: District Legal Status, History and Purpose

AA. College District Legal Status and History (BP)
AB. College Name (BP)
AC. System of Governance (BP)
AD. College District Geographic Boundaries and Service Area (BP)
AE. Educational Role and Mission, Purpose and Responsibility (BP)
AF. Vision Statement and Organizational Values

Section B: Governance, Executive Functions and Organization

BA.   Purpose, Powers and Responsibilities of the Board
BAB. Specific Duties of the Board (BL)
BAC. Rights and Responsibilities of the Board (BL)
BB.   Eligibility and Qualifications for Serving on the Board of Regents (BL)
BBA. Election of Board Members (BL)
BBB. Orientation and Professional Development of Board Members (BL)
BBC. Election of Board Officers (BL)
BBD. Duties of the Chairman of the Board (BL)
BBE. Duties of the Vice Chairman (BL)
BBF. Duties of the Secretary (BL)
BC.   Regular Board Meetings (BL)
BCA. Special Meetings (BL)
BCB. Official Business at Regular and Special Meetings (BL)
BCC. Quorum Necessary for Transaction of Business (BL)
BCD. Order of Business (BL)
BCE. Rules of Order (BL)
BCF. Public Participation (BL)
BCG. Board Self Evaluation
BD.   Board Committees (BL)
BE.   Conventions, Conferences and Workshops (BP)
BF.   Policy and By-Law Development (BP)
BFA. Amendments to the By-Laws (BL)
BG.  Board Member Statement of Ethics
BGA. Standards of Conduct and Conflict of Interest
BGAA. Conflict of Interest Disclosure
BGB. Code of Ethics (BP)
BH.  Board Vacancies
BHA. Removal from Office
BI.   Employment of the College President (BL)
BIA. Qualifications of the President (BP)
BIB. The College President as the Executive Officer (BP)
BIC. Evaluation of the President (BP)
BID. Administrative Organization Plan (BP)
BIDA. College Organizational Chart (PDF file opens with Acrobat Reader, 380kb)
BIE. Administrative Rules and Regulations (BP)
BIF. Planning and Institutional Effectiveness (BP)
BJA. Employment of Independent Auditor (BP)
BJB. Employment of College Attorney (BP)
BJC. Selection of Chief Tax Officials (BP)
BK. Relationship between South Plains College and the South Plains College Foundation, Inc. (BP)
BKA. Foundation Administration and Investment of Funds (BP)
BKB. Use of Employees or Property of the College by the Foundation (BP)
BKC. Officer/Director of the College (BP)
BKD. Acceptance of Gifts by the College (BP)
BL. Accreditation (BP)
BLA. Substantive Change

Executive Officers of the College
BMA. Vice President for Academic Affairs
BMB. Vice President for Student Affairs
BMC. Vice President for Business Affairs
BMD. Vice President for Institutional Advancement
Instructional Deans of the College
BME. Dean of Arts and Sciences
BMF. Dean of Health Sciences
BMG. Dean of Technical Education
BMH. Dean of Dual Credit & Early College Programs
Student Services Deans of the College
BMI. Dean of Enrollment Services
BMJ. Dean of Students
BMK. Associate Dean of Students
BN.   Executive Council
BO.  Administrative Council
BP.  Advisory Board By-Laws
BQ. Technical Advisory Committee By-Laws

Section C: Business Services

CA. The College Budget (BP)
CB. Purchase of Supplies and Equipment for the College (BP)
CBA. Purchasing Operating Policy
CBB-E. Price Quote/Bid Certificate
CBC. Food Purchase Policy
CBE. Procurement Card Policy
CBF. Computer and Electronic Device Aquisition Policy
CC. Service and Repair of College Equipment
CD. Use of College Facilities
See Policy GD Use of College Facilities, Including Athletic and Recreational Facilities (BP)
CE. Monthly Salary Payments
See Policy DR Compensation Schedule and Options (BP)
CF. Removal of College Property from Campus
See Policy GDB Loan or Rental of College-Owned Equipment and Tools (BP)
CG. Travel Policies and Procedures
CGC-E. Travel Report-Technical Division
CGD. Vehicle and Bus Driver Policy
CGE. Travel Card Guide
CH. Joint Property Rights
CI. Telephone/Voice Mail Use
CIA. Guidelines for Setting up Voice Mail
CI.28 Privacy Policy
CI.28.1 Web Site Privacy
CI.28.2 Merchant Card Policy
CJ. Technology Acceptable Use Policy
CJ-E. E-mail Application
CJA. Electronic Messaging (all@SPC) Policy
CK. College Depository
CL. Disposal of Property
CM. Records Management Program
CMA. Records Management Schedule
CMB. Records Management of Deceased Person
CN. Internal Audits
CO. Collection of College Funds
CP. Inventory of College Equipment
CQ. Investment Management (BP)
CR. Architectural Styling, Naming of Buildings and Plaques
CRA. Naming of Buildings and College Property
CS. Financial Management of Grant Funds

Section D: Personnel

DA. Affirmative Action Plan (BP)
DAA. Americans with Disabilities Act
DB. Non-Discrimination Policy (BP)
DBA. Protection of Rights and Development
DBC. Conflict of Interest Policy
DBC-E. Disclosure Form
DBD. Intellectual Property Policy
DBDA. Student Intellectual Property Rights
DBE.  Copyright/Patent Fair Use Policy
DC. Grievance Procedure
DD. Replaced by DDA
DDA. Sexual Harassment Policy
DDB. Racial Harassment Policy
DDC. Due Process (Dismissal/Non-Renewal)
DDD. Corrective Action
DDE. Employee Conduct and Work Rules
DDEA. Smoking in the Workplace (See Policy GF)
DDF. Personal Appearance
DDG. Workplace Violence/Firearms (See Policy HHA)
DE. Substance Abuse Policy
DEA. Substance Abuse Program Implementation
DF. Employment Procedures
DFA-E. Personnel Requisition
DFB-E. Personnel Action Form
DFD-E. Affirmative Action Letter
DFE-E. Employment Application
DFEA-E. Supplement to Professional Application
DFF-E. Approval Notice and Status Change Notice
DFG-E. Application for Classified Positions
DFH-E. Part-Time Teaching Applicants
DFJ. Nepotism (BP)
DFK-E. Oath of Office Form
DFL. Definitions of Employment Status
DGA. Personnel Records and Privacy
DH. Employee Benefits Plan (BP)
DHA. Employee Benefits Program
DHAA. Sick Leave
DHB. Worker Compensation and Sick Leave
DHBA. Maintaining a Safe Work Environment
DHBB. Accident/Injury Reports
DHC. Disability Policy (BP)
DHDA. Family and Medical Leave of Absence
DHDA-E. FLMA Checklist
DHE. Personal Leave
DHF. Bereavement Leave
DHG. Professional Development Travel (BP)
DHGA. Professional Leave Approval
DHH. Professional Development Leave, Faculty (See Section 5.4 of Faculty Handbook)
DHI. Leave of Absence (BP)
DHJ. Military Leave (BP)
DHK. Vacations
DHL. Jury Duty
DHM. Group Insurance
DHN. Tax Sheltered Annuity
DHNA. South Plains College Pension Trust Fund
DHOA. Payroll Deduction
DHP. Definitions of Payroll/Personnel Actions
DI. Retirement Policies
DIA. Texas Teacher Retirement System
DIB. Optional Retirement Program (BP)
DIC. Medical Benefits Following Retirement
DID. Retirement Recognition
DIDA-E. Retirement Award
DIE. Retiree use of College Facilities
DL. Outside Employment of Faculty and Staff (BP)
DM. University Interscholastic League (UIL) Assignments and Responsibilities
DN. Parking Regulations
DO. Facility Access
DOA-E. South Plains College Key Request Form
DP. Building Security
DQ. Personnel Classifications
DQA. Employee Handbook, General
DQG. Handbook Supplement, Classified Part-Time (Class A)
DQH. Handbook Supplement, Classified Part-Time (Class B)
DQI. Handbook Supplement, Classified Full-Time (Class C)
DQJ. Handbook Supplement,  Maintenance and Custodial Personnel
DQK. Handbook Supplement, Police Officers
DQL. Handbook Supplement, Dorm Supervisor
DR. Compensation Schedule and Options (BP)
DRA. Salary Increases and Supplements (BP)
DRB. Holidays
DRC. Supplemental Pay Procedure for Exempt Employees
DRC-E. Exempt Employee Supplemental Pay Form
DTA. Evaluations- Administrators and Supervisors
DTA-E. Administrators and Supervisors Process Form
DTB. Faculty (See Section 3.4 Evaluation, Faculty Handbook)
DTC. Administrative Assistants and Clerks
DTC-E1. Personnel Assessment Process Form
DTC-E2. Physical Plant Personnel Performance Evaluation
DUA. Employee Service Awards
DXA. Exit Interviews
DXA-E. Employee Exit Interview Form
DY. Food and Drinks in Classrooms and Laboratories
DZ. Solicitation and Distribution

Section E: Faculty and Instruction

EA. Academic Freedom and Tenure (BP)
EB. Curriculum and Courses of Study (BP)
EC. Bible Instruction (BP)
ED. Honorary Degrees (BP)
EE. Faculty Handbook (BP)
EEA. Online Faculty Handbook

Section F: Student Information

FA. Admission to the College (BP)
FAA. Admission of International Students (BP)
FAB. Degree Limitation Statement
FAC. Academic Appeals Procedure
FAD. Student Records
FADA. Student Identification Number
FADB. Student Identity Verification
FB. Student Clubs and Organizations (BP)
FBA. Student Activities
FBAA. Calendar of Student Events
FBAB. Posting of Announcements and Signs
FBC. Student Newspaper (BP)
FBCA. Editorial and Advertising, Student Publications
FBD. On-Campus Speakers (BP)
FC. Intercollegiate Athletics (BP)
FCA. College Mascot (BP)
FCB. College Colors (BP)
FD. In-District Tuition (BP)
FDA. Waiver of Nonresident Tuition (BP)
FE. Travel by Student Groups
FF. Student Conduct and Discipline
FG. Student Substance Abuse Policy
FH. Sexual Harassment Policy
FI. Campus Assessment, Response and Evaluation (CARE) Team
FJ. Freedom of Expression Policy
FM. Student Grievance Procedure
FN. Compulsory Insurance for Students (BP)
FNA. Health Services
FO. Student Housing Policy (BP)
FOA. Student Housing Policy
FOB. Temporary Housing Assistance for Certain Students
FOC. Residential Housing Missing Student Notification Policy and 
         Procedures
FP. Services for Students with Disabilities
FQ. Annual Public Notice
FR. Student Financial Aid
FS. Student Counseling Center
FT. Learning Resources
FW. Texas Success Initiative (TSI)
FX. Student Correspondence Policy (Student E-Mail)
FY. Absences for Military on Active Duty
FZ. Student Death 
FZA. Student Death Protocol

Section G: Community and Government Relations

GA. Media Relations
GC. Publications and Printing Policy
GD. Use of College Facilities, Including Athletic and Recreational Facilities (BP)
GDA. Use of Facilities in Time of Disaster (BP)
GBD. Loan or Rental of College-Owned Equipment and Tools
GDC. Facility Rental Policies
GE. Use of College Food Service (BP)
GF. Smoke Free Environment
GG. Communicable Disease Policy
GH. Senior Citizens Benefits
GI. Public Complaints and Hearings (BP)
GN. Camp Programs for Minors

Section H: Support Services

HA. Library
HB. Marketing and Communications
HBA. Planning Guide for Printing, Publications, and Web Pages
HBB. College Business Cards
HC. Continuing Education
HD. Administrative Computer Center
HE. Bookstore
HF. College Post Office
HG. Maintenance/Custodial Services
HH. Campus Security
HHA. Workplace Violence and Unauthorized Weapons
HHB. Annual Disclosure of Crime Statistics
HHC. Concealed Carry of Handguns on Campus
HHD. Campus Security Camera Acceptable Use
HHE.  Campus Security Authorities (CSA)
HHF. Violent Intrusion/Action Defense Preparations
HHG. Mass Communication
HHH. Safety Program Emergency Plans and Alerts
HI. Health/Wellness Services-Levelland Campus
HJ. Food Service-Levelland Campus
HK. Severe Weather Procedures
HL. Copy Center and Reproduction Procedures
HM. College Vehicles
HN. College Web Site Policy
HO. College Stationery Policy
HP. College Logos
HQ. Photography Service
HR. Office of Human Resources
HS. Office of Development
HSA. Fundraising, Solicitation and Grant Writing
HSA-E. Fundraising Activity Approval Form
HSAA. Acceptance of Non-Cash Gifts
HSAA-E. Non-Cash Gift Acceptance Form
HT. New Student Relations
HU. Financial Aid Lender Relations Institutional Code of Conduct

Section I: Information Services

IA. Policy Compliance
IB. User Accounts Management Policy
IB-A. Data Security Risk Management
IB-B.Data-Classification-Standard
IB-C. Encryption-Standard
IC. Acceptable Use Policy
ID. Access Control Policy
ID-A. Account Management Access Control
ID-B. MFA Policy
ID-C. Auditing and Accountability 
ID-D. Security Logging Standard
ID-E. Remote Access Standard
ID-F. Wireless Network Security
IE. Secure-System-Development
IE-A. Configuration Management
IE-B. Patch Management Policy
IE-C. Secure Configuration Standard
IE-D. Vulnerability Scanning
IE-E. Sanitization Secure Disposal
IE-F. Secure Coding Standard
IF. Incidnet Response Policy
IF-A. Cyber Incident Response
IG. Security Awareness and Training
IH. Physical and Environmental Protection