SECURITY, BANNER POLICY
This document provides a general framework of the policy utilized by Georgia College & State
University (GCSU) with the assistance of the Board of Regents, Office of Information and
Instructional Technology (USG OIIT) to assure security of information and/or systems associated
with the Banner Student Information System. These are basic components, procedures, and
general guidelines for dealing with computer and network security, as well as personal
responsibilities of the employee and supervisor. Through this policy GCSU and the University
System of Georgia (USG) strive to minimize security vulnerabilities.
Access authorization gives the “User” the right to certain access privileges to information contained
in the Banner Student Information System for GCSU. Access granted to the User does not imply
any job or information privileges beyond those stipulated in the position employment agreement or
by GCSU policies and/or procedures.
The following information regarding access rights and privileges applies to all student information
regardless of its form (automated, paper, electronic, etc.). In all circumstances, users are
expected to follow GCSU policy and/or state and federal regulations regarding access and rights
to the institution’s student information.
RESPONSIBILITIES AND AUTHORITY - GEORGIA COLLEGE & STATE
The GCSU staff is responsible for all data entry, end-user access authorization and security, file
server maintenance, application of all patches and updates as provided by USG OIIT, and the
maintenance and security of the client software and office workstations used to access the Banner
CHIEF INFORMATION OFFICER
The president of the university, through the university’s Technology Security Incident Response
Plan, has delegated the responsibility and necessary authority to the Chief Information Officer
(CIO) to assure that critical data and the network infrastructure of the university are secure. The
CIO, or his designee, shall be the single point of contact for reporting any incident. Upon
consultation with appropriate key members of the university’s Computer Incident Response Team
(CIRT), the CIO, or a designee, shall have the authority to, without notice, shut down or remove
from the network any suspect enterprise or office level equipment, terminate any process deemed
hazardous, confiscate any equipment that may be involved in an incident or prohibit an individual
from shutting down a suspect piece of equipment if deemed necessary for an investigation.
ASSISTANT VICE PRESIDENT FOR ENROLLMENT MANAGEMENT
The Assistant Vice President for Enrollment Management is the primary authority for access to the
Banner Student Information System data by GCSU staff. The Associate Vice President for
Enrollment Services, or his designee, must approve the level of access to the Student Information
System before a user id and password are created for the employee.
The Database Administrator is responsible for the application of software upgrades and patches as
provided by the USG and back-ups of the local database server. The Database Administrator acts
as the first step of security by creating user ids and passwords to access the local file servers. The
Database Administrator is also responsible for the creation and deletion of user ids to access
specific data relative to the position occupied by the employee and approved by the appropriate
Director. The creation of a specific unique user id and password allows access to the Banner
databases and is the second step in the security process.
TECHNICAL PROJECTS MANAGER
The Technical Projects Manager is the primary contact for working with the USG for problem
resolution with Banner issues.
All Software Developers work with end users to provide additional processes outside of baseline
Banner to better serve the faculty, staff and students at GCSU.
TECHNICAL SUPPORT SPECIALIST
All technical support work required on office workstations that provide Banner access is
performed by a limited number of experienced, higher seniority level employees. It is against the
university’s service policy to assign entry-level or student workers to support tasks.
RESPONSIBILITIES AND AUTHORITY – UNIVERSITY SYSTEM OF GEORGIA
USG staff is responsible for providing upgrades and patches of software for the Banner Student
Information System that have been released from SCT and tested at their location. Additional
information on the responsibilities and authority may be obtained by contacting the Executive
Director for Enterprise Application Systems.
EXECUTIVE DIRECTOR, ENTERPRISE APPLICATION SYSTEMS
The Executive Director reports to the Vice Chancellor and Chief Information Officer of the USG’s
Information Technology Division. In this role, the Executive Director is responsible for assuring the
staff of EAS supports the mission and business model of the USG in regard to Banner.
USG OIIT HELPDESK
The USG OIIT Helpdesk Remedy Work Order System is available for problems/issues that cannot
be resolved on campus first. The GCSU policy stipulates that the requests for assistance be
coordinated through the Data Management Director. The GCSU Data Management Director then
requests assistance from the OIIT Helpdesk by phone or by e-mail.
Information Analysts are assigned work orders received by the OIIT Helpdesk Remedy Work Order
System. The Information Analysts contact the Data Management Director through e-mail or a
telephone call to resolve issues that have been reported.
GCSU SERVER ROOM
The primary and secondary local GCSU database and web servers are housed in a locked secure
server room. The room design includes a UPS system to support the entire room and a backup
generator. The room is equipped with dry pipe fire suppression. The independent air conditioning
unit incorporates a warning system that pages Physical Plant personnel if the ambient temperature
reaches a threshold level of 80 degrees Fahrenheit. The windows are protected with bars and the
glass is protected with a Kevlar coating.
GCSU OFFICES AND WORKSTATIONS
Each client machine is located in a securable office. Employees are required to lock the office when
the area is unattended. Each employee using a client machine is required to log into a Windows
domain for authentication. The Systems Administrator creates the domain user id and password
(see section 3.2). The user then enters a different application user id and password to access the
Banner system as created by the Database Administrator (see section 3.3). The user is required to
change the application password at the time of their first log in to the system. Subsequently, each
user is required to change their application password upon notification. This process is performed
once every 3 months or as needed to assure security.
SERVER ACCESS SECURITY
Passwords for the GCSU Banner Servers are random eight-character strings. They are changed at
least once every three months. Physical access to the servers is limited to
GCSU's IT staff. It is against the university’s policy to assign entry-level or student workers to
support tasks within the main server rooms without direct supervision.
ACCESS AUTHORIZATION PROCEDURES
Employees are granted access to the GCSU Student Information System only if deemed necessary
to perform their job duties as described in the job description for each position. Authorization is
granted by the appropriate Director at the request of the senior administrator responsible for the
supervision of the employee. Background checks are conducted on employees prior to extending
job offers and any history of violations with regard to technology security issues will be
investigated before the applicant is considered a viable candidate.
The Director contacts the GCSU SERVE Helpdesk to request the appropriate access giving the
employee’s name, the rights and privileges needed by the employee, and the employee’s contact
information. An official work order is generated.
SYSTEMS ADMINISTRATOR – USER ID AND PASSWORDS
The Systems Administrator creates a user id and password providing access only to the local file
server. The user id and password are written to a secure administrative server with restricted
lookup access available to the GCSU Technical Support Specialist for use in configuring the client
workstation software. A second work order is generated to have the user’s workstation configured
to access the local server and a technician is assigned. The user is required to complete an on-line
course reviewing the End User Responsibilities (see section 3.5). The user must score 100% on
the quiz before receiving their user id and password. Once the quiz has been successfully
completed, the user is contacted in person with the information and instructions to change the
password upon their first log in to the system. On an annual basis or as needed to assure
compliance with University Banner security policies, a general review and discussion session is
required of all employees that have been granted access to the Banner Student Information
The Database Administrator subsequently creates a unique user id and password to access the
Banner database with the requested permissions described by the Director. It is against University
Policy to assign generic user id and/or password access.
USER ID AND PASSWORD DEACTIVATION
Upon termination of employment or reassignment of job responsibilities, the employee’s user ids
and passwords are made unusable in compliance with the GCSU Employee Deactivation Security
END USER RESPONSIBILITIES
The authorized user shall:
• Keep any account authentication information in a secure place.
• Not permit any other person to use the account for any purpose whatsoever.
• Use all necessary precautions to safeguard confidentiality of the associated password and
discuss that password with only a GCSU IT employee who has shown their identification
• Change the password when directed to comply with scheduled security reviews.
• Notify the Office of the CIO immediately if the password may have been compromised
• Direct individuals with a formal request for information, Subpoena or Court Order to the
University’s Legal Affairs Office using appropriate channels.
• Be accountable for any and all improper use of this account.
• Not use an access account and password belonging to someone else.
• Not leave the Student Information System running on any computer while not in
• Acknowledge that when no longer an employee of the University in the current position,
authorization to use the account will be terminated.
• In the event of employment in another university position, refrain from using facilities,
accounts, access codes, privileges, or information for which you are not authorized.
Family Educational Rights and Privacy Act of 1974 (FERPA)