- Home
- /
- Board Policy and Administrative Procedures
- /
- Section C: Business and Support Services
- /
- Section CN.1
- /
Section C: Business and Support Services
- Section CA: Appropriations and Revenue Sources
- Section CAA: Appropriations
- Section CAB: Bond Issue
- Section CAC: Time Warrants
- Section CAD: Certificates of Indebtedness
- Section CAE: Loans and Notes
- Section CAF: Ad Valorem Taxes
- Section CAG: Investments
- Section CAH: Sale, Trade or Lease of College Property
- Section CAH.1: Sale, Trade or Lease of College Property
- Section CAI: Grants, Funds and Donations
- Section CAI.1: Grant Management Procedures
- Section CAJ: Rentals and Service Charges
- Section CB: Depository of Funds
- Section CC: Annual Operating Budget
- Section CD: Accounting
- Section CD.1: Accounting
- Section CD.2: Cash Handling Procedures
- Section CD.3: Fixed Assets
- Section CD.4: Financial Reports and Statements
- Section CD.5: Accounting Inventories
- Section CD.6: Accounting Audits
- Section CD.7: Accountability
- Section CD.8: Travel Procedures
- Section CD.9: Taxation of Gifts, Prizes, and Awards to Employees
- Section CE: Purchasing and Acquisitions
- Section CF: Safety Program
- Section CG: Site Management
- Section CH: Equipment, Supply and Records Management
- Section CI: Transportation Management
- Section CJ: Insurance and Annuities
- Section CK: Facilities Planning and Standards
- Section CL: College District Auxiliary Enterprises
- Section CM: Technology Resources
- Section CN: Information Security
- Section CO: Intellectual Property
Section CN.1
Business and Support Services
Information Security
Procedure
Oversight
Abbreviations
This document uses abbreviations and acronyms that are expanded on first use and listed below to support readability and accessibility.
-
Chief Information Officer (CIO)
-
Information Security Officer (ISO)
-
Texas Administrative Code (TAC)
-
Texas Department of Information Resources (DIR)
-
Texas Risk and Authorization Management Program (TX-RAMP)
-
Information Technology (IT)
-
Student Information System (SIS)
-
Customer Relationship Management (CRM)
-
Human Resources (HR)
-
Vice President of Academic Affairs (VPAA)
-
Learning Management System (LMS)
-
Identify and Access Management (IAM)
-
Single Sign-On (SSO)
-
Security Information and Event Management (SIEM)
-
Disaster Recovery (DR)
-
Satisfactory Academic Progress (SAP)
-
Free Application for Federal Student Aid (FAFSA)
-
Texas Application for State Financial Aid (TAFSA)
-
Texas Success Initiative (TSI)
The Chief Information Officer (CIO) shall appoint or serve as the College's Information Security Officer (ISO). It shall be the duty of the Chief Information Officer to:
-
Allocate resources for ongoing information security remediation, implementation, and compliance activities that reduce risk to a level acceptable to the institution head;
-
Ensure that senior institution of higher education officials and information-owners, in collaboration with the Information Resources Manager and Information Security Officer, support the provision of information security for the information systems that support the operations and assets under their direct or indirect (e.g. cloud computing or outsourced) control;
-
Ensure that the institution of higher education has trained personnel to assist the institution of higher education in complying with the requirements of Chapter 202 and related policies;
-
Ensure that senior institution of higher education officials support the institution of higher education's Information Security Officer in developing, at least annually, a report on the institution of higher education's information security program, as specified in Texas Administrative Code, Title 1 (1 TAC) 202.71(b)(10) and 202.73(a);
-
Approve high residual risk management decisions as required by Texas Administrative Code, Title 1 (1 TAC) 202.75(4);
-
Review and approve at least annually the institution of higher education's information security program required under Texas Administrative Code, Title 1 (1 TAC) 202.74; and
-
Ensure that information security management processes are part of the institution of higher education's strategic planning and operational processes.
Information Security Officer
The Information Security Officer shall report to executive level management, has explicit authority for information security for the entire agency, possesses the training and experience required to ensure the agency complies with requirements and policies established by the Texas Cyber Command, and to the extent feasible, has information security duties as that officer's primary duty.
Information Security Program
The Chief Information Officer (CIO) shall approve the districts Information Security Program under Texas Administrative Code, Title 1 (1 TAC) 202.70, that includes protections, based on risk, for all information and information resources owned, leased, or under the custodianship of any department, operating unit, or employee of the institution of higher education including outsourced resources to another institution of higher education, contractor, or other source (e.g. cloud computing). The program shall include:
-
Periodic assessments in alignment with minimum legal reporting requirements of the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information, information systems, and applications that support the operations and assets of the institution of higher education;
-
Policies, controls, standards, and procedures that:
-
Are based on the risk assessments required by 1 TAC 202.75;
-
Cost-effectively reduce information security risks to a level acceptable to the institution head;
-
Ensure that information security is addressed throughout the life cycle of institution of higher education information resources; and
-
Ensure compliance with the requirements of 1 TAC Chapter 202, Subchapter C; minimally acceptable system configuration requirements, as determined by the institution of higher education; and the control catalog published by the Department of Information Resources (DIR).
-
-
Strategies to address risk to high-impact information resources;
-
Plans for providing information security for networks, facilities, and systems or groups of information systems and applications, based on risk;
-
A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the institution of higher education; and
-
A process to justify, grant and document any exceptions to specific program requirements in accordance with requirements and processes defined in 1 TAC Chapter 202.
State institutions of higher education are responsible for:
-
Defining all information classification categories except the confidential information category, which is defined in 1 TAC Chapter 202, Subchapter A, and establishing the controls for each:
-
Administering an ongoing information security awareness education program in compliance with the requirements of Government Code 2054.5191-.5192 for all users; and
-
Introducing information security awareness and informing new employees of information security policies and procedures during the onboarding process.
Staff Responsibilities
Information owners, custodians, and users of information resources shall, in consultation with the institution's Chief Information Officer and Information Security Officer, be identified, and their responsibilities defined and documented by the institution. The distinctions below among owner, custodian, and user responsibilities should guide determination of these roles. Texas Administrative Code, Title 1 (1 TAC) 202.72(a). Information owners shall be designated within appendix CN.1A and shall determine and document identified custodians and users, as well as document and communicate to the appropriate system administrators changes or removal of access.
Information Owner
The owner or the owner's designated representative(s) are responsible for:
-
Classifying information under their authority or responsibility, with the concurrence of the agency head or the official's designated representative(s), in accordance with the institution of higher education's established information classification categories;
-
Approving access to information resources and periodically reviewing access lists based on documented risk management decisions;
-
Formally assigning custody of information or an information resource;
-
Coordinating data security control requirements with the Information Security Officer;
-
Conveying data security control requirements to custodians;
-
Providing authority to custodians to implement security controls and procedures;
-
Justifying, documenting, and being accountable for exceptions to security controls issued by the Information Security Officer for the information for which the information owner is responsible;
-
Coordinating and obtaining approval for exceptions to security controls with the agency Information Security Officer;
-
Performing risk assessments as provided under 1 TAC 202.75.
Information owners, in coordination with the information custodian, shall ensure that information resources provide a clear and conspicuous prohibition against unauthorized access or use as detailed by Penal Code 33.02(b-1).
Information Custodian
Custodians of information resources, including third-party entities providing outsourced information resources services to state institutions of higher education, shall:
-
Implement controls required to protect information and information resources requi9red by 1 TAC Chapter 202 based on the classification and risks specified by the information owner(s) or as specified by the policies, procedures, and standards defined by the institution of higher education information security program;
-
Provide owners with information to evaluate the cost-effectiveness of controls and monitoring;
-
Adhere to monitoring techniques and procedures, approved by the Information Security Officer, for detecting, reporting, and investigating incidents;
-
Supply any information and/or documents necessary to provide appropriate information security training to employees; and
-
Ensure information is recoverable in accordance with risk management decisions.
User
The user of information resources has the responsibility to:
-
Use the resource only for the purpose specified by the institution or information owner;
-
Comply with information security controls and institutional policies to prevent unauthorized or accidental disclosure, modification, or destruction of information and information resources; and
-
Formally acknowledge that they will comply with the security policies and procedures in a method determined by the institution head or the institution head's designated representative.
Security Controls, Risk Management, Assessments, and Reporting
Navarro College shall adhere to mandatory controls established by the Texas Department of Information Resources (DIR). Navarro College shall perform all assessments and ensure all reporting requirements are met as set forth in statutory and regulatory requirements. Navarro College shall adhere to all statutory and regulatory requirements for social media applications on college district devices, financial information security programs, the cybersecurity information sharing act, and security breach notifications.
Risk and Authorization Management Program for Cloud Computing Services
When contracting for cloud computing services that store, process, or transmit data of the institution of higher education shall:
-
Confirm that vendors contracting with the institution of higher education to provide cloud computing services for the institution of higher education are certified through the Texas Risk and Authorization Management Program (TX-RAMP) prior to entering or renewing a cloud computing services contract; and
-
Require a vendor contracting with the institution of higher education to provide cloud computing services for the institution of higher education that are subject to the state risk and authorization management program to maintain program compliance and certification throughout the term of the contract.
Government Code 2063.408; Texas Administrative Code,, Title 1 (1 TAC) 202.5, .77
Mandatory Standards
Mandatory standards for Texas cloud computing services shall be defined by DIR in the program manual published on DIR's website. Government Code 2063.408(c); 1 TAC 202.77(a)
System and Security Updates
The Information Technology (IT) Department will perform major non-emergency system and security updates monthly. Notice of planned updates will be communicated with the leadership team at least one week prior to the planned update. If this schedule conflicts with major College events, updates will occur on the next available date. Emergency updates will be performed immediately upon notification. This does not apply to updates pushed out by third parties.
Usage Monitoring
Use of Information Technology (IT) resources may be monitored by the IT Department to ensure proper and efficient usage, identify problems or check for security violations.
Passwords
All users of Information Technology (IT) resources are required to take appropriate steps, as outlined below, to select and secure their passwords.
-
Passwords must be at least 8 characters and contain uppercase and lowercase letters, at least one number, and at least one special character.
-
Passwords must be complex and difficult to guess.
-
Passwords must not be reused.
All passwords are confidential and must be protected. Do no share personal account passwords in production environments. Do not share system passwords in any environment or personal account passwords in test environments unless the recipient is explicitly authorized and requires access to perform assigned duties.
Lock Screen Policy
All employees must log out of devices and/or applications which are not in active use. Computer workstations may not be left unattended without being locked, logged out, or shut down.
Physical Access Control
All employees must be aware of the financial investment and data security considerations of Information Technology (IT) facilities, including IT offices, data centers, and network closets.
The areas below are considered Information Technology (IT) Restricted Areas.
Level 1: Server Room
A “Server Room” is any area or locked container that houses one or more servers which houses internal, confidential, and/or secret data.
Rooms are designated by the Chief Information Officer (CIO).
All entrances must be locked; keys/access may be assigned to no more than four CIO-designated keyholders.
All entrances to these areas must be marked with prominent signage with the following messages:
All entries must be logged, including the entrant's name and entry time.
-
Level 1 IT Restricted Area
-
Server Room
-
Authorized Personnel Only
-
IT Escort Required Beyond This Point
-
All entries must be logged
Anyone who is not a CIO-designated keyholder must be escorted by a keyholder while in a Server Room, and entry must be approved by the keyholder. Maintain an escort log that includes:
-
Entry time
-
Escort name
-
Visitor name
-
Purpose of visit
-
Visitor company/organization (if applicable)
Level 2: Technical Work Area
A “Technical Work Area” is where Information Technology (IT) staff work or perform technical tasks. These areas may contain equipment under repair and/or sensitive data.
Technical Work Areas are designated by the Chief Information Officer (CIO).
Non-IT personnel may enter Technical Work Areas only with IT approval for legitimate College business and must be escorted by IT staff at all times.
All entrances to these areas must be kept closed and locked, except for individual employee offices, which must be kept closed when unoccupied.
All entrances to these areas must be keyed with keys available only to IT employees and Campus Police.
All entrances to these areas must be marked with prominent signage with the following messages:
-
Level 2 IT Restricted Area
-
Technical Work Area
-
Authorized Personnel Only
-
IT Escort Required Beyond This Point
-
Door to Remain Locked
Information and Equipment Disposal
Employees must delete any files on their issued devices once it is no longer needed.
Employees must return any storage media, such as hard drives, solid state drives, removable storage devices, compact discs, or other storage media to the IT department for proper disposal and destruction.
All data stored on paper must be shredded by an approved shredding company.
Encryption of Devices
Newly issued computers must be configured to be encrypted when powered off. The IT department will maintain a database of the decryption keys necessary to recover data from each device issued.
Publicly accessible computers such as kiosk computers and lab computers are exempt from the encryption requirement.
Data Ownership
Below is a list of Navarro College data owners and their primary responsibilities. The examples of primary data and key systems/artifacts are provided for guidance and are not exhaustive.
Registrar
Primary Data Owned (Examples)
-
Student enrollment files
-
Course section and enrollment
-
Degrees and certificates
-
Transcripts
-
Residency classification
Primary Responsibilities
-
Custodian of official student academic records
-
Ensures accuracy and timeliness of state reporting data
-
Maintains definitions and documentation for academic records
Key Systems and Artifacts
-
Student Information System (SIS)
-
Degree audit
-
Transcript services
Admissions
Primary Data Owned (Examples)
-
Prospective and applicant records
-
Recruitment data
-
Placement and TSI readiness data
Primary Responsibilities
-
Owns intake quality
-
Validates application data
-
Coordinates handoff to Registrar and Institutional Research (IR) for reporting
Key Systems and Artifacts
-
Customer Relationship Management (CRM) for recruitment
-
Application portal
-
Testing/Placement systems
Financial Aid
Primary Data Owned (Examples)
-
Financial Aid Data System (FADS) submissions
-
Pell Grant, grant, loans
-
Exemptions and waivers
-
Satisfactory Academic Progress (SAP)
-
Free Application for Federal Student Aid (FAFSA) and Texas Application for State Financial Aid (TAFSA) records
Primary Responsibilities
-
Ensures accurate financial aid data for compliance and audit
-
Certifies state and federal aid files
Key Systems and Artifacts
-
Financial aid system
-
Document verification
-
Scholarship systems
Information Technology / Chief Information Officer
Primary Data Owned (Examples)
-
System access logs
-
Identity/ Authentication records
-
SIS integration pipelines
-
Backups
Primary Responsibilities
-
Owns technology stack, security controls, and technical metadata
-
Coordinates with Data Management Office (DMO)/Information Security Officer (ISO) and records management
Key Systems and Artifacts
-
Identity and Access Management (IAM)/Single Sign-On (SSO)
-
Logging/Security Information and Event Management (SIEM)
-
Integration middleware
-
Backup/disaster recovery (DR) systems
Operations
Primary Data Owned (Examples)
-
Employee demographic and employment records
-
Payroll/benefits
-
Faculty credentials
Primary Responsibilities
-
Custodian of personnel data
-
Ensures privacy, retention, and reporting linkage for faculty assignments
Key Systems and Artifacts
-
Human Capital Management, Payroll
-
Credentialing repositories
-
Access control system (badge/card access logs)
Business Office / Finance
Primary Data Owned (Examples)
-
General ledger and finance records
-
Budgets
-
Appropriations
-
Tuition and fees
-
Vendor and procurement
Primary Responsibilities
-
Owns institutional financial data
-
Prepares required submissions to the state
Key Systems and Artifacts
-
Enterprise Resource Planning and FInance
-
Budgeting
-
Procurement systems
Vice President of Academic Affairs (VPAA)
Primary Data Owned (Examples)
-
Academic program inventory
-
Academic policies
-
Accreditation evidence at the executive level
Primary Responsibilities
-
Executive Data Executive for academics
-
Final approval/oversight of academic data standards and policy
Key Systems and Artifacts
-
Policy repository
-
Accreditation systems
-
Governance charters
Executive Deans and Directors
Primary Data Owned (Examples)
-
Course master (descriptions, outcomes, credits)
-
Program histories
-
Learning outcomes
-
Faculty credential files
-
Workload and assignments
-
Evaluation/promotion records
Primary Responsibilities
-
Owns academic definitions and change control
-
Ensures alignment with state manuals
-
Ensuring credential compliance
Key Systems and Artifacts
-
Curriculum Management System
-
Agenda/workflow tools
-
Faculty credentialing repository
-
Workload systems
Director of Academic Compliance
Primary Data Owned (Examples)
-
Official catalog (programs, degree/certificate, rules, calendars, academic policies)
-
Archived catalogs
-
Workforce program inventories and crosswalks
-
Course competencies
-
Credential attainment
-
Clinical/apprenticeship records
Primary Responsibilities
-
Steward of official academic record published to students/public
-
Ensures version control and legal reliance
-
Defines and maintains workforce curriculum data
-
Aligns with state course manuals
Key Systems and Artifacts
-
Catalog Management System
-
Archival repository
-
Curriculum Management
-
Program accreditation systems
Library or Learning Resource Center
Primary Data Owned (Examples)
-
Bibliographic/catalog metadata
-
Database/resource usage
Primary Responsibilities
-
Owns academic support data, metadata standards, and resource stewardship
Key Systems and Artifacts
-
Integrated Library Systems and Library Services Platform
-
Discovery layers
-
Analytics for e-resources
Distance Education and Instructional Technology
Primary Data Owned (Examples)
-
Learning Management System (LMS) course shells and metadata
-
Course activity analytics
-
Distance Education compliance records
Primary Responsibilities
-
Owns online instructional data
-
Ensures accessibility/regular-substantive-interaction compliance
Key Systems and Artifacts
-
LMS
-
Proctoring
-
Accessibility tools
-
Analytics
Department of Public Safety
Primary Data Owned (Examples)
-
Incident reports and law enforcement records
-
Security video
-
Emergency communication systems
Primary Responsibilities
-
Custodian of public safety incident records
-
Defines access rules for law enforcement/security data
-
Oversees security video governance
-
Manages emergency communications data
-
Coordinates incident response evidence handling
Key Systems and Artifacts
- Video Management System (VMS)/camera recording platform
- Incident/case management system
- Emergency notification system
- Incident reports, daily logs, dispatch logs, camera retention schedule, evidence/chain-of-custody forms, records request log
Success Coaches and Advising
Primary Data Owned (Examples)
-
Advising notes
-
Student academic plans
-
Early alert and intervention records
-
Case management notes
Primary Responsibilities
-
Owns accuracy and integrity of advising records
-
Ensures advising documentation supports degree completion, compliance, and audit needs
-
Maintains consistent advising practices aligned with academic and student success policy
-
Coordinates with Registrar, Financial Aid, and Student Success leadership on student record impacts
Key Systems and Artifacts
-
SIS advising modules
-
CRM for student success
-
Early alert and case management systems
Student Services
Primary Data Owned (Examples)
-
Student service interaction records
-
Case escalation and resolution documentation
-
Service delivery metrics
-
Complaint and referral tracking (non-disciplinary)
Primary Responsibilities
-
Owns operational student services data
-
Ensures consistency, quality, and compliance in student-facing service records
-
Coordinates cross-functional service data practices
-
Supports leadership reporting and continuous improvement
Key Systems and Artifacts
-
SIS service modules
-
Case management platforms
-
Service dashboards
-
Workflow and forms systems
Marketing / Communications
Primary Data Owned (Examples)
-
College website content
-
Digital publications
-
Institutional messaging
-
Branding and visual identity assets
-
Marketing analytics and performance data
-
Digital assets stored in the College Digital Asset Management (DAM) system
Primary Responsibilities
-
Owns accuracy, timeliness, consistency, and accessibility of all official institutional content
-
Ensures published information aligns with approved policies, branding, standards, and messaging guidelines
-
Governs content lifecycle, including creating, review, approval, publication, and archival
-
Establishes and enforces content standards, style guidelines, and accessibility best practices
-
Coordinates with designated data owners and subject matter experts to verify accuracy and accessibility of published information
-
Reviews digital content for accessibility compliance and providing guidance or recommendations to data owners on necessary remediation
-
Periodically monitors departmental subsites, such as the College Catalog, to ensure consistency with institutional branding, messaging, and accessibility standards
-
Identifies and reports issues related to accuracy, usability, or accessibility to the content-owning department for resolution
-
Monitors and analyzes marketing performance and engagement metrics, including usability and accessibility considerations
Key Systems and Artifacts
-
College website Content Management System (CMS) for institutional pages and oversight of subsites
-
Digital asset management system for storage, organization, and governance of approved digital assets
-
Marketing automation platforms
-
Marketing analytics and reporting tools
-
Institutional style guides, content standards, and accessibility guidelines (including WCAG standards and checklists)
-
Accessibility evaluation and testing tools (e.g. automated scanners and manual review processes)
-
Departmental subsites managed by other offices (e.g. College Catalog site by Academic Affairs)
Institutional Research and Effectiveness
Primary Data Owned (Examples)
-
CBM reporting datasets after final submission, accountability metrics
Primary Responsibilities
-
Integrates/validates data from owners
-
Storage and analysis of reports submitted to the state
-
Maintains institutional definitions/metadata
Key Systems and Artifacts
-
Certified Data, institutional projections
Approved: 2015
Updated: 2021, 2024, 2026
Reviewed:
