Administrative Regulations Home
Work Breaks
Web Content Management
Video
Vehicle Usage
Vacation
Travel Procedures
Travel Card
Trademarks and Photographs
Tobacco Use
Tax Sheltered Annuity Program
Surveillance Cameras
Substantive Change Procedure (SACSCOC)
Student Per-Term Credit Hour Limits
Student Employment: Federal Work-Study
Student Dress Code
Student Complaints
Student Attendance and Class Participation
Social Media Guidelines
Sick Leave Pool Administrative Guidelines
Sick Leave
Assistance Animals - Service Animals
Annual Security and Fire Safety Report
Scholastic Probation or Suspension
Scholastic Integrity
Safety Manual
Responsibilities of Student Organization Advisors
Research Security Program Framework
Access to Educational Records of Deceased Students
Records Retention Schedules and Management Training
Recording of Class Lectures by Students
Quiet Hours and No Loitering
Purchasing
Procurement Card (P-Card)
Printing Guidelines
Payment of Medical Care Costs for Student Athletes
Parking and Traffic Regulations
Outside Employment
Excused Absences for Students Called To Active Military Service
Blinn Announcement (Mass Email) Guidelines
Building Access Key and Card Regulation
Institutional Scholarships/Pell Grant Award Coordination
Information Resources Acceptable Use, Security and Copyright Infringement
Incivility Protocol
Hiring Manager’s Guide For Faculty and Staff
Graduation
General Educational Development Test Administration
Flexible Work Schedules
Financial Support for Student Organizations
Final Course Grade Appeal
Faculty Workload, Teaching Load, and Office Hours
Faculty Professional Development
Unearned Tuition Assistance Funds
Facility Naming Rights
Externally Funded Grants and Contracts
Expulsion of Students from Class
Expressive Activities on Campus by Students and Employees
Employee Progressive Discipline
Employee Performance Evaluations
Assistance Animals - Emotional Support Animals
Cell Phone Allowances
Emergency Response Plan
Employee Book Voucher
Emergency Procedures Manual
Athletic Department Drug Testing
Drug and Alcohol Prevention Program (DAAPP)
Disposal of Property
Display Screen Guidelines
Discretionary Time
Direct Deposit, Payroll
Capital Asset Guidelines
Campus Security Authorities
Campus Carry
Information Systems and Services
Information Systems and Information Integrity
Information Systems and Communications Protection
Information Systems Supply Chain Risk Management
Information Systems Security Planning
Administrative Organization Plan - Councils and Committees
Information Systems Security Assessment and Authorization
Information Systems Risk Assessment
Prohibited Technologies and Covered Applications
Information Systems Media Protection
Information Systems Maintenance
Information Systems Security Program
Information Resources Acceptable Use, Security and Copyright Infringement
Information Systems Incident Response
Information Systems Identification and Authentication
Information Access Control
Photo Identification (ID) Card
Faculty Credentialing Procedures
Blinn Alert Notification
Student Code of Conduct
Approved Vendors for Apparel and Promotional Items
Alternate Work Location
Admission Requirements and Registration Eligibility
Web Accessibility
Board Policy/Administrative Regulations Development and Approval
Quarantine Leave for Certain Law Enforcement and EMS Personnel
Outdoor Intramural Spaces Guidelines
Name, Image, and Likeness
Indoor Tabling Guidelines
Hazing Prevention
Credit by Examination, Prior Learning Assessment, Awarding Credit
Additional Education During Term of Employment
Post Accident Drug and Alcohol Testing
Personal Leave
Prohibition Against Inducements, Commission and High-Pressure Recruitment Tactics for Service Members
Continuity of Operations Plans
Employee Complaints
Community Users of the Blinn College Library
College District Closures
College District Brand Guidelines
College Catalog Policy
Information Systems Physical and Environmental Protection
Information Systems Personnel Security
Information Systems Contingency Planning
Information Systems Configuration Management
Information Systems Awareness and Training
Information Systems Audit and Accountability
Awarding Incomplete Grades
Athletic Awards Criteria
Assessment of Instructional Programs and Courses
Board Policy CS - Information Systems

Administrative Regulations Home Work Breaks Web Content Management Video Vehicle Usage Vacation Travel Procedures Travel Card Trademarks and Photographs Tobacco Use Tax Sheltered Annuity Program Surveillance Cameras Substantive Change Procedure (SACSCOC) Student Per-Term Credit Hour Limits Student Employment: Federal Work-Study Student Dress Code Student Complaints Student Attendance and Class Participation Social Media Guidelines Sick Leave Pool Administrative Guidelines Sick Leave Assistance Animals - Service Animals Annual Security and Fire Safety Report Scholastic Probation or Suspension Scholastic Integrity Safety Manual Responsibilities of Student Organization Advisors Research Security Program Framework Access to Educational Records of Deceased Students Records Retention Schedules and Management Training Recording of Class Lectures by Students Quiet Hours and No Loitering Purchasing Procurement Card (P-Card) Printing Guidelines Payment of Medical Care Costs for Student Athletes Parking and Traffic Regulations Outside Employment Excused Absences for Students Called To Active Military Service Blinn Announcement (Mass Email) Guidelines Building Access Key and Card Regulation Institutional Scholarships/Pell Grant Award Coordination Information Resources Acceptable Use, Security and Copyright Infringement Incivility Protocol Hiring Manager’s Guide For Faculty and Staff Graduation General Educational Development Test Administration Flexible Work Schedules Financial Support for Student Organizations Final Course Grade Appeal Faculty Workload, Teaching Load, and Office Hours Faculty Professional Development Unearned Tuition Assistance Funds Facility Naming Rights Externally Funded Grants and Contracts Expulsion of Students from Class Expressive Activities on Campus by Students and Employees Employee Progressive Discipline Employee Performance Evaluations Assistance Animals - Emotional Support Animals Cell Phone Allowances Emergency Response Plan Employee Book Voucher Emergency Procedures Manual Athletic Department Drug Testing Drug and Alcohol Prevention Program (DAAPP) Disposal of Property Display Screen Guidelines Discretionary Time Direct Deposit, Payroll Capital Asset Guidelines Campus Security Authorities Campus Carry Information Systems and Services Information Systems and Information Integrity Information Systems and Communications Protection Information Systems Supply Chain Risk Management Information Systems Security Planning Administrative Organization Plan - Councils and Committees Information Systems Security Assessment and Authorization Information Systems Risk Assessment Prohibited Technologies and Covered Applications Information Systems Media Protection Information Systems Maintenance Information Systems Security Program Information Resources Acceptable Use, Security and Copyright Infringement Information Systems Incident Response Information Systems Identification and Authentication Information Access Control Photo Identification (ID) Card Faculty Credentialing Procedures Blinn Alert Notification Student Code of Conduct Approved Vendors for Apparel and Promotional Items Alternate Work Location Admission Requirements and Registration Eligibility Web Accessibility Board Policy/Administrative Regulations Development and Approval Quarantine Leave for Certain Law Enforcement and EMS Personnel Outdoor Intramural Spaces Guidelines Name, Image, and Likeness Indoor Tabling Guidelines Hazing Prevention Credit by Examination, Prior Learning Assessment, Awarding Credit Additional Education During Term of Employment Post Accident Drug and Alcohol Testing Personal Leave Prohibition Against Inducements, Commission and High-Pressure Recruitment Tactics for Service Members Continuity of Operations Plans Employee Complaints Community Users of the Blinn College Library College District Closures College District Brand Guidelines College Catalog Policy Information Systems Physical and Environmental Protection Information Systems Personnel Security Information Systems Contingency Planning Information Systems Configuration Management Information Systems Awareness and Training Information Systems Audit and Accountability Awarding Incomplete Grades Athletic Awards Criteria Assessment of Instructional Programs and Courses Board Policy CS - Information Systems

Information Systems and Services

BLINN COLLEGE ADMINISTRATIVE REGULATIONS MANUAL

SUBJECT: Information Systems and Services

EFFECTIVE DATE: June 1, 2020; amended September 19, 2023

BOARD POLICY REFERENCE: CS

PURPOSE

Develop policies and procedures for system and services.

PROCESS

System and Services Policy and Procedures (SA-01)

The College District:

Develops, documents, and disseminates to budget managers:
1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
Reviews and updates the current:
1. System and services acquisition policy biennially; and
2. System and services acquisition procedures annually.

SYSTEM AND SERVICES POLICY

Allocation of Resources (SA-02)

The College District:

Determines information security requirements for the information system or information system service in mission/business process planning;
Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
Establishes a discrete line item for information security in organizational programming and budgeting documentation.

System Development Life Cycle (SA-03)

The College District:

Acquire, develop, and manage the system using a recognized risk mitigation framework that incorporates information security and privacy considerations;
Define and document information security and privacy roles and responsibilities throughout the system development life cycle;
Identify individuals having information security and privacy roles and responsibilities; and
Integrate the organizational information security and privacy risk management process into system development life cycle activities.

Acquisition Process (SA-04)

The College District includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

Security functional requirements;
Security strength requirements;
Security and privacy assurance requirements;
Controls needed to satisfy the security and privacy requirements.
Security and privacy documentation requirements;
Requirements for protecting security and privacy documentation;
Description of the system development environment and environment in which the system is intended to operate;
Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and
Acceptance criteria.

Before acquisition, information technology or processing systems receiving, containing or processing personally identifiable information, protected health information or institutional data whether operating on premise or in the cloud must be reviewed and approved by the CISO and legal department.

Information System Documentation (SA-05)

The College District:

Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and is retained by the information system owner in response;
Protects documentation as required, in accordance with the risk management strategy; and
Distributes documentation to information system custodians and applicable documentation to users.

Security and Privacy Engineering Principles (SA-08)

Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: NIST 800-37 Rev. 2.

External System Services (SA-09)

The College District:

Requires providers of external information system services comply with college information security requirements and comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
Information system owners are responsible for oversight, defining user roles and responsibilities; and
Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: TX-RAMP.

Developer Configuration Management (SA-10)

The College District requires the developer of the information system, system component, or information system service to:

Perform configuration management during system, component, or service design, development, implementation and operation;
Document, manage, and control the integrity of changes;
Implement only college-approved changes to the system, component, or service through the change control process;
Document approved changes to the system, component, or service and the potential security impacts of such changes; and
Track security flaws and flaw resolution within the system, component, or service and report findings to information system owner and CISO.

Developer Testing and Evaluation (SA-11)

The College District requires the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:

Develop and implement a plan for ongoing security and privacy assessments;
Perform system testing/evaluation;
Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;
Implement a verifiable flaw remediation process; and
Correct flaws identified during testing and evaluation.

Unsupported System Components (SA-22)

Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or
Provide the support from external providers.