Technology & Data Policies

This IT Acceptable Use Policy ("Policy") applies to all students, faculty, staff, and third-party users who access the information technology resources of Catawba College. The purpose of this Policy is to ensure the appropriate use of these resources, to protect the privacy and confidentiality of institutional data, and to maintain the integrity and security of the institution's information technology systems and infrastructure.

General Principles:

1. Access to information technology resources must be in accordance with the policies and procedures of the institution.

2. All users must comply with local, state, and federal laws and regulations, as well as with institutional policies and procedures, when using information technology resources.

3. Information technology resources may be used only for authorized purposes, including instruction, research, and administrative activities in support of the institution's mission.

4. Users must comply with all intellectual property laws and regulations.

5. Users must respect the privacy and confidentiality of institutional data and not disclose, use, or disseminate such data without authorization.

6. Users must protect the integrity and security of institutional information technology systems and infrastructure by following the institution's security policies and procedures.

7. Users must report any suspected security breaches or violations of this Policy to the appropriate institutional authority.

Acceptable Use:

1. Users may use institutional information technology resources for instructional, research, and administrative activities that support the mission of the institution.

2. Users may access and use the internet and email for institutional purposes, provided that such use is consistent with the principles of this Policy.

3. Users may not use institutional information technology resources for personal commercial activities or for personal gain.

4. Users may not engage in activities that disrupt or interfere with the normal operation of institutional information technology systems and infrastructure.

5. Users may not install or use unauthorized software or hardware on institutional information technology resources.

6. Users may not engage in activities that are illegal or in violation of institutional policies and procedures.

7. Users may not engage in activities that are abusive, offensive, or harassing to other users.

Security:

1. Users must protect institutional information technology resources from unauthorized access or use by following the institution's security policies and procedures.

2. Users must protect their accounts and passwords from unauthorized access or use.

3. Users must not share their accounts or passwords with others.

4. Users must not attempt to access or use information technology resources for which they are not authorized.

5. Users must report any suspected security breaches or violations of this Policy to the appropriate institutional authority.

Enforcement:

1. Violations of this Policy may result in disciplinary action, up to and including termination of employment or expulsion from the institution.

2. The institution may monitor information technology resources to ensure compliance with this Policy.

3. The institution may restrict or terminate access to information technology resources for violations of this Policy.

Conclusion:

The institution expects all users to comply with this Policy and to use Catawba College Information Technology resources in a responsible and ethical manner. By doing so, we can ensure the security, integrity, and availability of these resources for the benefit of the institution and its mission.

The purpose of this policy is to provide a consistent method of handling any information security incidents that may occur on the Catawba network and applies to all Catawba College students, faculty, and staff. Any network user found to have violated this policy may be subject to disciplinary action, including suspension or termination of network privileges.

Any employee found to have violated this policy may be subject to disciplinary action up to and including termination of employment.

If infractions also violate local, state, or federal laws, other civil or criminal penalties may apply.

The College reserves the right to monitor previous offenders for further abuse.

An information security incident is defined as any event that affects the confidentiality, integrity, or availability of network resources. Any of the following would constitute an information security incident:

1. Any potential violation of federal law, North Carolina law, or Catawba College policy involving a Catawba Information Technology (IT) asset.
2. A breach, attempted breach, or other unauthorized access to a Catawba IT asset
3. Any Internet worm, virus, Denial of Service (DoS) attack, or related incident
4. Any change in a computer system that disables or defeats security precautions that have been installed on the machine
5. Any conduct using in whole or in part a Catawba IT asset that could be construed as harassing or in violation of Catawba College policies. Incidents that potentially involve harassment should be reported to the Student Affairs or Human Resources as appropriate.
6. The appropriate authorities should be notified immediately of any suspected or real information security incident. If it is unclear as to whether a situation should be considered an information security incident, IT should be contacted to evaluate the situation.
   • Incidents that potentially involve violation of federal or state law should be immediately reported to Campus Safety (704-637-4000).
   • Incidents that potentially involve malicious or accidental damage to the Banner enterprise database should be reported to the Director of Enterprise Applications.
   • Any other potential information security incident should be reported to the Help Desk and Media Services Director.

The North Carolina Identity Theft Protection Act requires organizations to notify persons whose personal information held by the organization has been compromised by an information security breach. The purpose of this policy is to define the circumstances and procedures under which required notifications will be made and applies to all Catawba College students, faculty, and staff. Any employee found to have violated this policy may be subject to disciplinary action up to and including termination of employment.

Definitions: 

Personal Information is defined by the North Carolina Identity Theft Protection Act as a person’s first name or first initial and last name in combination with any of the following items:

• Social Security or employer taxpayer identification number
• Driver’s license, state identification card, or passport numbers
• Checking account numbers
• Savings account numbers
• Credit or debit card numbers
• Personal Identification Number (PIN code)
• Digital signatures
• Any other numbers or information that can be used to access a person’s financial resources
• Biometric data
• Fingerprints

Even if listed above, however, “personal information” does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records.

Information Security Breach is defined as an incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information, along with the confidential process or key, also constitutes an information security breach.

Good faith acquisition of personal information by an employee or agent of the College for a legitimate purpose is not an information security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the College and is not subject to further unauthorized disclosure.

Policy: 

Any information security breach should be reported to the Chief Information Officer (CIO) and the IT Operations Director immediately upon discovery.

In the case of an information security breach that results in disclosure of personal information, Catawba will notify the affected individuals without unreasonable delay.

Notification will be delayed if a law enforcement agency determines that notification will impede a criminal investigation. In this case, notification will be provided without unreasonable delay after the law enforcement agency determines that it will not compromise the investigation.

The purpose of this policy is to establish guidelines for external user access to Information Technology applications, systems, and services, ensuring the security and confidentiality of sensitive information. This policy applies to all external users who require access to Information Technology resources including hired contractors.

Authorization: External user access to the Information Technology resources must be authorized by the IT department and approved by the respective business unit manager or executive sponsor.

Access Control: Access to the enterprise IT environment will be granted on a "need-to-know" basis and shall be limited to the minimum access necessary to perform the authorized duties. Access to our primary student information system, Banner, will be granted to the Test environment only by default.

Security Awareness: External users shall receive security awareness training on the enterprise IT environment, including policies, procedures, and security controls.

Password Policy: External users must follow the enterprise password policy.

Two-Factor Authentication: External users must use two-factor authentication to access resources as required.

Remote Access: External users must use secure remote access technologies, approved by the IT department.

User Responsibilities: External users are responsible for maintaining the confidentiality and security of their login credentials and must report any suspected security breaches to the IT department immediately.

IT Responsibilities: IT is responsible for initial account setup and access to necessary systems. IT is not responsible to train, troubleshoot, or assist with usage of these systems. IT cannot support contractor supplied equipment or software.

Monitoring: The IT department will monitor external user access to Information Technology resources to ensure compliance with policies and procedures.

Termination: Access to the Information Technology Resources will be terminated upon the expiration of the user's authorized access period, or upon termination of the user's employment or contract with the enterprise.

Policy Review: This policy shall be reviewed periodically to ensure its effectiveness and relevance to Catawba College’s security objectives.

Enforcement: Failure to comply with this policy may result in disciplinary action, up to and including termination of the user's contract with the College.

Acknowledgment:

All external users who require access to Information Technology Resources must acknowledge their understanding and agreement to comply with this policy before being granted access.

Access to email accounts is restricted to authorized individuals only. To gain access, users must provide a valid username and password or other authorized credentials.

User Responsibilities

Users are responsible for maintaining the security of their account credentials and for preventing unauthorized access to their accounts. They should not share their passwords with others or allow anyone else to use their accounts.

Users are expected to use email accounts only for legitimate purposes related to their academic or job-related activities. Sending or receiving emails for personal or non-work-related purposes is prohibited.

Users should be aware that email is not a secure means of communication and that sensitive information should not be transmitted via email unless it is encrypted. If sensitive information must be transmitted via email, it should be marked as confidential.

Users are prohibited from using email accounts to engage in any form of harassment, discrimination, or other behavior that is prohibited by our institutional policies or laws.

The institution reserves the right to monitor email accounts for compliance with this policy and for any other legitimate purpose.

Violations of this policy may result in disciplinary action, up to and including termination of employment or expulsion from the institution.

Information Technology Responsibilities

IT personnel may not access accounts such as email, Blackboard, or Financial Aid unless specifically given instruction by the account owner, the supervisor of the personnel's account, the Executive Cabinet member from that area or the President of the college.

Account credentials pertaining to personnel employed by the college should not be shared with anyone other than the employee. Managers for departing personnel or personnel taking a leave of absence may request that those email addresses be forwarded to another person on their team. For personnel taking a leave of absence, the employee must be notified.

Account credentials pertaining to a current or past student of the college should not be shared with anyone other than the student. FERPA regulations dictate that knowledge of any other factors pertaining to a student's account such as a locked or inactive state, access, or logs may only be shared with college personnel. This requires that IT personnel be confident they are speaking or engaging directly with the student in question. To prove identity, IT personnel must request ID number, date of birth, social security number (never via email or ticketing system), or a photo ID. If identity cannot be proven without reasonable doubt, college personnel cannot share account details or reset a password.

Creation of Accounts

Student accounts are created at the time of Enrollment Deposit and are available within the hour.

Employee accounts are created at the time the employee record is entered into Banner by Human Resources. If the employee is a graduate of the college, a new email address will be created to use for professional purposes. They may not use their former Catawba email address for professional purposes. Employees who are being re-hired by the institution will receive a new email address for their new role and will not be allowed access to their former email address.

Vendors who are under contract with the college, such as Follett or Chartwells, and contractors who are on retainer by the college may have a Catawba email address requested by the appropriate Executive Cabinet member or the President.

Termination of Accounts

Student access to digital services other than OneDrive and email are terminated after ending their time at the college (such as through graduation or withdrawal).

Employee access to email and software using SSO is immediately terminated on the last day of employment entered by Human Resources in Banner. In the event an employee is terminated effective immediately but given a later end date of employment, IT will be asked to end account access effective immediately. The email address will remain active but locked from the employee with emails being forwarded to someone within the department. This request for forwarding must come from the manager, Director, VP, or President.

Changing of Account Username

Email address will only be changed when a request is submitted by Human Resources, Executive Cabinet Member or the President if the automatic username generated is deemed problematic.

When an employee legally changes their name, they may request their account username be changed to match their new name. They will continue to log in with their previous username, but the email address will automatically be connected to their previous account.

Names will appear as noted in preferred name in the Student Information System and can be updated with the Registrar’s Office (for Students) and Human Resources (for Employees).

Distribution Lists

Distribution Lists can be created as needed for official college purposes. These distribution lists will be automatically updated based on criteria set forth in the request and will pull based on corresponding Banner data for each person.  Appropriately corresponding offices who own the data are able to update these distlists. This includes:

• Registrar for Student DistLists by Academic Credentials
• Student Affairs for Housing-related DistLists
• Human Resources for personnel DistLists

Shared Accounts

There are two opportunities for shared account options at the college. The first is a DistList and the ability to send emails as though from this email address. This is the most secure and recommended method. The second is an email address that is a stand alone email address for an office with access shared. There should be no accounts created or used with shared login credentials. This is only to be used by offices who have a designated person primarily responsible for the account and need to take action on each email received.

All electronic communication at the college must adhere to the behavior standards set forth by the institution including FERPA guidelines and Honor Code. Any correspondence deemed as harassing or bullying in nature may result in immediate expulsion for students or termination for employees.

Personal Identifying Information should not be shared via email. Personal Information is defined by the North Carolina Identity Theft Protection Act as a person’s first name or first initial and last name in combination with any of the following items:

• Social Security or employer taxpayer identification number
• Driver’s license, state identification card, or passport numbers
• Checking account numbers
• Savings account numbers
• Credit or debit card numbers
• Personal Identification Number (PIN code)
• Digital signatures
• Any other numbers or information that can be used to access a person’s financial resources
• Biometric data
• Fingerprints

Even if listed above, however, “personal information” does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records.

Purpose
This policy establishes guidelines for the use of text messaging as a method of communication between faculty, staff, and students at Catawba College. The intent is to ensure that all communications are professional, respectful of student privacy, and compliant with institutional standards and applicable regulations.

Scope
This policy applies to all faculty, staff, student workers, and contractors who engage in direct communication with students via text messaging, whether through personal devices or institution-managed platforms.

Acceptable Use:

Text messaging may be used as a supplemental communication method for time-sensitive, urgent, or logistical matters (e.g., class cancellations, meeting reminders, emergency notifications). It is not to be used for delivering academic content, discussing grades, or engaging in extended dialogue.

All text communications must adhere to the following standards:

• Consent: Students must opt-in to receive text messages. Consent must be documented and may be withdrawn at any time.
• Platform Use: Whenever possible, institution-approved messaging platforms (e.g., Microsoft Teams, Outlook SMS integrations, Slate, EAB Navigate) must be used. Personal phone numbers should not be used unless explicitly authorized.
• Content: Messages must be professional, concise, and relevant to institutional activities.
• Privacy: Text messages must not contain sensitive or personally identifiable information (PII), including but not limited to grades, health information, or financial data.

Enforcement
Violations of this policy may result in disciplinary action, including revocation of communication privileges or further administrative review. All communications are subject to audit by the Office of Information Technology, Office of the Provost, and/or the Office of Student Affairs.

Purpose
To safeguard the confidentiality and integrity of Personally Identifiable Information (PII), this policy establishes the exclusive use of Secure File Transfer Protocol (SFTP) or cloud-based file sharing services for transmitting PII outside of Catawba College’s network.

Scope
This policy applies to all faculty, staff, contractors, and affiliates who handle or transmit PII in the course of their duties. PII includes, but is not limited to, names, addresses, Social Security numbers, student ID numbers, financial data, and health-related information.

Policy Statement
Catawba College mandates that all external transmission of PII must be conducted exclusively through Secure File Transfer Protocol (SFTP) or cloud-based file sharing. The use of email or unencrypted transfer methods for sending PII is strictly prohibited.

Requirements

• Encryption: All SFTP and cloud-based file sharing service transmissions must use strong encryption protocols (e.g., AES-256).
• Authentication: Access to SFTP services or cloud-based file sharing services must require multi-factor authentication (MFA) and be restricted to authorized users.
• Approved Platforms: Only institution-approved SFTP platforms may be used. Personal or third-party SFTP services are not permitted.
• Data Minimization: Only the minimum necessary PII should be transmitted, and only to verified recipients with a legitimate business or academic need.

Exceptions
Any exceptions to this policy must be approved in writing by the Office of Information Technology. Exception requests must include justification, risk assessment, and mitigation strategies.

Enforcement
Violations of this policy may result in disciplinary action, including revocation of access privileges, formal reprimand, or further administrative review. All incidents will be investigated in accordance with Catawba College’s Information Security Incident Response Policy.

Review and Revision
This policy will be reviewed annually by the Office of Information Technology and updated as needed to reflect changes in regulatory requirements, institutional practices, or technological capabilities.

Purpose
To protect institutional data integrity, security, and compliance, this policy prohibits the creation, use, or maintenance of unauthorized databases—commonly referred to as “shadow databases”—outside of approved Catawba College systems.

Scope
This policy applies to all faculty, staff, contractors, and affiliates who access, manage, or store institutional data, including student records, financial information, academic data, and operational systems.

Policy Statement
Catawba College strictly prohibits the use of shadow databases. A shadow database is defined as any data repository created or maintained outside of institutionally approved platforms, systems, or oversight. These databases pose significant risks to data accuracy, security, and regulatory compliance.

Examples of shadow databases include:

• Spreadsheets or Access files containing student or employee data stored on local drives or cloud services
• Unofficial data tracking systems not integrated with institutional databases
• Third-party applications used without IT approval that store institutional data

Risks of Shadow Databases

• Security Vulnerabilities: Unsecured data may be exposed to unauthorized access or breaches.
• Data Inconsistency: Shadow databases often contain outdated or conflicting information.
• Compliance Violations: Use of unauthorized systems may violate FERPA, HIPAA, and other regulatory standards.
• Operational Inefficiency: Fragmented data sources hinder reporting, decision-making, and collaboration.

Requirements

• All institutional data must be stored and managed within approved systems maintained by the Office of Information Technology.
• Requests for new data systems or tools must be submitted to IT for review and approval.
• Existing shadow databases must be reported to IT and either migrated to approved platforms or decommissioned.

Enforcement
Violations of this policy may result in disciplinary action, including revocation of access privileges, formal reprimand, or further administrative review. The Office of Information Technology reserves the right to audit systems and devices for unauthorized data repositories.

Information Technology Services is responsible to maintain and support only technology that has been pre-approved through an authorized Information Technology representative. Peripheral devices (such as mice and screen protectors) do not have to go through this process. This technology consists of networking/telecom equipment and services; web applications design and/or services; computer or server application and hardware; audio/video facilities and equipment; broadcast/production facilities and equipment; software for installation on college-owned devices or cloud-based access; etc. All vendors must go through a security review to ensure they are adhering to best practices before being onboarded to the college. An Information Technology representative will work with the purchasing area through this process.

Catawba’s Information Technology Services Office will not maintain or support any technology or service that is not owned or leased by Catawba College.  Technology purchased outside of this policy will result in the permanent transfer of departmental funds in amount used to purchase the technology from the purchasing department to the Office of Information Technology Services.

Information Technology Services staff are available to consult with you about your academic and administrative technology needs. While some needs may be met with existing solutions on campus, others may require the purchase of a solution. IT will help to evaluate your needs, make appropriate recommendations while also working with our existing/future infrastructure and data security requirements, review contracts, offer basic training, and other tasks. This process ensures the technology you need meets compatibility and support guidelines across campus. Information Technology has to right to decline approval for technology that does not meet this criteria and will provide options for alternate solutions. To inquire about or request technology, submit an IT ticket by emailing ithelp@catawba.edu.

• Academic Purchasing - Academic departments should create an IT Service Request to begin this process.
• Administrative Purchasing - Administrative departments should create an IT Service Request to begin this process. 
• Replacement Policy for College Computer Equipment - As a matter of policy, Catawba College will replace basic technology equipment on a three-to-five year cycle, based on the recommendations of the Information Technology staff with regard to advancements in technology during such a cycle and on the availability of funding.

Standard IT Office hours are 8:00am-5:00pm Monday through Friday when the College is open. Only emergency needs are addressed outside of these hours. In the case of emergency needs outside of these hours, the request must be submitted via the IT ticketing system by the managing Director and/or VP. Personnel to assist with testing and troubleshooting in addition to the Director and/or VP of the area must be available during the time IT personnel are working on the issue. Emergency needs are defined as system outages or issues that have widespread impact and hinder operations of the institution. All other issues will be resolved during regularly operating business hours.

Device:

Full time faculty and permanent and temporary professional staff working in an office environment will be supplied with one set of technology (monitor(s), docking station (if needed), keyboard, mouse, and computer) to perform their job functions, whether it be remote or on campus.

The college is committed to ensuring employees have the technology necessary to conduct the duties that correlate with their position and will have devices across campus on a three-year rotation. In doing so, standardization includes:

• All employees will receive one (1) 24” monitor.
  • Personnel who work at their desk thirty-five hours or more a week are eligible to request receive a 36” curved monitor
• A standard Dell keyboard and mouse.
• All Staff are issued a Dell PC16250 laptop
  • Mac Pro 14” are only available for staff who have a role of Marketing and Communication for the College
• Faculty may select from the Dell PC16250 laptop or a Mac Pro 14”

Care:

• No stickers on the device. Those wishing to customize the exterior of their device should utilize a case.
• During office moves, monitors should only be moved by Information Technology personnel.
• The laptop device and charger must be returned to HR at the time of departure. Failure to do so will result in punitive action.
• Employees are expected to sign in to Zoom daily during working hours.
• Employees are expected to utilize One Drive and SharePoint to save documents.