IT400 Software/Data Policy

Tags software data

Effective Date:  03/22/2023

Owner:  PPAC

Team Members:  PPAC

1.0            PURPOSE

1.1              The purpose of this policy is to establish procedures and guidelines for the procurement and administration of software and data used by Baker College.

2.0           SCOPE DETAIL

2.1             This policy is applicable to those responsible for the procurement, management, and use of software across the institution.

3.0           DEFINITIONS


The Academic or Admin individual responsible for testing, documenting, and reviewing the compatibility of a resource with the College’s systems.


Acceptable Use Policy


Chief Information Officer


Information stored electronically or in printed form.

Data at rest

Data when it is not in process or in transit and is stored in persistent storage.

Data in transit

Data that is being transferred between source and destination.

Desktop Software

Software that is installed on any Baker College desktop, laptop, or similar device.

Directory Information

Any information that is generally not considered harmful or an invasion of privacy if released and can be disclosed to outside organizations without prior written consent: student name, address, telephone, email, date / place of birth, photograph, honors / awards, dates of attendance, student identifier (UIN), library card number, enrollment status, and most recent educational agency or institution attended.


The Enterprise Application Services team

Education Records

Record means any information recorded in any way, including, but not limited to, handwriting, print, computer media (electronic), video, audio tape, film, microfilm, and microfiche which directly relates to a student.

Enterprise Software

Any software, excluding desktop software, that is used across the organization.


The manufacturer's End of Support or End of Service date.


Family Educational Rights and Privacy Act


Gramm Leach Bliley Act


Health Insurance Portability and Accountability Act


The Infrastructure Security and Support team.


Information Technology

Personally Identifiable Information (PII)

Any data that is protected regardless of protocol that is associated with an individual person. This includes SSN, financial information, credit card numbers, driver's license number, health records / insurance, family contact information, disability status, citizenship, biometric identifiers, background.

Protected Information / Data (organization)

Intellectual property, configuration of technology assets (network diagrams, access controls, user access).


Service Level Agreement defines the level of service expected by a customer from a supplier.


Subject Matter Experts are the individuals responsible for documenting instructions and reviewing the compatibility of a resource with the College’s systems.


Software means, in its broadest definition, electronically stored computer instructions, operating systems, utilities, application, application or hosting service provider services, software as a service, and related documentation.

Technology Request

A formalized procedure that approves technology installation, acquisition, contracts, and renewals for IT Resources.


The Technology Services and Support team

4.0           GUIDELINES

4.1              Software

4.1.1         Procurement Process

a.)              New and donated software must be submitted and approved through a Technology Request prior to acquisition or installation.

b.)              New software should be standardized across the enterprise whenever possible.

4.1.2       Software Asset Management

a.)                Software Installation and Removal

i.)               Desktop software will be managed by the SME and deployed using an endpoint management system when possible.

ii.)             Enterprise software installation and removal will be managed by the EAS, ISS, and TSS departments.

iii.)             Software life cycles are determined by academic needs, manufacturer EOS date, and system compatibility.

b.)                License Management and Reporting

i.)               Software usage and licensing must be audited and any violations reported to the Procurement Department.

ii.)             Extra or unused licenses should be repurposed or removed when possible.

c.)                Software usage should adhere to all guidelines as specified by the AUP.

4.1.3        Obsolete Operating Systems

a.)              IT managed operating systems that have reached the end of support will not be allowed on any Baker managed networks unless directed by the CIO.

4.1.4       Backup Policy

a.)              Baker College IT will provide procedure-based, system level, network-based backups of server systems under its stewardship.

b.)              In accordance with industry standards, Baker College IT will implement backup procedures on a per system basis that define:

i.)                 Selections

ii.)               Priority

iii.)             Type

iv.)             Schedule

v.)                Duration

vi.)             Retention Period

c.)                Storage, Access, and Security

i.)                All backup media must be stored in a remote secure area that is accessible only to designated Baker College IT staff. Backup media will be stored in a physically secured, fireproof safe when not in use. Offsite storage vendors should be bonded and insured.

ii.)             During transport or changes of media, media will not be left unattended.

d.)                Hosted Solution Backups

i.)               All hosted application backup procedures should be identified within the technical design documentation for each application.

4.2             Data Regulation

4.2.1        Protected Information / Data includes any information that Baker College has a contractual, legal, or regulatory obligation to safeguard in the most stringent manner. In some cases, unauthorized disclosure or loss of this data will require Baker College to notify the affected individual and state or federal authorities. In some cases, modification of the data will require informing the affected individual.

4.2.2       Baker College shall comply with Federal and State data regulations. The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of a student’s education records. In compliance with FERPA, Baker College does not disclose personally identifiable information contained in student education records, except as authorized by law.

4.2.3       Baker College is required by the Health Insurance Portability and Accountability Act (HIPAA) to ensure the privacy and security of all “Protected Health Information” or “PHI” created, received, maintained, or transmitted by or for its health care providers and self-insured health plans that are subject to HIPAA. This policy is intended to guide components at Baker College that are covered by HIPAA (“HIPAA Covered Components”) to rigorously implement all HIPAA-mandated requirements as they are subject to enforcement by the federal government. Regardless of where or in what form (paper, electronic or otherwise) Baker College data is stored, it remains the property of Baker College and the college’s HIPAA Covered Components are responsible for ensuring proper protection.

4.2.4      Baker College is required by the Gramm Leach Bliley Act (GLBA) to safeguard personal financial information held by financial institutions and higher education organizations as related to student loan and financial aid applications. Examples of this type of data include student loan information, student financial aid and grant information, and payment history.

4.2.5       Personally Identifiable Information (PII) is information that, if made available to unauthorized parties, may adversely affect individuals or the business of Baker College. PII is information that can be used to uniquely identify, contact, or locate a single person. This classification also includes data that the college is required to keep confidential, either by law (e.g., FERPA) or under a confidentiality agreement with a third party, such as a vendor. This information should be protected against unauthorized disclosure or modification. PII should be used only when necessary for business purposes and should be protected both when it is in use and when it is being stored, transported, and/or destroyed.

4.2.6      Baker College is required to adhere to the Michigan Social Security Number Privacy Act. Social Security numbers are unique, nine-digit numbers issued to U.S. citizens, permanent residents, and temporary (working) residents for taxation, Social Security benefits, and other purposes. Baker College does not use Social Security numbers as identifiers for students, faculty, or staff.      

4.2.7       Information Lifecycle

a.)             The information lifecycle is the progression of stages or states in which a piece of information may exist between its original creation and final destruction. These phases are: Accessing, Data Handling, Storing, Auditing, and Destroying. It is important to understand that storing refers to a broad spectrum of activities including putting a file in a filing cabinet or on to a file server or entering information into a database or spreadsheet. The requirements for storing information apply equally to the source and to any copies made.

b.)              Baker College will use best practices and methods to properly destroy and/or sanitize physical and digital media containing sensitive internal and confidential information.


5.1              IT

5.1.1         The role of Baker College Information Technology is to ensure the IT environment and affiliated products and services are used to support the institution while striving to achieve the IT SLA’s.

5.1.2        SMEs shall be responsible for:

a.)              Maintaining a process to audit and manage access, accounts, and licensing for software.

b.)              Sending notifications of product upgrades and enhancements.

c.)              Scheduling and applying patches, updates, and upgrades on appropriate schedules to reduce risk, increase usability, and ensure availability.

d.)              Notifying the Procurement Department of any licensing violations.

5.1.3         IT leadership should conduct periodic reviews of where Protected Information data is located, who has access to it, and the access control mechanisms.  IT leadership should also verify that procedures for removing access are documented and accurate.

5.2             Procurement Department

5.2.1        Where applicable, the Procurement Department is responsible for recording software usage, location, cost, and the start and end dates of contracts and agreements.

5.2.2        The Procurement Department will manage and provide reporting for contract and licensing expirations.

5.2.3       The Procurement Department will notify the software SME of any licensing violations.

5.3             Faculty/Staff

5.3.1        The ASME shall be responsible for:

a.)                Testing new software and recommending changes based on curriculum needs.

b.)                Notifying IT of product upgrades and changes in curriculum requirements.

c.)                Providing training material and documentation to faculty.

5.3.2       Review potential donations or acquisitions of software with Campus IT personnel.

5.3.3       Employee Supervisors

a.)                Assist IT with software requests, approvals and audits.

5.4             End Users

5.4.1        End users are responsible for understanding all Federal and State regulations that apply to their role(s).

5.4.2       Usage should adhere to all guidelines as specified by the AUP, student handbook, and employee handbook.


Article ID: 154560
Thu 3/23/23 2:20 PM
Thu 3/23/23 2:58 PM

Related Articles (2)

Defines the structure and purpose of policy & procedure utilization by the Baker College Information Technology Department.