Access and use of the Student Information System "Enrollment" Panel.

This standard is effective August 1, 2004.

The following standard describes the responsible use expected by those given access to the technology resources and services supporting the VCCS Student Information System (SIS). The System Office Information Technology Office has proposed practical guidelines for the application of this standard.

The VCCS provides shared information technology resources and services to faculty, students, staff, and college patrons for activities supporting the VCCS mission. The purpose of this standard is to protect the integrity of VCCS Technology Resources and the users thereof against unauthorized or improper use of those resources. All individuals (VCCS and otherwise) granted access to this panel will be required to follow the guidance documented in this standard.

PeopleSoft provides a special Student Enrollment panel, often described as the "Super" Panel, where all editing and application referential integrity rules normally imposed by PeopleSoft’s Student Administration System is suspended. Anyone authorized to use this panel can make changes to the database and production data without going through validation or verification routines.

It is an accepted best practice that changes to data outside of normal system use, in any production system, must be documented to construct an audit trail for subsequent review. It is also an accepted best practice to limit the numbers of staff permitted such access and to provide specific training regarding specific circumstances when the panel may be used.

Changing production data with a mechanism that suspends all of the data integrity rules is often an easier and quicker alternative to the prescribed methods for affecting changes to production data. Access methods, like the Enrollment Panel, are at risk for potential abuse primarily through well-intentioned misuse. In the extreme, changes to the database using the Enrollment Panel can leave elements of the database in an error state, and the validity and integrity of student and institution data can be compromised.

As a best practice, each college campus will name two qualified individuals as the primary user of the Enrollment Panel at that campus location. The college is responsible for ensuring that the individual has all the required knowledge, training and related skill sets that are required to effectively administer and use this panel. The college information security officer must maintain on file for review by the VCCS Internal Audit Office and the VCCS Chief Information Security Officer the contact information for each person so designated. In addition, each use of the Enrollment Panel shall be documented in written and/or electronic form, showing the individual who initiated the change, the date/time of the change, the purpose of the change and the state of the table information before/after the change. the state of the table information before and after use of the Enrollment Panel to update data in the SIS database. These records shall be stored and safeguarded in a manner consistent with all applicable records retention policies and guidelines, and available upon request by the VCCS Director of Internal Audit or his/her designee.

All exceptions to this standard must be fully documented by the college and that information forwarded to the VCCS Security Officer for verification and review. This information will be reviewed as part of the VCCS Internal Audit Office l review of access controls.