6.1 Use of State Property - Bulletin Boards
CVCC’s Security Office maintains a list of the general purpose bulletin boards on Main Campus and East Campus and the persons responsible for maintaining the information on those boards. Flyers, posters, etc. that meet approved criteria need to be sent to the CVCC Security Office to be distributed to the persons responsible for maintaining the boards. 24 copies are needed to cover all bulletin boards.
CVCC policies permit posting of information related to college events, opportunities at the college, and non-profit/civic/charitable activities. Distribution of materials that promote for-profit commercial activities is not permitted.
CVCC students, faculty, and staff are permitted by policy to use these general purpose bulletin boards to advertise the sale of used personal items such as books. This information need not come to the Security Office prior to posting but will be monitored by those responsible for maintaining the bulletin boards.
6.2 Catawba Valley Community College Regulation Regarding Use of College Facilities
The first priority for reserving the campus facilities will be given to the College and College-sponsored activities.
- To the extent that space is available, CVCC welcomes community groups and organizations to use campus facilities. Scheduling will be done on a first-come, first-serve basis after curriculum and continuing education classes and student activities are scheduled.
- CVCC does not discriminate on the basis of race, sex, color, religious affiliation, age, or national origin. Approval to use College facilities is not an endorsement by CVCC of the user’s organization or group.
- CVCC reserves the right to deny usage to any group or organization if there is reason to believe that such use would interfere with normal operations of College activities or which, in the opinion of College administration, is not in keeping with the philosophy of CVCC.
- No fund-raising activity is allowed unless prior approval is provided by CVCC.
Procedures for Reserving Facilities
- Requests for usage must be submitted at least ten working days prior to the event.
- Each group, organization, or individual desiring to use the facilities must complete and submit an “Application for Use of College Facilities” prior to usage, along with proof of liability insurance by the user for the intended use of the facilities.
- Any special requests for equipment, conditions, or assistance necessary in connection with facilities usage should be submitted with the “Application for Use of College Facilities”.
- College facilities may be used only for the stated purpose on the “Application for Use of College Facilities”.
- The College reserves the right to change the assigned room or cancel a reservation if an emergency or urgent need justifies such a change. Every effort will be made to suitably accommodate the affected group should such a situation arise.
- A reservation agreement with a user may not be transferred or assigned to any other person or agency without the consent of CVCC.
- To request the use of the CVCC Multipurpose Complex, contact the Director of the Multipurpose Complex directly.
- A deposit may be required for the approved event.
- If a deposit is required, the deposit will be applied toward the total charges incurred by the user.
- Payment is due upon receipt of the invoice mailed to the applicant from the CVCC Business Office.
- If an individual, group, or organization cancels a reservation, this must be done at least 72 hours prior to the requested facilities usage.
- Cancelation fees may be assessed if cancelations are received after the 72 hour deadline.
- Smoking is not permitted on Campus property.
- The possession and/or consumption of alcoholic beverages or controlled substances in the buildings or grounds of CVCC are prohibited.
- Gambling is prohibited.
- The possession of weapons is prohibited.
- Food and drinks in the Auditorium and laboratories where safety issues are of concern are prohibited.
- Food and drinks in the arena of the Multipurpose Complex are not permitted unless approved by the Director of the Multipurpose Complex.
- Special events that require the serving of food and beverages in classrooms and other approved areas are allowable. Trash must be disposed of by securing trash bags and depositing them in the dumpster (or nearest trash receptacle) by those responsible for the event, unless prior arrangements have been made with maintenance.
- Any person using profanity, participating in physical violence, or under the influence of alcoholic beverages or illegal drugs while on the College’s premises shall be removed by proper authority.
- Any activity that violates federal or North Carolina laws is prohibited.
Care of Facilities
- In the event damage to College property is incurred as a result of the use of the facility by any group, the using group shall be assessed an amount which shall cover the damage and related costs.
- The user is prohibited from using tape, nails, tacks, or screws to attach items to floors, walls, ceilings, desks, or other College property.
- The user shall not paint, wallpaper, mark, or deface any College property.
- Furniture should not be removed from rooms without prior permission. If the existing arrangement of furniture in rooms is altered, the user shall return the room to the original arrangement.
- The user shall leave the premises in a clean, neat, and orderly manner.
- The user must specify at the time of application for facility usage if use of College equipment is needed.
- The user shall be assessed a charge (in addition to the rental fee) for use of College equipment.
Supervision of Event
- Each group or organization shall designate a person or persons to be held responsible for the supervision of the activity including the maintenance of order and the safety of the people present. The using group obligates itself to maintain order and decorum.
- All youth groups, 21 years of age or under, must have an adequate number of approved chaperones. The individual who signs the Application Form assumes responsibility for conduct and damages.
- CVCC will require a minimum of one employee to be on duty when a facility is used at times other than regular operation hours. However, the employee is not responsible for the supervision of the activity. Any group or organization using the facilities at times other than during normal operational hours shall pay, in addition to other application fees, a charge of $30.00 per hour for administrative supervision of the facility.
- The College retains the right to determine the appropriate number of staff necessary to properly manage the activity/event. If additional staff are required to manage the activity, the user shall pay, in addition to other applicable fees, the costs for the additional staff up to $30.00 per hour per staff member.
- CVCC will be responsible for determining the number, selection, supervision, and compensation of security officers for each activity/event. Groups or individuals will not be allowed to employ or bring their own security personnel to the campuses unless approved by the Director of Campus Safety and Security. Exception: Each public or private school may bring its School Resource Officer (SRO) to school sponsored events. CVCC will not compensate the SRO for the time he/she spends at the event.
- CVCC security officers will enforce all law enforcement policies and regulations. This includes but is not limited to using or selling drugs including alcohol, possession of guns without an appropriate permit, stealing, and parking and traffic regulations. When an event sponsor or CVCC staff notifies a security officer of alleged illegal activities, sponsoring groups/individuals must describe the alleged crime and identify the alleged person(s) or provide a detailed description of the alleged person(s).
- Event sponsors will be responsible for defining, communicating, monitoring, and enforcing acceptable behavior of attendees. Sponsoring groups/individuals should contact security officers when attendees become defiant by refusing to adhere to acceptable behavior. Sponsoring groups/individuals must describe the alleged behavior and identify the alleged person(s) or provide a detailed description of the alleged person(s).
- CVCC’s security officers will provide additional handicapped spaces or special parking when requested a minimum of twenty-four (24) hours prior to the event.
- CVCC security officers will direct traffic on the College’s campuses as needed. The Hickory/Newton/Taylorsville Police Departments and/or the Catawba County/Alexander County Sheriff’s Departments are responsible for directing traffic entering and exiting the campuses as needed.
- CVCC security officers will not be responsible for collecting tickets and/or money at events where tickets and/or money are required for admittance. Event sponsors will be responsible for collecting tickets and/or money. If individuals become defiant, security officers must be notified immediately by event sponsors, the alleged behavior described, and the alleged person(s) identified or a detailed description provided of the alleged person(s).
- All concessions and sales on the CVCC campus must be approved by the administration as part of the application for facilities usage. In most cases involving concessions, CVCC will arrange such service and shall retain all profit.
- The College reserves the right to prohibit and/or limit the consumption of food or drink in specific areas. The user group must have prior approval from the College before providing food/drink for participants. Any damages as a result of drinking and eating will be charged to the user group.
- No college-owned kitchen equipment shall be used by the user group without prior approval of the College.
- The user shall not advertise the activity/event as being held at CVCC until the contracts involving all parties have been executed or the appropriate College officials have approved the activity.
- Political candidates or political parties receiving approval to use the College facilities must declare the College non-partisan in any advertising in which the College’s name appears.
- The user should reserve the facilities for the purpose of setup/rehearsal at the same time that the facility is reserved for the event/activity.
- Rehearsal and setup hours will count toward the total hours used for a program or event.
- Vehicles are to park only in marked parking spaces. Vehicles not correctly parked are subject to ticketing and towing. The user is responsible for informing participants of parking regulations.
- A certificate of insurance verifying coverage in case of injury or other damage must be provided in advance of the use of the Multipurpose Complex, soccer or softball fields.
- For other facilities, the College may require proof of liability insurance by the user based on the risks involved for the intended use of the facilities.
- The minimum insurance coverage by the user should be one million dollars.
- In renting or making available for use of any College property, neither the College President, the Board of Trustees, nor any College personnel shall assume responsibility for loss or damage to any property placed on the premises by the user or participants, nor for personal injury which may occur during the use of the facility.
- Authorization shall be given for entrance to specific areas only and use of the specific facilities only, within a building.
- Misuse of College facilities or violations of the regulations for facility usage shall result in prohibition from any future use of College facilities by that group, organization, or individual.
- Additional requirements for rental of facilities for various events may be necessary. These requirements shall be included as an attachment to the Application for Use of College Facilities form.
- The University of North Carolina General Administration in coordination with the North Carolina Community College System has developed a fee schedule for use of community college facilities for credit and non-credit courses. Please use the Public and Private Colleges & Universities Reservation Form.
- All fees obtained for rental of facilities are used to support the mission of Catawba Valley Community College.
An organization, group, or individual wishing to appeal a decision of the administration regarding facility usage or damage assessment may do so in writing to the Office of Business Affairs.
Procedures for Obtaining Authorization to Use CVCC Facilities for Non-Commercial Expression Activities ("Expression Activities")
These procedures have been established in accordance with the CVCC Policy titled Free Speech, Public Assembly, and Distribution/Petitioning.
Authorization for Expression Activities must be obtained from the Chief of Staff (the office of Safety/Security). The Chief of Staff shall document such authorization on a Non-Commercial Expression Activities Authorization Form (“Form”) and provide such Form to person(s) authorized. Persons engaging in Expression Activities must have such Form available for verification upon request by CVCC Officials or law enforcement officers.
A written request for authorization must be received by the Vice President sufficiently in advance of the requested activities to permit appropriate planning on the part of CVCC. Such planning at a minimum would include an assessment of the impact on normal CVCC operations and previously scheduled activities, the need for additional security, and the availability of locations requested for the expression activities. The length of time required for such planning by CVCC will vary depending on the complexity of the expression activities requested, the number of persons involved, the number of locations involved, and the potential for such activities to create a disruptive and/or dangerous environment. Such request must include the following information:
- Date(s) and times for Expression Activities
- Person or persons to be engaging in Expression Activities
- A brief description of the subject matter of the intended expression, for the sole purpose of identifying any parties who request an authorization for use of the CVCC facilities for dissenting Expression Activities and appropriately planning for any potential interaction among multiple groups engaged in Expression Activities, and a statement that the Expression Activities are not intended to include any commercial expression or any expression constituting obscenity, defamation, fighting words, or incitements to violence or other lawless action which are reasonably likely to produce such lawless action imminently, which the Supreme Court has held constitute content which can be proscribed.
- A statement agreeing to comply with the CVCC Policy titled Free Speech, Public Assembly, and Distribution/Petitioning (Policy 4.4)
The President has established the following restrictions regarding Expression Activities.
- Expression Activities may only be conducted in locations that will not disrupt the normal operations of CVCC or activities previously scheduled by CVCC.
- Expression Activities may not be conducted at times when CVCC is closed. These closed times at a minimum would normally include 10:00 PM to 7:00 AM Monday through Saturday, all day on Sundays, and days identified in the CVCC institutional calendar as institutional holidays.
If in CVCC’s planning for requested expression activities it is determined that additional security or other resources will be needed, then authorization may be contingent upon those requesting agreeing to bear the costs incurred for those additional resources.
6.4 Catawba Valley Community College Payment Card Industry (PCI) Procedure
Business Office: Only designated Business Office employees are authorized to process payment card transactions. All other personnel who wish to process payment card transactions require the approval of the Senior Vice President of Finance and Operations, or their appointed designee. Such persons are required to have adequate training in policy, processes, and internal control.
Other College Personnel: Any department outside of the Business Office processing payment card transactions must designate an individual within the department who will have primary authority and responsibility within the department for all payment card transactions.
Authorization Process: Submit an IS Help Desk ticket. After review, the request will be sent from IS to the Business Office. After that review, the Business Office will communicate the approval or denial, and the next steps required, to the person or department.
Standards for Business Processes: All personnel must comply with these standards, based on PCI-DSS, regardless of what method (swipe terminal, online/telephone processing, paper acceptance, etc.) is used for processing payment cards.
- Keep storage of cardholder data to an absolute minimum. This means that only the information necessary for processing a single transaction may be retained and, once processed, it must be destroyed so that it is unrecoverable.
- Do not record, store, or collect sensitive payment card data in any fashion:
  - Full contents from a magnetic stripe
  - Primary account number (PAN) showing more than the last four digits
  - Card security code (CAV2/CVC2/CVV2/CID)
  - Personal Identification Number (PIN)
- Physically collect cardholder data only when absolutely necessary, and record that information where it may be easily removed and destroyed once processed.
- Destroy cardholder data properly. Cardholder data must be disposed of in a manner that renders all data unrecoverable by any known means. This includes paper documents and electronic media (computers, hard drives, magnetic tapes, USB storage devices, payment card terminal hardware devices, recorded voice transcripts, etc.). Cross-shred, incinerate, or pulp paper documentation immediately after processing so that cardholder data cannot be reconstructed. Paper documentation may also be disposed of using one of the college’s contracted secure disposal services. Disposal or repurposing of all electronic media should be done in compliance with college policy or current industry standards.
- Limit access of cardholder data only to those with a business need. Physically restrict payment card processing areas to those individuals with authority to access such areas. Maintain a list of those with access to payment card data. Assign access privileges based on job classifications and responsibilities. Separate duties to ensure proper internal controls.
- Review at least annually all data access controls and make changes as appropriate.
Reporting a Breach: In the event of a breach or suspected breach of payment card data, personnel must immediately notify the Senior Vice President of Finance and Operations, or their appointed designee, and follow the instructions below:
- Document every action you take from the point of suspected breach forward, preserving any logs or electronic evidence available. Include in the documentation the date and time, action taken, location, person performing action, person performing documentation, and all personnel involved.
- Contact Information Technology (ITS) for proper direction of preservation of electronic data.
- Notify the Business Office and the Dean/Director/Department Head of the unit experiencing the breach. Do not communicate with anyone outside the college about any details or generalities surrounding any suspected or actual incident. The Senior Vice President of Finance and Operations will coordinate all communications with law enforcement.
- Prevent any further access to or alteration of the compromised system. Disconnect from the network and wait for further instruction from ITS.
- If a suspected or confirmed intrusion/breach of a system has occurred, the Senior Vice President of Finance and Operations, along with the PCI Compliance Committee, will alert the merchant bank, credit card processor, and other respective authorities as required.
Non-Compliance: Non-compliance with PCI DSS regulations may have severe financial and legal consequences to the College. It is the duty of all college personnel to report any non-compliance immediately to the President, Senior Vice President of Finance and Operations, or College Compliance Officer. It is their duty to then report and respond to non-compliance situations.
Catawba Valley Community College Payment Card Industry (PCI) Compliance Committee
Payment Card Industry Data Security Standards (PCI-DSS) are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. These standards are a set of mandated requirements agreed upon by the five major payment card companies: VISA, MasterCard, Discover, American Express, and JCB. The standards include requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.
The standards are intended to assist organizations in protecting customer account data. All College departments and information systems used in the processing of payment card transactions must be PCI-DSS compliant and must follow the College’s PCI Compliance Policy and Procedure.
The PCI Data Security Standards (PCI-DSS) apply to all entities that store, process, and/or transmit cardholder data. In the event of a data compromise, the College may incur large fines and/or be subject to a forensic examination. If a security breach occurs, the College is required to notify all customers whose data was compromised. In the event of a breach, the College may suspend payment card transaction processing until required remediation is met.
It is the duty of the College’s PCI Compliance Committee to ensure the college complies with PCI-DSS standards.
The PCI Compliance Committee is a committee comprised of representatives from Operations, Business Office, Information Services, Information Technology, and the College’s Compliance Officer.
The Committee will perform the following functions:
- Annually review PCI-DSS standards and implement necessary updates
- Establish requirements for payment card processing to ensure PCI-DSS compliance
- Review payment card processing procedures to ensure PCI-DSS compliance
- Monitor, support, and follow-up to ensure all corrective actions are applied in cases of non-compliance
- Provide advice to senior administration on the commerce policy, process, vendors, dissemination of commerce information, and e-commerce matters in general
- Assist with implementing changes to PCI-DSS and reduce the scope of items that will need to be compliant
- Evaluate and monitor vendor relationships for testing and accreditation
- Review the college’s PCI-DSS Compliance Policy at least annually
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software and programs
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain a PCI Compliance Policy
- Maintain a policy that addresses information security for all personnel