Policy Manual

Imaging, Secure Document Procedure


Document imaging has become a necessary tool to satisfy the need to archive extremely large amounts of paperwork that the University is required to maintain.  As protected information is digitized, it becomes necessary to protect it in a manner different than one would protect a tangible paper document.  Digital documents must be protected not only at their final storage facility, but at the time of digitization, and during transmission as well.  Likewise the controls necessary to protect the electronic documents in their final location are vastly different than those used to protect a filing cabinet, a safe, or a warehouse.

This procedure outlines the measures necessary to help ensure the prudent protection of digital documents and specifically applies to the Banner Document Management System (BDMS) (aka. Xtender) suite of applications including, but not limited to:  Document Manager, Image Capture, and WebXtender (https://bdms.gcsu.edu).  This procedure address the controls necessary to secure to a reasonable measure the data store or file servers used with the Legato applications as well.

System Access

Ensuring both the functionality of the Legato product and the security of the information housed on BDMS/Xtender data stores, it is imperative that:

  • File server direct access shall be for the purpose of system administration.
  • Access will be authenticated via. individual username and password.  User names and passwords are created by IT administrators only after authorization has been received, and only to those data stores approved (by the data owner).


Access to BDMS/Xtender systems or functions shall be with supervisor authorization and database owner approval.  Access requests must be submitted in writing by the supervisor on behalf of the employee.  Requests shall be submitted to the GC Information Security Officer on an Xtender Access Request form.  The GC ISO approval shall only be granted provided that there is a documented and proven need for the named employee to be granted access to the Legato systems.  Access may be restricted to specific functions by the CIO or supervisor depending upon the needs of the employee to effectively do their job.

Database Owner Responsibilities

  • Monitoring the Legato systems to ensure that they are used appropriately.  
  • Notifying the Division of Information Technology if access to Legato is no longer needed.
  • Reporting to the CIO unusual activity or behavior of the Legato systems.
  • Providing appropriate training to employees based upon their job function.

Legato Access Request Form

Please obtain the Access Request Form from the CIO or the ISO.