Franklin & Marshall College

Access Control Policy

Scope

The scope of this security policy includes all information assets owned, operated, or maintained by F&M, whether the information is on electronic media, printed as hardcopy, or transmitted over public/private networks. At their discretion, the College Information Technology Committee reserves the right to modify this policy at any point in time. Information security requires the participation and support from all members of the F&M community with access to information assets. It is the responsibility of every member of the F&M community to help ensure that all information assets are kept secure and available.

Audience

This policy applies to all members of the F&M community, which includes, but is not limited to employees, students, visitors, volunteers, third parties, contractors, consultants, clients, temporaries, and others (collectively known as "users"), who have access to, support, administer, manage, or maintain F&M information assets.

Policy Maintenance

The F&M Committee on Administrative Computing and the Committee on Academic Technology will review this policy on an annual basis. All revisions will be presented to the Chief Information Officer (CIO) for approval.

Policy Statement

F&M's information assets are essential to its success. Therefore, access to all information assets will be granted in a controlled manner based on need to know and subject to the approval of the designated information asset owner. Users will be explicitly granted access to information assets; there is no implicit right of access. Controls must be developed, implemented, monitored and maintained to create user accountability and to prevent any compromise of the confidentiality, availability, and integrity of information assets.

Acceptable Use Agreement

Users must sign an Acceptable Use Agreement prior to being granted access to F&M information assets.

Account Creation

Upon employment and/or admission to the College, an F&M user account is created for everyone. Typically this account includes access to F&M email, eDisk and InsideF&M. Access to other F&M information assets is granted as per the policies outlined below.

Requirements for Access

Users must obtain permission from the designated information asset owner and demonstrate a justifiable case to access data. Authorization must be documented and authorization forms must be retained for historical purposes. Information asset owners will grant access on a need to know basis, as required by job functions. Access requestors must not approve their own access. Applicable legislation and/or regulatory restrictions must be considered when granting access to information assets.

Background Checks

Before receiving access to information assets, members of the Professional Staff must undergo background checks performed by Human Resources (HR). Background checks may include criminal checks and verification of employment records. At the discretion of Human Resources, certain F&M positions may require more or less extensive background checks. Credentials for members of the Faculty are reviewed as per normal hiring procedures as outlined by the Office of the Provost and the Academic Departments.

Role Based Access

User access should be established based upon job description, duties, or function. The use of roles provides consistent and efficient administration of access rights. Information asset owners must understand the security controls and privileges for the systems they are responsible for in order to make and recommend appropriate controls.

User Role Changes

Users who change roles or transfer to other areas of the college should immediately be given the access required for the new role. Access that is no longer required for the new role should be removed or disabled immediately.

User Responsibility

When access is granted, users are responsible for all system activity under their unique account. Users have the responsibility to protect their account by creating and maintaining passwords compliant with the Password Policy. In addition, users are responsible for maintaining the confidentiality of their unique ID and password by not sharing it with any other party.

Review of Access Privileges

Designated information asset owners should re-evaluate the privileges granted to F&M users annually to ascertain that the access is still commensurate with the user's job responsibilities. User accounts found to be invalid should be disabled and investigated by the IT Security Analyst.

Non-employee user accounts and access privileges, including visitors, volunteers, third parties, contractors, consultants, clients, and temporaries, should be re-evaluated every six months. User accounts found to be invalid should be disabled and investigated by the IT Security Analyst.

Temporary Access Control Privileges

If privileged access must be temporarily granted to a user, the privilege should be removed at a pre-set expiration time. The appropriate information asset owner needs to approve all temporary access in writing.

Terminated Users

User accounts of terminated or resigned users should be disabled on all information systems immediately upon notification from Human Resources (HR). Every week, HR should send a summary email notification of all new departures to all relevant system administration teams. At the discretion of HR, some terminated or resigned users with extensive access to sensitive and/or confidential data will require written verification of the steps taken to disable access to information systems.
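The four operational controls above (annual and six-monthly re-evaluation of access, expiry of temporary privileges, removal of privileges left over from a role change, and disabling of accounts on HR's departure list) can be checked mechanically against an account inventory. The following is an added example of such a recertification check; it is not F&M tooling and is not part of the original policy. The account fields, the role matrix, the departure list and the sample records are all constructed for illustration, and the review intervals are taken from the policy text.

```python
"""Access-recertification check modelled on the review, temporary-access and
termination clauses of the policy above.  Added example, not F&M tooling: the
account fields, the role matrix and all sample records are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Review intervals stated in the policy: annual for employees, six months for
# non-employee users (visitors, contractors, consultants, temporaries, ...).
REVIEW_INTERVAL = {"employee": timedelta(days=365),
                   "non-employee": timedelta(days=182)}

# Hypothetical role matrix: the privileges each role is entitled to.
ROLE_PRIVILEGES = {
    "registrar_clerk":   {"email", "edisk", "sis_read"},
    "registrar_manager": {"email", "edisk", "sis_read", "sis_write"},
    "contractor_web":    {"email", "cms_edit"},
}


@dataclass
class TemporaryGrant:
    privilege: str
    expires: date        # the pre-set expiration time approved in writing
    approver: str        # designated information asset owner


@dataclass
class Account:
    user: str
    kind: str            # "employee" or "non-employee"
    role: str
    privileges: set
    last_review: date    # last re-evaluation by the information asset owner
    enabled: bool = True
    temporary: list = field(default_factory=list)


def expired_temporary_grants(accounts, today):
    """Temporary privileges past their expiry date that the user still holds."""
    return [(a.user, g.privilege) for a in accounts for g in a.temporary
            if today > g.expires and g.privilege in a.privileges]


def overdue_reviews(accounts, today):
    """Enabled accounts whose last re-evaluation is older than the policy interval."""
    return [a.user for a in accounts
            if a.enabled and today - a.last_review > REVIEW_INTERVAL[a.kind]]


def terminated_still_enabled(accounts, hr_departures):
    """Users on HR's weekly departure list whose account has not been disabled."""
    departed = set(hr_departures)
    return [a.user for a in accounts if a.enabled and a.user in departed]


def excess_privileges(accounts, today):
    """Privileges beyond the role (e.g. left over from a role change).
    Unexpired temporary grants are allowed; expired ones count as excess."""
    findings = {}
    for a in accounts:
        allowed = set(ROLE_PRIVILEGES.get(a.role, set()))
        allowed |= {g.privilege for g in a.temporary if g.expires >= today}
        extra = a.privileges - allowed
        if extra:
            findings[a.user] = sorted(extra)
    return findings


def run_access_review(accounts, hr_departures, today):
    """Produce the findings an asset owner or the security analyst would act on."""
    return {
        "expired_temporary": expired_temporary_grants(accounts, today),
        "overdue_review": overdue_reviews(accounts, today),
        "terminated_enabled": terminated_still_enabled(accounts, hr_departures),
        "excess_privileges": excess_privileges(accounts, today),
    }


# Constructed sample inventory and HR departure list (not real F&M data).
TODAY = date(2013, 7, 9)
HR_DEPARTURES = ["dave"]
SAMPLE_ACCOUNTS = [
    # temporary sis_write grant expired on 30 June but was never removed
    Account("alice", "employee", "registrar_clerk",
            {"email", "edisk", "sis_read", "sis_write"}, date(2013, 1, 15),
            temporary=[TemporaryGrant("sis_write", date(2013, 6, 30), "registrar")]),
    # employee not re-evaluated for more than a year
    Account("bob", "employee", "registrar_manager",
            {"email", "edisk", "sis_read", "sis_write"}, date(2012, 5, 1)),
    # contractor not re-evaluated for more than six months
    Account("carol", "non-employee", "contractor_web",
            {"email", "cms_edit"}, date(2012, 12, 1)),
    # on HR's departure list but still enabled
    Account("dave", "employee", "registrar_clerk",
            {"email", "edisk", "sis_read"}, date(2013, 3, 1)),
]

if __name__ == "__main__":
    for finding, items in run_access_review(SAMPLE_ACCOUNTS, HR_DEPARTURES, TODAY).items():
        print(f"{finding}: {items}")
```

Each finding maps to an action the policy already names: expired temporary grants and excess privileges go back to the information asset owner for removal, overdue reviews are a re-evaluation request to that owner, and a terminated user who is still enabled is disabled immediately and, where HR requires it, the disabling steps are documented in writing.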

Unauthorized Testing of Information Assets

F&M users with full-time responsibility for information security and Internal Audit are chartered by F&M Management to perform information security tests to ensure the College is adequately protecting information assets. All other users must not test, or attempt to compromise, internal controls unless specifically approved in advance and in writing by the Chief Information Officer (CIO).

Users must not exploit vulnerabilities or deficiencies in information systems security. Users must not attempt to access assets beyond those they have been authorized to obtain or modify other users' level of access, unless specifically approved in advance and in writing by the CIO. Vulnerabilities found by users must be promptly reported to the Information Security Analyst.

Modification and Testing of Production Data

System privileges allowing the modification of F&M production information must be restricted to production applications. Privileges should be established such that users are not able to modify production data in an unrestricted manner. Users may only modify production data in predefined ways that preserve or enhance its integrity. Users must be permitted to modify production data only when employing a controlled process approved by Management.


Last Update: 9 July 2013