User Access to Data and Services Policy

This User Access to Data and Services Policy was previously known as the Access Control Policy.

Privileged Account Management Policy
________________________________________

Scope

The scope of this security policy includes all information assets owned, operated, or maintained by F&M, whether the information is on electronic media, printed as hardcopy, or transmitted over public/private networks. At its discretion, the College Information Technology Committee reserves the right to modify this policy at any point in time. Information security requires the participation and support of all members of the F&M community with access to information assets. It is the responsibility of every member of the F&M community to help ensure that all information assets are kept secure and available.

Audience

This policy applies to all members of the F&M community, which includes, but is not limited to, employees, students, visitors, volunteers, third parties, contractors, consultants, clients, temporaries, and others (collectively known as "users"), who have access to, support, administer, manage, or maintain F&M information assets.

Policy Maintenance

The F&M College Information Technology Committee will review this policy on an annual basis. All revisions will be presented to the Chief Information Officer (CIO) for approval.

Policy Statement

F&M's information assets are essential to its success. Therefore, access to all information assets will be granted based on principles of least privilege and business need. Access to confidential data, as defined by the College's data classification policy, must be requested and approved in writing from the appropriate data steward. Controls must be developed, implemented, monitored and maintained to create user accountability and to prevent any compromise of the confidentiality, availability, and integrity of information assets.

Acceptable Use Policy

Users must comply with the College's Acceptable Use Policy (link) and may be asked to sign a written Acceptable Use Policy prior to being granted access to F&M information assets.

Account Creation

Upon employment and/or admission to the College, an F&M user account is created for each individual. Typically this account includes access to F&M email, core productivity suites, and the Inside F&M portal. Access to other F&M information assets is granted as per the policies outlined below.

Requirements for Access

Users must obtain permission from the appropriate data steward(s) and demonstrate a clear business need in order to be granted access to data. Authorization must be documented and this documentation retained for audit purposes. Information owners will grant access on a need-to-know basis, as determined by a clearly defined and stated business need. Access requestors may not approve their own access. Adherence to regulatory, legislative, or contractual obligations must be considered before approving access to any requested information asset.

Background Checks

Before receiving access to information assets, members of the Professional Staff must undergo background checks performed by Human Resources (HR). Background checks may include criminal checks and verification of employment records. At the discretion of Human Resources, certain F&M positions may require more or less extensive background checks. Credentials for members of the Faculty are reviewed as per normal hiring procedures as outlined by the Office of the Provost and the Academic Departments.

Role Based Access

User access should be established based upon job description, duties, or function. The use of roles provides consistent and efficient administration of access rights. Data Stewards must understand the security controls and privileges for the systems they are responsible for in order to make and recommend appropriate controls.

User Role Changes

Users who change roles or transfer to other areas of the College should be immediately given the access required for the new role following approval from the appropriate data steward(s). Access that is no longer required for the new role must be removed or disabled following a reasonable overlap and transition period of no more than thirty days.

User Responsibility

When access is granted, users are responsible for all system activity conducted using their unique account. All users have the responsibility to protect their account by creating and maintaining passwords compliant with F&M's Password Policy (link). In addition, users are responsible for maintaining the confidentiality of their unique ID and password by not sharing it with any other party or re-using their College password on any other sites or services.

Review of Access Privileges

Data Stewards should re-evaluate the privileges granted to F&M users at least annually to ascertain whether or not access is still necessary based on current business needs and job responsibilities. User accounts or access rights found to be invalid, expired, no longer necessary based on lack of business need, or in violation of policy must be immediately disabled.

Non-employee user accounts and access privileges, including visitors, volunteers, third parties, contractors, consultants, clients, and temporaries, must include an expiration date before the account can be created and rights assigned. Accounts that are not manually renewed by way of a written request from the appropriate data steward(s) will be automatically disabled on the expiration date.

Temporary Access Control Privileges

If privileged access must be temporarily granted to a user, the privilege should be removed at a pre-set expiration time. The appropriate data steward(s) must approve all temporary access in writing.

Terminated Users

User accounts of terminated or resigned users should be disabled from all information systems immediately upon notification from Human Resources (HR). Every week, HR should send a summary email notification of all new departures to all relevant system administration teams. At the discretion of HR, some terminated or resigned users with extensive access to sensitive and/or confidential data will require written verification of the steps taken to disable access to information systems.

Unauthorized Testing of Information Assets

F&M users with full-time responsibility for information security and/or internal audit are chartered by F&M senior staff to perform information security tests to ensure the College is adequately protecting information assets. All other users must not test or attempt to compromise internal controls unless specifically approved in advance and in writing by the Chief Information Officer (CIO) or Chief Information Security Officer (CISO).

Users who discover vulnerabilities, misconfigurations, or information security deficiencies in College systems must immediately report their findings to the CIO or CISO. Users must not attempt to access assets beyond those they have been authorized to access, or to modify other users' level of access, unless specifically approved in advance and in writing by the CIO or CISO.

Modification and Testing of Production Data

Accounts which possess the ability to change or delete mission-critical College data must be highly restricted and carefully monitored. Technical and/or operational controls must be established to ensure that such accounts are not able to modify production data in an unrestricted and/or unmonitored fashion. Automatic audit mechanisms must be in place to ensure that an appropriately detailed and automated audit log is created which clearly indicates the date and time, location, change made, and account ID which made the change. Users may only modify production data in predefined ways that preserve or enhance its integrity, availability, and confidentiality. Users must be permitted to modify production data only when employing a controlled process approved by the Data Steward associated with the impacted data or systems.

--------
Policy Maintained by: Information Technology Services, Vice President and Chief Information Officer
Last Reviewed: 18 September 2017