I. Justification and Statement of Policy
The scope of this security policy includes all information assets owned, operated, or maintained by F&M, whether the information is on electronic media, printed as hardcopy, or transmitted over public/private networks. At its discretion, the College Infrastructure Committee reserves the right to modify this policy at any point in time. Information security requires the participation and support of all members of the F&M community with access to information assets. It is the responsibility of every member of the F&M community to help ensure that all information assets are kept secure and available.
This policy applies to all members of the F&M community, which includes, but is not limited to, employees, students, visitors, volunteers, third parties, contractors, consultants, clients, temporaries, and others (collectively known as "users"), who have access to, support, administer, manage, or maintain F&M information assets.
F&M's information assets are essential to its success. Therefore, access to all information assets will be granted based on principles of least privilege and business need. Access to confidential data, as defined by the College’s data classification policy, must be requested and approved in writing from the appropriate data steward. Controls must be developed, implemented, monitored and maintained to create user accountability and to prevent any compromise of the confidentiality, availability, and integrity of information assets.
Acceptable Use Policy
Users must comply with the College's Acceptable Use Policy and may be asked to sign a written Acceptable Use Policy prior to being granted access to F&M information assets.
Upon employment and/or admission to the College, an F&M user account is created for each individual. Typically this account includes access to F&M email, core productivity suites, and the Inside F&M portal. Access to other F&M information assets is granted as per the policies outlined below.
Requirements for Access
Users must obtain permission from the appropriate data steward(s) and demonstrate a clear business need in order to be granted access to data. Authorization must be documented and this documentation retained for audit purposes. Information owners will grant access on a need to know basis, as determined by a clearly defined and stated business need. Access requestors may not approve their own access. Adherence to regulatory, legislative, or contractual obligations must be considered before approving access to any requested information asset.
Before receiving access to information assets, members of the Professional Staff must undergo background checks performed by Human Resources (HR). Background checks may include criminal checks and verification of employment records. At the discretion of Human Resources, certain F&M positions may require more or less extensive background checks. Credentials for members of the Faculty are reviewed as per normal hiring procedures as outlined by the Office of the Provost and the Academic Departments.
Role Based Access
User access shall be established based upon job description, duties, or function. The use of roles provides consistent and efficient administration of access rights. Data Stewards must understand the security controls and privileges for the systems they are responsible for in order to make and recommend appropriate controls.
User Role Changes
Users who change roles or transfer to other areas of the College shall be immediately given the access required for the new role following approval from the appropriate data steward(s). Access that is no longer required for the new role must be removed or disabled following a reasonable overlap and transition period of no more than thirty days.
When access is granted, users are responsible for all system activity conducted using their unique account. All users have the responsibility to protect their account by creating and maintaining passwords compliant with F&M’s Password Policy. In addition, users are responsible for maintaining the confidentiality of their unique ID and password by not sharing it with any other party or re-using their College password on any other sites or services.
Review of Access Privileges
Data Stewards shall re-evaluate the privileges granted to F&M users at least annually to ascertain whether or not access is still necessary based on current business needs and job responsibilities. User accounts or access rights found to be invalid, expired, no longer necessary based on lack of business need, or in violation of policy must be immediately disabled.
Non-employee user accounts and access privileges, including visitors, volunteers, third parties, contractors, consultants, clients, and temporaries, must include an expiration date before the account can be created and rights assigned. Accounts that are not manually renewed by way of a written request from the appropriate data steward(s) will be automatically disabled on the expiration date.
Temporary Access Control Privileges
If privileged access must be temporarily granted to a user, the privilege shall be removed at a pre-set expiration time. The appropriate data steward(s) must approve all temporary access in writing.
User accounts of terminated or resigned users shall be disabled from all information systems immediately upon notification from Human Resources (HR). Every week, HR shall send a summary email notification of all new departures to all relevant system administration teams. At the discretion of HR, some terminated or resigned users with extensive access to sensitive and/or confidential data will require written verification of the steps taken to disable access to information systems.
Faculty departing in good standing may retain access to their accounts, including any files to which they have been granted access, for 10 days after the end of their contract, upon request. Employees departing in good standing will have access to their accounts, systems, and files up through their last day of employment. Requests for archival download access can be made to ITS before these time periods elapse.
Any requests for information or access after these respective time periods will require approval from the Provost, Human Resources, and/or General Counsel.
An archive of the requested information will be provided in digital form.
If the digital archive is made available electronically through file sharing technology, the digital archive will be available for no longer than 30 days. Longer terms must be approved by the CIO.
It is the sole responsibility of the requestor to access the contents of the digital archive. The College is not responsible for problems with access, including, but not limited to, connectivity, compatibility, technical complications, etc.
Unauthorized Testing of Information Assets
F&M users with full-time responsibility for information security and/or internal audit are chartered by F&M senior staff to perform information security tests to ensure the College is adequately protecting information assets. All other users must not test, or attempt to compromise, internal controls unless specifically approved in advance and in writing by the Chief Information Officer (CIO) or Chief Information Security Officer (CISO).
Users who discover vulnerabilities, misconfigurations, or information security deficiencies in College systems must immediately report their findings to the CIO or CISO. Users must not attempt to access assets beyond those they have been authorized to access, or to modify other users' level of access, unless specifically approved in advance and in writing by the CIO or CISO.
Modification and Testing of Production Data
Accounts which possess the ability to change or delete mission-critical College data are highly restricted and carefully monitored. Technical and/or operational controls shall ensure that such accounts are not able to modify production data in an unrestricted and/or unmonitored fashion. Audit logs shall be configured to clearly indicate the date and time, location, account ID, and change made. Users shall only modify production data in predefined ways that preserve or enhance its integrity, availability, and confidentiality. Users shall be permitted to modify production data only when employing a controlled process approved by the Data Steward associated with the impacted data or systems.
V. Related Documents and Forms
Policy Maintained by: Information Technology Services, Vice President and Chief Information Officer
Original Effective Date:
Revision Dates: September 14, 2022