arrow_circle_left Back to All Policies

Access Control Policy and Procedure

JSCC Policy Number: 1.08.03.00

TBR Policy Reference: 1:08:03:00

TBR Guideline Reference: Not Applicable

Approved By: President's Cabinet

Original Date Effective: 2015-02-02

Last Modified: 2023-07-10

Responsible Office: Office of Information Technology

Purpose

The purpose of this guideline is to establish a minimum expectation with respect to access controls in order to protect data stored on computer systems throughout the system.

Definitions

Access request/change form – form that must be completed to acquire access or change security on a Banner INB account. This form can be found on jWeb.

Active Directory Accounts (AD) – accounts that provide access to technology (computers, network, portal system, etc.) on the JSCC and off campus centers.

 Authentication – A process that allows a device or system to verify the unique identity of a person, device or other system that is requesting access to a resource.

Digital identity – Information on an entity used by computer systems to represent an external agent. That agent may be a person, organization, application, or device. Also referred to as a user account or user profile.

Admin Pages in Banner 9 – accounts that provide more access to the ERP system (Human Resources, Student, Finance, Financial Aid, and Advancement), not Self-Service Banner (SSB). Security access to INB/Admin Pages must be requested.

Privileged account – An account with elevated access or privileges to a secure system or resource. This type of account is authorized and trusted to perform security relevant functions that an ordinary user account is not authorized to perform. Privileged accounts are assigned to individual users.

Self Service Banner (SSB) – security access to SSB is given to a user by their role (employee, student, faculty advisor, etc.) at the institution.

System account – A special account used for automated processes without user interaction or for device management. These accounts are not assigned to an individual user for login purposes.

Policy 

    1. JSCC shall control user access to information assets based on requirements of individual accountability, need to know, and least privilege.
    2. Access to institutional information assets must be authorized and managed securely in compliance with appropriate industry practice and with numerous applicable legal and regulatory requirements (e.g., the Health Insurance Portability and Accountability Act, Family Educational Rights and Privacy Act, the Open Records Act of Tennessee, Gramm Leach Bliley Act, and identity theft laws).
    3. Institutional information assets include data, hardware and software technologies, and the infrastructure used to process, transmit, and store information.
      1. Any computer, laptop, printer or device that an authorized user connects to the campus network is subject to this policy.
      2. Guest, unauthenticated access may be provisioned commensurate with usage and risk.
      3. Authorized users accessing institutional computing resources and network with their own personal equipment are responsible for ensuring the security and integrity of the systems they are using to establish access.
      4. For systems that contain critical or confidential classified data, JSCC shall use secure methods that uniquely identify and authenticate users. Such methods can include multi-factor authentication, passwords, data loss prevention, device management, biometrics and public/private pairs.

Access Controls

    1.  Access to information assets must be restricted to authorized users and must be protected by appropriate physical, administrative, and logical authentication and authorization controls.
    2. Protection for information assets must be commensurate with the classification level assigned to the information.
    3. Each computer system shall have an automated access control process that identifies and authenticates users and then permits access based on defined requirements or permissions for the user or user type.
    4. All users of secure systems must be accurately identified, a positive identification must be maintained throughout the login session, and actions must be linked to specific users.
    5. Access control mechanisms may include user IDs, access control lists, constrained user interfaces, encryption, port protection devices, secure gateways/firewalls, and host-based authentication.

User Identification, Authentication, and Accountability

    1.  User IDs:
      1. The access control process must identify each user through a unique user identifier (user ID) account.
      2. User IDs are assigned by the JSCC office of information technology and application support personnel.
      3. Users must provide government-issued, picture IDs for positive proof of identity when receiving account access.
      4. Users must provide their user ID at logon to a computer system, application, or network.
    2. Individual Accountability:
      1. Individual accountability must be maintained.
      2. Each user ID must be associated with an individual person who is responsible for its use.
      3. Individuals with authenticated access cannot share their login credentials with anyone with the penalty of having their access rescinded immediately.
    3. Authentication:
      1. Auhentication is the means of ensuring the validity of the user identification.
      2. All user access must be authenticated.
        1. The minimum means of authentication is a personal secret password that the user must provide with each system and/or application logon.
        2. All passwords used to access information assets must conform to certain requirements relating to password composition, length, expiration, and confidentiality.

Access Privileges

    1. Each user’s access privileges shall be authorized on a need-to-know basis as dictated by the user’s specific and authorized role.
    2. Authorized access will be based on least privilege.
      1. This means that only the minimum privileges required to fulfill the user’s role shall be permitted.
      2. Access privileges shall be defined so as to maintain appropriate segregation of duties to reduce the risk of misuse of information assets.
      3. Any access that is granted to data must be authorized by the appropriate data trustee.
    3. Access privileges should be controlled based on the following criteria, as appropriate:
      1. Identity (user ID);
      2. Role or function;
      3. Physical or logical locations;
      4. Time of day/week/month;
      5. Transaction based access;
      6. Access modes such as read, write, execute, delete, create, and/or search.
    4. Privileged access (e.g., administrative accounts, root accounts) must be granted based strictly on role requirements.
      1. The number of personnel with special privileges should be carefully limited.

Access Account Management

  1.  User ID accounts must be established, managed, and terminated to maintain the necessary level of data protection.
  2. The following requirements apply to network logons as well as individual application and system logons, and should be implemented where technically and procedurally feasible:
      1. Account creation requests must specify access either explicitly or a role that has been mapped to the required access.
        1. New accounts created by mirroring existing user accounts must be audited against the explicit request or roles for appropriate access rights.
      2. Accounts must be locked out after five consecutive invalid logon attempts.
        1. When a user account is locked out, it should remain locked out for a minimum of five minutes or until authorized personnel unlocks the account.
      3. User interfaces must be locked after no more than sixty minutes of system/session idle time.
        1. This requirement applies to workstation and laptop sessions as well as application sessions where feasible.
        2. The office of information technology shall implement measures to enforce this requirement and to require the user to re-authenticate to reestablish the session.
      4. Systems housing or using restricted information must be configured in such a way that access to the restricted information is denied unless specific access is granted.
        1. Access to restricted information is never to be allowed by default.
      5. Information Technology personnel revoke access upon notification that access is no longer required in accordance with the following procedures.
        1. Access privileges of terminated or transferred users must be revoked or changed as soon as notification of termination or transfer occurs and in accordance with stakeholders of contract control at JSCC.
        2. In cases where an employee is not leaving on good terms, the user ID must be disabled simultaneously with departure.
        3. Access for users who are on leave of absence or extended disability must be suspended until the user returns.
        4. Adjunct faculty members are never granted access to Banner Admin Pages formerly referred to as (INB).
        5. Adjunct faculty member account access shall be controlled by a procedure using contract status, defined dates of employment and information from other stakeholders with contract control for adjunct faculty.
        6. Using the above-mentioned procedure, JSCCwill run this process on a campus-defined schedule according to academic calendars and direction from stakeholders with contract control for adjunct faculty. This process shall be determined by JSCC.
        7. Adjunct faculty members shall be granted limited access before and after their course start and end dates to perform the duties necessary for their position, upon request involving reasons for the extension and specific access.
      6. User IDs will be disabled after a period of inactivity that is determined appropriate by the current business process and JSCC administration.
      7. All third party access (contractors, business partners, consultants, vendors) must be authorized and monitored using processes determined by JSCC.
      8. Appropriate logging will be implemented commensurate with sensitivity/criticality of the data and resources.
        1. Logging of attempted access must include failed logons.
        2. Where practical, successful logons to systems with restricted information shall be logged.
        3. Logs should be monitored and regularly reviewed to identify security breaches or unauthorized activity.
        4. Logs should be maintained for at least ninety days.
      9. A periodic audit of secured systems to confirm that access privileges are appropriate must be conducted.
        1. The audit will consist of reviewing and validating that user access rights are still needed and are appropriate.
      10. Applications requiring an account not tied to a single user shall employ service-based accounts
        1. Users oversee these accounts and maintain their passwords.
        2. Applications requiring these accounts shall be monitored and audited by individual campus documented procedures dictated by the application for which they are provisioned.
        3. Service-based accounts, due to their application centric user, are not subject to standard user account management rules.

Compliance and Enforcement

  1.  The policy applies to all users of information resources including students, faculty, staff, temporary workers, vendors, and any other authorized users who are permitted access.
  2. Persons in violation of this policy are subject to a range of sanctions (determined and enforced by institution management), including the loss of computer network access privileges, disciplinary action, dismissal from the institution, and legal action.
  3. Some violations may constitute criminal offenses, per Tennessee and other local, and federal laws. The institution will carry out its responsibility to report such violations to the appropriate authorities.

Exceptions

  1.  Documented exceptions to this policy may be granted by the information security officer for the institution based on limitations to risk and use.

PROCEDURES

 Digital Identity and Authentication Management

Password (and Passphrase) Construction

    1. The effectiveness of passwords to protect access to the institution’s information directly depends on strong password construction and handling practices. All users must construct strong passwords for access to all institution networks and systems, using the following criteria (unless the technology does not support these requirements):
    2. For all directions concerning password lengths, password change schedules and the use of passphrases rather than passwords, JSCC will follow NIST standards.
    3. Passwords must be a minimum of 8 characters in length.
    4. Passwords must be composed of a combination of at least three of the following four types of characters:

               (1).  Upper case alphabetic character;

    (2). Lower case alphabetic character;

    (3).  Numeric character;

    (4).  Non-alphanumeric character (if the application permits), OR:

    (5).  Passphrases may be used instead of passwords and must be composed of a minimum of 14 characters. Passphrases do not require the complexity rules mentioned immediately               above.

Password Management

    1. The following requirement apply to end-user password management.
      1. Storage and Visibility
        1. Passwords must not be stored in a manner which allow unauthorized access.
        2. Passwords will not be stored in a clear text file.
        3. Passwords will not be sent via unencrypted e-mail.
      2. Changing Passwords
        1. If 14-character minimum pass phrases are used, there is no requirement for routine password expiration /rotation. Otherwise, users with non-privileged accounts must change their passwords ever 90 days. Student accounts are exempt from this requirement.
        2. Users with privileged accounts (such as those with root or administrator level access) must change their passwords at least every 90 days.
        3. Passwords must be changed with one business day if any of the following events occur:
          1.  Unauthorized password discovery or usage by another person;
          2. System compromise (unauthorized access to a system or account);
          3. Insecure transmission of a password;
          4. Accidental disclosure of a password to an unauthorized person;
          5. Status changes for personnel with access to privileged and/or system accounts.
    2. The following requirements apply to password files and hashes.
      1. Password files or hashes should not be shared with any entity without formal written consent.
    3. The following requirements apply to system accounts.
      1. System Accounts are not required to expire but must meet the password construction requirements above (where support by underlying technologies).
      2. Vendor-provided passwords must be changed upon installation using the password construction requirements above (where supported by the underlying technologies).

Compliance and Enforcement

    1. The policy applies to all users of information resources including students, faculty, staff, temporary workers, vendors, and any other authorized users.
    2. Persons in violations of this policy are subject to a range of sanctions determined and enforced by Jackson State Community College.
    3. Justification for exceptions to this policy must be documented by the institution and must be approve by the institution’s President or designee.

Account Management Procedures

Creation of Accounts

Most active directory accounts are created automatically when a user becomes a student or employee. Employee accounts are created when HR enters the employee into the Banner system on the PEAEMPL form with a job code and start date. Student accounts are created when an applicant has been accepted as a student of JSCC. Occasionally AD accounts have to be manually created for individuals that need to use technology resources on campus but are not an employee or student. Request for accounts created manually can be requested via the Information Technology work order system.

Banner INB/Admin pages accounts are created when an access request/change form has been completed and signed by the appropriate personnel including the data security officer responsible for the requested data.

 Modification of Banner Access

Security on Banner Accounts may need to be changed on a periodic basis especially if an employee changes positions or job duties. Many times, changes that occur during regular updates require that additional privileges be granted to a user. To modify or change security access on a user account that directly accesses Banner INB/Admin page, an access request/change form must be completed and signed by appropriate personnel including the data security officer responsible for the requested data access.

 Deletion of Accounts

Employee’s Active Directory accounts are disabled on the user’s last day on campus based on notification from Human Resources or as soon as Information Technology is notified by Human Resources that the user is no longer employed by JSCC.

Student AD accounts are disabled after 3 semesters of inactivity.

Banner INB accounts are expired and locked on the user’s last day on campus based on notification from Human Resources or as soon as Information Technology is notified by Human Resources that the user is no longer employed by JSCC.

Banner INB accounts are also locked when a user has not logged into the system within 120 days. When this happens, the user must contact Information Technology to gain access. Locking and expiring the Banner INB account on an active user may lock SSB access. If this happens the user needs to contact Information Technology for assistance.