Effective Date: 03/27/2024
Owner: PPAC
Team Members: PPAC
1.0 PURPOSE
1.1 The purpose of this policy is to establish procedures and guidelines for the administration of computing accounts that facilitate access to or on behalf of Baker College information resources.
2.0 SCOPE DETAIL
2.1 This policy is applicable to those responsible for the management of user accounts for access to shared information or network resources. Such information can be held within a database, application, or shared file space. This policy covers all account management including individual user accounts, service accounts, and shared accounts.
3.0 DEFINITIONS
AD
Active Directory, the directory structure that defines and grants access to Baker College resources.
Alumni
A student who has received a diploma or certificate from a Baker College program.
AUP
Acceptable Use Policy
EAS
The Enterprise Application Services team
ISS
The Infrastructure Security and Support team.
IT
Information Technology
ITSC
The Information Technology Solution Center team
Least Privilege
The principle of granting an account only those privileges that are essential to perform its intended function.
Non-Domain Accounts
Accounts that do not directly exist within Active Directory. These accounts are often local to various systems and/or services.
Position Code
Every employee is assigned one or more specific position codes that allow proper access to be granted, based on campus, department, division, etc.
SLA
Service Level Agreement defines the level of service expected by a customer from a supplier.
SME
Subject Matter Experts are the individuals responsible for documenting instructions and reviewing the compatibility of a resource with the College’s systems.
System Administrator
Administrator of all networking infrastructure, whether network hardware or servers.
TSS
The Technology Services and Support team.
UID
User Identity
4.0 GUIDELINES
4.1 Authentication
4.1.1 Authentication is critical because it is the process by which a system confirms that a person or device is who or what it claims to be, and through which access to the requested resource is authorized.
4.1.2 All information that Baker College deems protected is to be stored on servers that require user authentication.
4.1.3 Strong authentication protocols help both to protect personal and organizational information and to prevent misuse of organizational resources.
4.1.4 Authenticating to any Baker College system constitutes full acceptance of the terms and conditions of the Acceptable Use Policy.
4.2 Active Directory Accounts
4.2.1 Passwords
a.) Complexity
i.) The Baker College system will enforce password complexity requirements based on industry standards and to address security concerns.
b.) Faculty, staff, and vendor account passwords expire after 90 days.
c.) If there is reason to believe that any AD account has been compromised, an investigation will be conducted and mitigation will occur, as applicable.
4.2.2 Life cycle
a.) Baker College uses a formal account management process to create, manage, and remove user accounts.
b.) Accounts must be unique and cannot be recycled.
c.) A supervisor may request access to an individual’s electronic records once an account is terminated by contacting Human Resources.
d.) Current students and alumni who are also staff may receive a new account upon employment termination, based on what their role and permissions were.
4.2.3 Account Permissions
a.) When possible, permissions are applied via Position Codes or AD group membership using the principle of least privilege.
b.) Manually enabled permissions can be utilized where necessary.
c.) Accounts belonging to employees who transition to another department or role should be audited to ensure associated permissions are still relevant.
4.3 Non-AD Accounts
4.3.1 Passwords
a.) Default passwords are prohibited and should be changed upon device or service implementation.
b.) Passwords must be changed in accordance with respective procedures or triggering event(s) (e.g. staffing changes, security breach).
c.) Complexity
i.) When possible, Non-AD passwords should follow the AD password complexity requirements.
4.3.2 Life cycle
a.) Account life cycles must be SME-defined for all non-domain accounts.
b.) Accounts must be unique and cannot be recycled.
4.3.3 Account Permissions
a.) When possible, permissions are applied via Position Codes or AD group membership using the principle of least privilege.
b.) Manually enabled permissions can be utilized where necessary.
c.) Permissions are to be granted and maintained by an SME using the principle of least privilege.
d.) Accounts belonging to employees who transition to another department or role should be audited to ensure associated permissions are still relevant.
4.3.4 Temporary Account Access
a.) Temporary account access (pending approval when necessary) will be provided for the following:
i.) Wireless access
ii.) Computer access
iii.) Access to secure physical areas (card access)
5.0 RESPONSIBILITIES
5.1 IT
5.1.1 Responsible for ensuring IT systems, products, and services are used to support the institution while striving to achieve the IT SLAs.
5.2 Supervisors
5.2.1 Request account creation and access modifications for employees reporting directly to them.
5.3 SMEs
5.3.1 Manage accounts and permissions for the systems for which they are responsible.
5.3.2 Responsible for maintaining a process to audit and manage accounts and access for any given application.
5.4 Admissions
5.4.1 Verify the student’s information is accurate.
5.5 Human Resources
5.5.1 Verify faculty and staff information is accurate.
5.5.2 Assign and maintain applicable Position Codes.
5.6 ISS
5.6.1 Investigate any suspicion of an account being compromised.
5.6.2 After an account has been identified as compromised:
a.) Scramble access to the specified account.
b.) Assist the account owner with regaining access.
5.7 End User
5.7.1 Responsible for understanding and adhering to all Federal and State regulations that apply to their role(s).
5.7.2 Adhere to all guidelines as specified by the AUP, Student Handbook, Faculty Handbook, and Employee Handbook.