IT Foundational Policy: Accounts (IT 300-000)

Baker College Policy

     IT 300-000  IT Foundational Policy: Accounts

     Responsible Oversight: Chief Information Officer

     Date of Current Revision / Creation: March 27, 2024

1.0 Purpose

The purpose of this policy is to establish procedures and guidelines for the administration of computing accounts that facilitate access to or on behalf of Baker College information resources.

2.0 Definitions

AD - Active Directory, the defining structure that allows access to Baker College resources.

Alumni - A student who receives a diploma or certificate from a Baker College program.

AUP - Acceptable Use Policy

EAS - The Enterprise Application Services team

ISS - The Infrastructure Security and Support team.

ITSC - The Information Technology Solution Center team

Least Privilege - The principle of giving an account only those privileges that are essential to perform its intended function.

Non-Domain Accounts - Accounts that do not directly exist within Active Directory.  These accounts are often local to various systems and/or services.

Position Code - Every employee is assigned one or more specific position codes that allow proper access to be granted, based on campus, department, division, etc.

SLA - Service Level Agreement defines the level of service expected by a customer from a supplier.

SME - Subject Matter Experts are the individuals responsible for documenting instructions and reviewing the compatibility of a resource with the College’s systems.

System Administrator - Administrator of all networking infrastructure, whether it is network hardware or servers.

TSS - The Technology Services and Support team.

UID - User Identity

3.0 Scope

This policy is applicable to those responsible for the management of user accounts for access to shared information or network resources. Such information can be held within a database, application, or shared file space. This policy covers all account management including individual user accounts, service accounts, and shared accounts.

4.0 Policy Statement

Authentication

Authentication is critical because it is the process by which a system confirms that a person or device really is who or what it is claiming to be and through which access to the requested resource is authorized.

All information that Baker College deems protected is to be stored on servers that require user authentication.

Strong authentication protocols help both to protect personal and organizational information and prevent misuse of organizational resources.

Authenticating to any Baker College system constitutes full acceptance of the terms and conditions of the Acceptable Use Policy.

Active Directory Accounts

Passwords

  • Complexity
    • The Baker College system will enforce password complexity requirements that are based on industry standards and address security concerns.
  • Faculty, staff, and vendor account passwords expire after 90 days.
  • If there is a reason to believe that any AD account has been jeopardized, an investigation will be conducted and mitigation will occur, as applicable.

Life cycle

  • Baker College uses a formal account management process to create, manage, and remove user accounts.
  • Accounts must be unique and cannot be recycled.
  • A supervisor may request access to an individual’s electronic records once an account is terminated by contacting Human Resources.
  • Current students and alumni who are also staff may receive a new account in the event of employment termination based on what their role and permissions were.

Account Permissions

  • When possible, applied via Position Codes or AD group membership using the principle of least privilege.
  • Manually enabled permissions can be utilized where necessary.
  • Accounts belonging to employees who transition to another department or role should be audited to ensure associated permissions are still relevant.

Non-AD Accounts

Passwords

  • Default passwords are prohibited and should be changed upon device or service implementation.
  • Passwords must be changed in accordance with respective procedures or triggering event(s) (e.g. staffing changes, security breach).
  • Complexity
    • When possible, Non-AD passwords should follow the AD password complexity requirements.

Life cycle

  • Account lifecycles must be SME defined for all non-domain accounts.
  • Accounts must be unique and cannot be recycled.

Account Permissions

  • When possible, applied via Position Codes or AD group membership using the principle of least privilege.
  • Manually enabled permissions can be utilized where necessary.
  • Permissions are to be granted and maintained by an SME using the principle of least privilege.
  • Accounts belonging to employees who transition to another department or role should be audited to ensure associated permissions are still relevant.

Temporary Account Access

  • Temporary account access (pending approval when necessary) will be provided for the following:
    • Wireless access
    • Computer access
    • Access to secure physical areas (card access)

5.0 Procedures

None

6.0 Responsibilities

 IT

Responsible for ensuring IT systems, products, and services are used to support the institution while striving to achieve the IT SLAs.

Supervisors

Request account creation and access modifications for employees reporting directly to them.

SMEs

Manage accounts and permissions for systems that they’re responsible for.

Responsible for maintaining a process to audit and manage accounts and access for any given application.

Admissions

Verify the student’s information is accurate.

Human Resources

Verify faculty and staff information is accurate.

Assign and maintain applicable Position Codes.

ISS

Investigate any suspicion of an account being compromised.

After an account has been identified as compromised:

  • Scramble access to the specified account.
  • Assist the account owner with regaining access.

End User

Responsible for understanding and adhering to all Federal and State regulations that apply to their role(s).

Adhere to all guidelines as specified by the AUP, Student Handbook, Faculty Handbook, and Employee Handbook.

7.0 Citations & Related Information

None
