Access Control Policy
Scope:
This policy applies to LEADx staff, contractors and vendors that connect to servers, applications or network devices that contain or transmit LEADx Protected Data, per the Data Classification Policy. All servers, applications or network devices that contain, transmit or process LEADx Protected Data are considered “High-Security Systems”.
Purpose:
Access controls are designed to minimize potential exposure to the University resulting from unauthorized use of resources and to preserve and protect the confidentiality, integrity and availability of the University networks, systems and applications.
Policy:
Segregation of Duties
Access to High-Security Systems will only be provided to users based on business requirements, job functions, responsibilities, or need-to-know. All additions, changes, and deletions to individual system access must be approved by the appropriate supervisor and the UISO, with a valid business justification. Access controls to High-Security Systems are implemented via an automated control system. Account creation, deletion, and modification as well as access to protected data and network resources is completed by the Server Operations group.
On an annual basis, the University Information Security Office will audit all user and administrative access to High-Security Systems. Discrepancies in access will be reported to the appropriate supervisor in the responsible unit and remediated accordingly.
User Account Access
User Access
All users of High-Security Systems will abide by the following set of rules:
- Users with access to High-Security Systems will utilize a separate unique account, different from their normal University account. This account will conform to the following standards:
- The password will conform, at a minimum, to the published ITS Password Standards.
- Inactive accounts will be disabled after 90 days of inactivity.
- Access will be enabled only during the time period needed and disabled when not in use.
- Access will be monitored when the account is in use.
- Repeated access attempts will be limited by locking out the user ID after not more than six attempts.
- Lockout duration must be set to a minimum of 30 minutes or until an administrator enables the user ID.
- If a session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.
- Users will not login using generic, shared or service accounts.
- Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
RemoteApp Access
Users may only gain access to the RemoteApp environment if:
- A user’s manager must submit the request.
- The Director, Cash Management, Assistant Director, Cash Management or Sr Treasury Analyst, eCommerce must approve all requests.
- Users will abide by the above user access guidelines.
- Users must complete annual PCI training through the Treasurer’s Office.
- Password reset requests must be submitted to the Treasurer’s Office and verified with the user’s manager.
Administrative Access
- Administrators will abide by the Privileged Access Policy.
- Users will abide by the above user access guidelines.
- Administrators will immediately revoke all of a user’s access to High Security Systems when a change in employment status, job function, or responsibilities dictate the user no longer requires such access.
- All service accounts must be used by no more than one service, application, or system.
- Administrators must not extend a user group’s permissions in such a way that it provides inappropriate access to any user in that group.
- All servers, applications and network devices shall contain a login banner that displays the following content:
“This computer and network are provided for use by authorized members of the LEADx community. Use of this computer and network are subject to all applicable LEADx policies, including Information Technology Services policies, and any applicable LEADx Handbooks. Any use of this computer or network constitutes acknowledgment that the user is subject to all applicable policies. Any other use is prohibited. Users of any networked system, including this computer, should be aware that due to the nature of electronic communications, any information conveyed via a computer or a network may not be private. Sensitive communications should be encrypted or communicated via an alternative method.”
Remote Access
All users and administrators accessing High Security Systems must abide by the following rules:
- No modems or wireless access points are allowed on high security networks, or other unapproved remote access technology.
- All remote access must be authenticated and encrypted through the company's VPN, LEADx Secure Access (LSA).
- All remote access will be accomplished through the use of two factor authentication; a username and password or PIN combination, and a second method not based on user credentials, such as a certificate or token, provisioned to the user.
- Any machine used for remote access must have antivirus and host-based firewall software installed, running, and enabled. This requirement is enforced by a host checker component of the University’s VPN software, and remote access to the High Security Network is only possible after a machine has passed these configured checks.
- Any third party, non-LEADx affiliate that requires remote access to High Security Systems for support, maintenance or administrative reasons must designate a person to be the Point of Contact (POC) for their organization. In the event the POC changes, the third party must designate a new POC.
- All third party access to High Security Systems must be approved by the Information Security Officer or their designee.
- Third parties may access only the systems that they support or maintain.
- All third party accounts on High Security Systems will be disabled and inactive unless needed for support or maintenance. Requests for enabling access must follow the procedure outlined in The LEADx Vendor Access to Internal Systems Policy. Requests for access outside of this policy are expressly denied. The server System Administrator will be responsible for enabling/disabling accounts and monitoring vendor access to said systems. All third parties with access to any High Security Systems must adhere to all regulations and governance standards associated with that data (e.g. PCI security requirements for cardholder data). Third-party accounts must be immediately disabled after support or maintenance is complete.
- Data must not be copied from high-security systems to a user’s remote machine.
- Access will be disconnected automatically after 24 hours.
- Users will abide by the above user access guidelines.
Physical Access
All data centers will abide by the following physical security requirements:
- Video surveillance will be installed to monitor access into and out of ITS data centers.
- Access to ITS data centers will be accomplished the use of electronic badge systems.
- Only the Facilities Department, ITS Infrastructure Services Director, and the Network Services Team will have physical key access.
- Physical access to ITS data centers is limited to ITS personnel, designated approved LEADx employees or contractors whose job function or responsibilities require such physical access.
- These individuals will be classified appropriately in the ITS Roles and Responsibilities Matrix.
- LEADx badges will be prominently displayed.
- Visitors accessing ITS data centers will be accompanied by authorized ITS personnel, and all access will be logged via the ITS Data Center Visitor Access Log.
- This log will be stored at each ITS Data Center.
- Each visitor, and accompanying authorized ITS personnel, must sign in and out of the data center.
- The log will be kept for at least a period of three months.
- Modification, additions or deletions of physical access to ITS data centers will be accomplished by utilizing the ITS High Security Authorization Form.
- All terminated onsite personnel and expired visitor identification (such as ID badges)” will have their access revoked immediately.
- Physical access requires the approval of the ITS Infrastructure Services Director.
- The Information Security Team and the ITS Infrastructure Services Director will audit physical access to ITS data centers on an annual basis.
Policy adherence:
Failure to follow this policy can result in disciplinary action as provided in the Employee Staff Handbook, Employment Guide, Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.