User Access Control Policy

Technology Services

Purpose

The User Access Control Policy is established to ensure secure and controlled access to information technology resources at Gustavus Adolphus College. This policy aims to protect sensitive data, maintain the integrity of critical IT systems, and comply with regulatory requirements. It defines the principles and procedures for granting, modifying, and revoking user access to various technology assets at the College.

Scope

This policy applies to all College employees, departments, and areas that deal with sensitive data or manage processes that expose institutional data to risk. Third-party vendor relationships and external accounts not directly managed by Technology Services should also be considered as part of this policy. All College employees and areas should consider security in the routine performance of their duties and work with Technology Services to remediate any areas of concern.

Access Request and Approval

Access Request

All requests for user access, including changes to existing access, must be submitted through currently approved processes as established by Technology Services.

Approval Process

Access requests will be reviewed and approved by the respective department heads or other authorized personnel. Approval is contingent on the principle of least privilege, ensuring users receive only the access necessary for their roles.

Disputation

Disputes over user access will be resolved through formal petition to the CTO or designated personnel. In general, such requests will be resolved in accordance with the principle of least privilege, with the burden being on the requester to prove that the disputed access is necessary for the fulfillment of their assigned role and duties.

User Roles and Responsibilities

Role Definition

Distinct user roles will be defined based on job responsibilities and the principle of least privilege. Each role will have predefined access levels to specific systems and data.

Responsibilities

Users are responsible for using their assigned access privileges for legitimate job-related activities only. Sharing or unauthorized use of access credentials is strictly prohibited.

Account Provisioning/Deprovisioning

New Users

Upon hiring and onboarding, new employees, contractors, or other authorized individuals will receive access to any necessary technology resources pursuant to the performance of their assigned role and duties. Full account provisioning will typically be completed within five business days of the user's start date.

Role Changes

Access levels will be modified promptly to reflect changes in job responsibilities. Access removals or modifications will be implemented within five business days following notification of the role change. In some cases, a longer transition period may be required to successfully facilitate a shift in roles and responsibilities.

Termination

Access for terminated employees, contractors, and other authorized individuals will be promptly revoked on their last day of employment or service, or when specified. Human Resources will notify Technology Services of impending terminations to facilitate timely access removal.

Passwords and Authentication

Requirements

Users will be required to create strong passwords that meet specified complexity requirements. Accounts will also be protected from unauthorized access by multi-factor authentication (MFA).

Password and Access Sharing

Sharing of passwords or facilitating unauthorized access is strictly prohibited. Each user is responsible for safeguarding their credentials and account(s).

Remote Access

Secure Connection

Remote access to technology resources and institutional data must be through secure and approved methods. VPNs or other encrypted connections are mandatory for off-campus access.

Training and Awareness

Cybersecurity Training and Security Compliance

Continued access requires the adoption and maintenance of good security practices, including the completion of any mandatory training required by law or assigned by Technology Services. Knowledge of applicable technology policies is an ongoing requirement.

Access Review

Regularity

Access permissions will be reviewed periodically to ensure alignment with known roles and responsibilities. Reviews will be conducted by authorized personnel within Technology Services, who will work directly with the appropriate department heads or system leads. This review should occur at least once per calendar year.

Audit Trail

Audit trails and logs will be maintained and regularly reviewed to identify and investigate any unauthorized or suspicious activities.

Policy Enforcement

Non-Compliance

Violations of this policy may result in penalties up to and including the temporary or permanent suspension of privileged access and/or termination of employment/service.

Policy Implementation Assistance

Contact the Chief Technology Officer with questions or comments related to this policy.

Policy Authority

The XLT has responsibility for this policy and will obtain necessary approvals for changes.