ACCESS CONTROL AND AUTHENTICATION POLICY
Policy Objective
This policy is intended to set forth requirements for granting and denying access to Parkland College information resources and systems and controlling the access through authentication.
Scope
This policy applies to all information systems and services used to transact Parkland College business, as well as to all users and accounts that exist or may be created on Parkland systems or the Parkland network.
Policy
Section 1 – Access Control
On-campus or remote access to information assets containing Confidential or Private data must be based on operational and security requirements and must comply with the Access Control Standard.
Appropriate controls must be in place to prevent unauthorized access to classified information assets, including all backups, secondary copies, extracts, archives, and other copies of the data, either full or partial, unless the data has been de-identified in such a way as to attain the Public classification level.
Section 1a – Access Changes and Authorization
- There must be a documented procedure or process for approving and making changes, including additions, modifications, and terminations, of access rights. Access to data assets classified as Confidential or Private must be denied until specifically allowed.
- Access rights and authorization to access data assets must be specified by the data owner or their authorized delegate and must adhere to the principles of least privilege and need-to-know.
- Authentication mechanisms and controls must be implemented for access to Parkland College information assets appropriate to their classification level, must be unique to each person, and may not be shared unless specifically authorized. Such authorization must be documented in detail and reviewed at least annually.
Section 1b – Separation of Duties / Role-based Access
- Separation of Duties must be maintained when assigning job roles related to critical resources or restricted systems.
- An appropriate level of duty separation must be maintained when issuing credentials to individuals who may have or gain access to data at any classification other than Public.
- Credentials shall not be issued that grant a user greater authority or access to data than is required by the performance of the assigned duties of the individual's role.
- Credentials for privileged access must be restricted, must be separate and differentiated from a standard credential, and must have all activity monitored and recorded.
Section 1c – Account Uniqueness
- All Parkland College user accounts must be unique to an individual.
- Any allowed generic accounts must be limited in scope and purpose and must not have credentials shared if the technology supports any alternative.
Section 1c – Access Review
- Reviews shall be conducted by data, system, and service owners at least annually to determine appropriateness of current access granted to their data, systems, and services.
- This access review shall be documented and made available upon request.
Section 1d – Account Termination and Access Revocation
- Upon separation from the college, all Parkland accounts must have access restricted and be terminated.
Section 2 – Physical Access
- Physical access to sensitive areas must be limited to authorized individuals who have a need to know and valid reason to be in the sensitive areas.
- Appropriate controls must be in place, such as locking mechanisms and security cameras, to prevent unauthorized access to sensitive areas.
- Periodic reviews of physical access controls and authorized individuals must be performed and documented to ensure they are current, effective, and appropriate.
Section 3 – Authentication
Section 3a – Identity
- The identity of each person to be granted access to Parkland College resources shall be validated prior to granting any credential or access to any non-public information or system.
Section 3b – Credentials
- A credential shall be issued to each validated person for the purpose of granting access to Parkland College systems and information resources.
- The credential shall be compliant with the Authentication Standard and must use the strongest available form of the credential, given the technology currently in use.
Section 3c – Authentication and Credential Management
- Authentication shall be made utilizing a centralized system for verifying identity wherever possible.
- Any systems that utilize, store, manage, validate, verify, or transmit credentials must be designed and configured to protect credentials from disclosure during storage, transmission, and use.
- Any individual assigned a Parkland College credential shall take all required measures to protect their assigned credential and ensure its secrecy.
- Credentials for individually assigned Parkland accounts may not be shared.