Identity and Access Management
Purpose
The purpose of this Policy is to establish the rules that govern the issuance and maintenance of Digital Identities at Keuka College.
Scope
Part 1 of the policy is applicable to individual account holders. It defines account holders’ responsibilities to protect their accounts and properly use their authorizations. Part 2 of the policy is applicable to Information System operators responsible for Identity and Access Management for information systems.
Overview
This policy describes types of electronic identities in use for systems and applications; criteria for creating identities and accounts; how identities should be authenticated; how authorizations should be managed; and how accounts and privileges should be deprovisioned. Why is identity and access management so important?
Security
With cyber threats becoming increasingly sophisticated, a robust IAM policy helps protect the organization from unauthorized access and data breaches. It acts as the first line of defense against malicious actors.
Compliance
Many organizations are subject to strict regulations regarding data protection. An IAM policy helps your organization meet compliance requirements, avoiding potential legal and financial consequences.
Efficiency
IAM policies streamline the process of onboarding and offboarding employees, reducing the window in which departed or transferred staff retain access and so the risk of insider threats. They also simplify password management and access requests.
Enhanced Productivity
With the right access permissions in place, employees can focus on their work without unnecessary distractions or roadblocks.
Definitions
The following definitions apply throughout this Policy:
Access: The ability to use, modify or manipulate an information resource or to gain entry to a protected system or physical area.
Access Control: The process of granting or denying specific requests for obtaining and using information or entry to a physical location.
Authentication: The process of identifying an individual, usually based on a username, password, and some type of additional verification. Authentication confirms that an individual is who they claim to be.
Authorization: The process of granting or denying access to a network resource. After a user is authenticated, authorization determines which resources that user is permitted to use and what they may do with them.
Availability: Protection of IT systems and data to ensure timely and reliable access to and use of information to authorized users.
Confidentiality: Protection of sensitive information so that it is not disclosed to unauthorized individuals, entities, or processes.
Enterprise Directory Services: The central directory, run by Information Technology, in which information about centrally created accounts and identities is stored.
Integrity: Protection of sensitive information so that it is in the expected format and has not been changed by unauthorized people or processes.
Multi-factor Authentication (MFA): An electronic authentication process that requires two or more independent factors (for example a password combined with a verification code, an approval notification on a registered device, or a biometric) before access is granted, so that compromise of any single factor is not sufficient to log in. Two-factor authentication (2FA) is the minimum form of MFA.
Principle of Least Privilege (PoLP): Access privileges for any user should be limited to the resources absolutely essential for completion of assigned duties or functions, and nothing more. This limits the damage an attacker or malware can do with a compromised account.
Privileged Accounts: Accounts that carry privileges beyond those of a standard user, such as the ability to manage a device, application or system.
Separation of Duties: Whenever practical, no one person should be responsible for completing or controlling a task, or set of tasks, from beginning to end when it involves the potential for fraud, abuse, or other harm.
Service Accounts: A service account is used when it is necessary for systems or applications to authenticate to other systems or applications without any association to a person. These accounts should be created sparingly and documentation of the purpose for them should be kept.
Shared Accounts: Accounts used by more than one person under a single identity. Because actions taken with a shared account cannot be attributed to an individual, they must be created only where necessary and with the approvals described in this Policy.
User Accounts: These are uniquely associated with a specific person with the intention of providing identification.
Roles and Responsibilities
PART 1: Responsibilities of the Individual
Every person with access to Keuka College's systems is responsible for selecting strong passwords, keeping the passwords secure, and reporting any unauthorized use of accounts. Users must follow these guidelines:
- Create passwords that conform to best practices.
- Change passwords in cycle with the requirements of the current Password Policy.
- No sharing of passwords.
- No reuse of passwords.
- Immediately change passwords and notify the appropriate system administrator if there is reason to believe that a password has been improperly disclosed, accessed or used by an unauthorized person.
- Use privileges associated with an account only for the purpose for which they were authorized and no more.
- Use privileged accounts and authorizations only when such privilege is needed to complete a function.
- Log off or use screen locking technologies that require authentication when leaving a device unattended.
PART 2: Responsibilities of Information Systems Staff
This part of the policy applies to all College community members who configure and/or maintain devices and applications for the College. It covers their responsibilities for:
- Account management
- Authentication requirements
- Authorization processes
- Auditing
Policy
The Identity and Access Management policy is organized into the following nine areas:
- Access Control
- Account Management
- Administrator Access
- Authentication and Authorization
- Managing Access Privileges
- Remote Access
- Vendor Access
- Deprovisioning
- Auditing Access Control
Access Control
Access to organizational resources and data will be determined by the manager of the department where the account will be used with guidance from IT Department. Access will follow the principle of Least Privilege, granting a user only the access rights required for them to successfully complete the tasks of their role.
The granting of access rights (initial or changes) will be performed by the IT Department or local administrators through a request from the department manager and reviewed by the Associate Vice President of Technical Solutions.
Account Management
All user IDs/accounts are created for individuals within the following categories:
Students
Student accounts are created at the application phase of "Move to Student (MS)." This process is conducted several months prior to the start of classes. Students must have deposited and had their application moved to student in order to have an active Keuka College account. Student accounts are deactivated on the day that a student withdraws or 6 months after their degree has been conferred.
Employees/Vendors/Emeriti
Employee account creation begins once the necessary data has been processed by HR after the employee has formally accepted their employment offer. Accounts are typically made available to new employees the day before their official start date. Employee accounts are deactivated once the employee has been placed on leave or terminated.
Service Accounts
A service account is used when it is necessary for systems or applications to authenticate to other systems or applications without any association to a person. These accounts should be created sparingly and documentation of the purpose for them should be kept. Their use must be periodically reviewed.
All College Accounts will be created as per the organization’s defined user ID format. Each account record will contain the individual’s first and last name, assigned user ID, department and email address, and an initial password set in accordance with the password creation guidelines. The official repository for accounts will be the College's Directory Services.
Managing accounts in this manner provides the following benefits:
Enhanced Security: Account management helps you enforce rigorous security policies, ensuring that only authorized individuals can access sensitive data and applications.
Efficient Resource Allocation: Account management simplifies the process of assigning and revoking access rights. Your team can allocate resources more efficiently, particularly useful in large organizations with numerous users and applications.
Compliance and Auditing: Because every account is recorded in the central directory with its approvals, routine audits can show who has access to what and why, allowing the College to demonstrate compliance with industry regulations and internal policies.
Simplified User Experience: Account management ensures that users have access to the resources they need and nothing more, allowing users to focus on their tasks without grappling with unnecessary access complexities.
Authentication and Authorization
Authentication is the process by which a system or application confirms that a person or device really is who or what it claims to be; it is the prerequisite for authorizing access to the requested resource. Strong authentication protocols help both to protect personal and organizational information and to prevent misuse of organizational resources.
Authorizations are the implicit or explicit permissions to use a resource that are associated with an account. Once the use of an account is authenticated, a system or resource may determine whether the person or software requesting access is authorized to use it. The management and maintenance of authorizations is a shared responsibility of IT and local system and application administrators.
Multifactor Authentication (MFA)
Multifactor Authentication (MFA) involves combining more than one authentication type and generally provides a stronger assurance of the person’s identity.
Authentication Policy
1. Whenever possible and reasonable, any application or system, whether on premises or in the cloud, should use federated authentication against the College's central identity provider rather than local accounts and passwords.
2. The minimum password length is as specified through Microsoft Authenticator services.
3. Passwords must be complex. The password must contain an uppercase letter, a lowercase letter, a number, and a symbol.
4. Use multifactor authentication for all systems and applications that support it, and elsewhere where it is reasonable to do so. If a system or application cannot support multifactor authentication, a compensating control must be used and the plan must be approved by IT.
Authorization Policy
1. Use role-based authorization schemes over individual authorizations whenever practical.
2. Be as granular as possible in your authorizations.
3. Ensure that the authorization has the appropriate approvals.
4. Privileged access may be granted permanently only if that specific person’s job duties routinely require that level of access, otherwise, the access must be temporary.
5. All authorization requests must be documented, including the nature of the request, the time period for which it has been granted, all related approvals that were obtained, and the names of the approvers.
Managing Access Privileges
1. Administrative and Technical approvals are always required. These approvers must:
a. Ensure the principles of Least Privilege and Separation of Duties are applied.
b. When approving privileges to a shared account consider everyone who has access to that account and whether such privilege is appropriate for everyone.
2. All requests for access to data must have been approved by Information Technology and the owner of the data.
3. All approved requests will be implemented by the IT Department.
Remote Access
Remote access accounts are subject to the same requirements laid out in this policy document as any other type of user account.
Deprovisioning
Systems and applications should be designed and deployed in a way that facilitates easy removal of a person’s authorizations and accounts at appropriate times.
Centrally Managed Accounts and Authorizations
The enterprise level accounts or authorizations that are listed in the enterprise directory service and have authentication credentials in our enterprise authentication services shall be deprovisioned in accordance with the policies of our Identity and Access Management service, adhering to the principles that:
1. Individuals with no affiliation with the College should not have an account.
2. Accounts for individuals with no lasting associations with the College, identified as affiliates within our IAM policies, should only exist for a limited period of time without reauthorization.
Non-Centrally Managed Accounts and Authorizations
When accounts or authorizations are created outside of the enterprise directory and/or enterprise authentication system, the unit creating the accounts must define a mechanism to deprovision the account in a timely fashion (generally within a few business days unless a specific time frame is requested) and consistent with the conditions expressed for centrally managed accounts.
Auditing
All accounts and account access will be audited on a regular basis to ensure that everyone has only the access required by their role, in keeping with the principle of Least Privilege, and to help combat Privilege Creep (the gradual accumulation of access rights as a person changes roles without the old rights being removed).
Audit Trail
Data Stewards are responsible for ensuring that an audit trail of activity exists that includes the following:
- Ensuring that any account or authorization created, deleted, removed, or changed is recorded in a system of record and available for review. This record contains proof of the approvals for the creation, deletion, removal, or change, together with any system- or application-level log entry showing that the account or authorization was modified, where such logging is possible.
- Any system or application that authenticates or authorizes an account to take an action should log that activity to a standard location and format. The log should include both successful and failed authentications and authorizations.
- Ensuring that the system or application audit logs are properly configured and functioning normally over time.
- Conducting routine audits of account and authorization activity to ensure that only authorized use is occurring and maintain audit documentation accordingly. As part of this audit:
- Provide a list of accounts with privileged access to the appropriate management approvers for review.
- Support and encourage periodic review by Data Trustees for information covered under a Trustee’s responsibilities.
Account and Authorization Audits
The Information Technology Department may audit routinely or on an ad-hoc basis the accounts and authorizations of any College information system along with the associated audit trail. These audits will ensure that accounts and authorizations are consistent with this document, including that:
1. There is a request for every account with elevated privilege, shared account, or service/process account;
2. The request was approved both by an administrative and technical manager;
3. The request is compliant with applicable regulation, policy, best practice;
4. The granted privileges were indeed required for the approved administrative use;
5. Requests for temporary privileges are expired on the agreed expiration date;
6. Every account is held by a person still at the institution; and
7. The account holder’s job function still requires the granted privilege.
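Several of the audit conditions above can be checked mechanically by reconciling three sources: the directory's account records, the documented authorization requests, and the HR roster of people currently at the institution. The following is an added example, not part of the Keuka College policy or its tooling; the record layouts, role names, privilege names and sample data are constructed for illustration. It applies checks 1, 2, 5, 6 and 7 (plus a check that nothing was granted beyond what was requested) and returns a list of findings for the management review described under Audit Trail.

```python
"""Account and authorization audit over constructed sample data.

Added example; not part of the College policy. Record layouts, roles,
privilege names and all sample records are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Account:
    user_id: str
    kind: str                      # "user", "privileged", "shared" or "service"
    holder: Optional[str]          # HR person id; None for shared/service accounts
    privileges: set[str] = field(default_factory=set)


@dataclass
class Request:
    user_id: str
    privileges: set[str]
    admin_approver: Optional[str]      # administrative approver (None = missing)
    technical_approver: Optional[str]  # technical approver (None = missing)
    expires: Optional[date]            # None = permanent grant


# Constructed sample data. "p4" has left the institution and is not on the roster.
HR_ROSTER = {"p1": "dba", "p2": "helpdesk", "p3": "faculty"}
ROLE_PRIVILEGES = {"dba": {"db_admin"}, "helpdesk": {"password_reset"}, "faculty": set()}

ACCOUNTS = [
    Account("alice", "privileged", "p1", {"db_admin"}),
    Account("bob", "privileged", "p2", {"password_reset", "db_admin"}),
    Account("carol", "user", "p3"),
    Account("dave", "user", "p4"),
    Account("svc-backup", "service", None, {"backup_operator"}),
    Account("shared-lab", "shared", None, {"lab_admin"}),
]

REQUESTS = [
    Request("alice", {"db_admin"}, "mgr-it", "tech-lead", None),
    Request("bob", {"password_reset", "db_admin"}, "mgr-hd", "tech-lead", date(2024, 1, 31)),
    Request("shared-lab", {"lab_admin"}, "mgr-lab", None, None),
]


def audit(accounts, requests, roster, role_privileges, today):
    """Return (user_id, finding_code, detail) tuples for every policy deviation."""
    findings = []
    req_by_user = {r.user_id: r for r in requests}

    for acct in accounts:
        # Checks 1, 2 and 5: every elevated, shared or service account needs an
        # approved request, and temporary grants must have been removed on expiry.
        if acct.kind in ("privileged", "shared", "service"):
            req = req_by_user.get(acct.user_id)
            if req is None:
                findings.append((acct.user_id, "NO_REQUEST", "no authorization request on file"))
            else:
                if not (req.admin_approver and req.technical_approver):
                    findings.append((acct.user_id, "MISSING_APPROVAL",
                                     "request lacks administrative or technical approval"))
                if req.expires is not None and req.expires < today and acct.privileges:
                    findings.append((acct.user_id, "EXPIRED_PRIVILEGE",
                                     f"temporary grant expired {req.expires.isoformat()} but is still active"))
                extra = acct.privileges - req.privileges
                if extra:
                    findings.append((acct.user_id, "UNREQUESTED_PRIVILEGE",
                                     "granted beyond request: " + ", ".join(sorted(extra))))

        # Checks 6 and 7: the holder must still be at the institution, and the
        # privileges must still be justified by the holder's current role.
        if acct.holder is not None:
            if acct.holder not in roster:
                findings.append((acct.user_id, "HOLDER_DEPARTED",
                                 f"holder {acct.holder} is no longer on the HR roster"))
            else:
                allowed = role_privileges.get(roster[acct.holder], set())
                creep = acct.privileges - allowed
                if creep:
                    findings.append((acct.user_id, "ROLE_CREEP",
                                     "not required by role: " + ", ".join(sorted(creep))))
    return findings


def run_audit(today=date(2024, 3, 1)):
    """Run the audit against the constructed sample data."""
    return audit(ACCOUNTS, REQUESTS, HR_ROSTER, ROLE_PRIVILEGES, today)


if __name__ == "__main__":
    for user_id, code, detail in run_audit():
        print(f"{user_id:<12} {code:<22} {detail}")
```

On the sample data the audit flags bob's expired temporary grant and his db_admin right that the helpdesk role does not justify, dave's account whose holder has left, the service account with no request on file, and the shared account approved by only one of the two required approvers; alice and carol produce no findings. In practice the three inputs would be exported from the directory, the request system of record and HR, and the findings list is what is handed to the management approvers for review.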
Enforcement
Enforcement is the responsibility of the Vice President overseeing the IT Department, or designee. Users who violate this policy may be denied access to the organizational resources and may be subject to penalties and disciplinary action both within and outside of Keuka College. The organization may temporarily suspend or block access to an account, prior to the initiation or completion of disciplinary procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the organization or other computing resources or to protect Keuka College from liability.
Users are subject to disciplinary rules described in the Employee Handbook, and other policies and procedures governing acceptable workplace behavior.
Reporting Violations
Users who believe they have witnessed or been a victim of a violation of this Policy should notify or file a complaint with the Associate Vice President of Technical Solutions.
Violations of Privacy
Violations of this Policy will be addressed under the policies and rules regarding students, faculty, and staff. The violations described in this Policy range from minor to extremely serious; even a minor offense may be treated severely depending on the circumstances. Certain violations may also be subject to prosecution under federal, state or local laws.
Penalties for Violations
The range of possible sanctions as a result of violations of this Policy includes, but is not limited to, the following:
- Loss of Electronic Resources privileges;
- Disciplinary sanctions as outlined in the Employee Handbook;
- Reassignment or removal from Keuka College housing and/or suspension or separation from the College;
- Prosecution by governmental authorities or third parties to the fullest extent of the law;
- Referral to other authorities for civil litigation and criminal prosecution under applicable civil or criminal laws; and
- Discipline of employees up to and including termination of employment.
Nothing in this policy shall supersede any grievance procedures in the Employee Handbook or applicable collective bargaining agreement.
Appeals
Users may appeal a decision through the existing grievance and appeal policies/procedures in the Employee Handbook or other policies or procedures governing acceptable behavior.
Exceptions
Exceptions to the policy may be granted by the Vice President overseeing the IT Department, or by their designee. All exceptions are subject to review.