Administrative Regulation Title: Authentication and Access Control

Regulation Number:  7.1.4

_____________________________________________________________________________________

Purpose:

This Authentication and Access Control Administrative Regulation (this “Admin Reg”) outlines the identification and authentication standards that enable the College to manage access to Institutional Resources. Limiting access to Institutional Resources to only Authorized Users helps ensure the confidentiality, integrity, and availability of Institutional Data are maintained. Institutional Resources are vital assets to the College and limiting access to those with a legitimate business purpose is essential to the mission and operation of the College.

Definitions:

Capitalized terms not defined in this Admin Reg have the meaning set forth in the Information Security Policy.

Scope:

This Admin Reg applies to all accounts, persons, or entities that provide or have access to Non-Public Institutional Resources.

Roles and Responsibilities:

The Office of Information Technology (“OIT”) manages and executes the identification, authentication, and access control practices of the College, in conjunction with applicable Personnel, including the Human Resources Department.

Authentication:

Authentication is the verification process of ensuring the identification of a user, document, or credential is genuine. Authentication is performed when users provide a username and password. Multi-factor authentication is the process of requiring the user to verify their identity by performing different methods of authentication, such as password authentication and SMS text one-time passcode.

The College will implement and maintain an authentication process that complies with applicable law or at minimum:

  • Requires user accounts to use a password with the following complexity requirements:
    • Contains 10 or more characters;
    • Does not contain specific patterns, such as 3 or more repeating characters;
    • Has not been used in the previous twenty-four (24) password changes;
  • Requires multi-factor authentication for access to Institutional Resources (Level 2 and Level 3), through verification of at least two of the following types of authentication factors:
    • Knowledge factors, such as a password;
    • Possession factors, such as a token; or
    • Inherence factors, such as biometric characteristics; and
  • Limits unsuccessful logon attempts.

Access Control:

Access to Institutional Resources is granted on the principle of least privilege access, which means access rights to Institutional Resources are limited to only that which is necessary for the Authorized User to perform their job/task. The College will implement, maintain, and review a process for granting access to user accounts that includes, at minimum:

  • Limiting Authorized Users’ system access to the types of transactions and functions that are required based on the role the Authorized User performs;
  • Segregating Institutional Resources behind access control checkpoints that is proportionate to the confidentiality and sensitivity of the resource;
  • Periodically reviewing access control parameters to ensure access to resources is limited only to those accounts that continue to require such access;
  • Offboarding Authorized Users upon their separation from the College and de-credentialing the account to prevent the exploitation of the account;
  • Monitoring and logging of system activities, in accordance with the Monitoring and Logging Administrative Regulation, to detect misuse of accounts and ensure access remains properly limited;
  • Utilizing session locks and automatic session termination to prevent access to and viewing of data after periods of inactivity and other defined conditions;
  • Monitoring and controlling remote access sessions to ensure such sessions, and the data accessed, remain appropriately secure and confidential; and
  • Ensuring individuals who have been provided any level of authorized access to Institutional Resources are made aware of relevant policies and procedures applicable to their access to and use of such resources, including, but not limited to, the Acceptable Use Policy.

Identification:

The College will maintain a set of linked records, or credentials, identifying all Authorized Users who use Institutional Resources and the permission associated with such Authorized User. The College will implement and maintain identification practices that include, at minimum:

  • Clearly defined account types and privileges, roles, and memberships associated with accounts;
  • Establishing change management procedures to identify when accounts, or their related privileges, roles, or memberships, should be created, modified, or removed;
  • Upon approval of account creation by appropriate Personnel, as applicable, providing appropriate credentials to individuals; and
  • Ensuring individuals are not assigned more than one unique identifier and unique identifiers are never reassigned to individuals other than the initial assignee.

 

References:

Acceptable Use Policy

Information Security Policy

Monitoring and Logging Administrative Regulation

 

Revision History:

Original Adoption Date:  1/29/24

Revision Date(s):

Date Reviewed, no change: