Information Technology Policies
User Access to Data and Services Policy
I. Justification and Statement of Policy
The scope of this security policy includes all information assets owned, operated, or maintained by F&M, whether the information is on electronic media, printed as hardcopy, or transmitted over public or private networks. The College Infrastructure Committee reserves the right to modify this policy at its discretion at any time. Information security requires the participation and support of all members of the F&M community with access to information assets. It is the responsibility of every member of the F&M community to help ensure that all information assets are kept secure and available.
This policy applies to all members of the F&M community, which includes, but is not limited to employees, students, visitors, volunteers, third parties, contractors, consultants, clients, temporaries, retirees, and others (collectively known as "users"), who have access to, support, administer, manage, or maintain F&M information assets.
Data Steward - A Data Steward has administrative control over, and has been officially designated as accountable for, a specific information asset or dataset. This is usually the most senior officer in a division.
Information Asset - An information asset is information or data that is of value to the College, such as educational records, employee records, intellectual property, and student information. These assets can exist in physical form (on paper, CDs, or other media) or electronically (stored in databases, in files, or on personal computers).
F&M's information assets are essential to its success. Therefore, access to all information assets will be granted based on the principles of least privilege and business need. Access to confidential data, as defined by the College's data classification policy, must be requested and approved in writing by the appropriate data steward. Controls must be developed, implemented, monitored and maintained to create user accountability and to prevent any compromise of the confidentiality, integrity, and availability of information assets.
Acceptable Use Policy
Users must comply with the College's Acceptable Use Policy and may be asked to sign a written copy of the Acceptable Use Policy prior to being granted access to F&M information assets.
Upon employment and/or admission to the College, an F&M user account is created for each individual. Typically this account includes access to F&M email, core productivity suites, and the MyDiplomat portal. Access to other F&M information assets is granted as per the policies outlined below.
Requirements for Access
Users must obtain permission from the appropriate data steward(s) and demonstrate a clear business need in order to be granted access to data. Authorization must be documented and this documentation retained for audit purposes. Data stewards will grant access on a need-to-know basis, as determined by a clearly defined and stated business need. Access requestors may not approve their own access. Adherence to regulatory, legislative, or contractual obligations must be considered before approving access to any requested information asset.
Before receiving access to information assets, members of the Professional Staff must undergo background checks performed by Human Resources (HR). Background checks may include criminal checks and verification of employment records. At the discretion of Human Resources, certain F&M positions may require more or less extensive background checks. Credentials for members of the Faculty are reviewed as per normal hiring procedures as outlined by the Office of the Provost and the Academic Departments.
Role Based Access
User access shall be established based upon job description, duties, or function. The use of roles provides consistent and efficient administration of access rights. Data Stewards must understand the security controls and privileges for the systems they are responsible for in order to make and recommend appropriate controls.
User Role Changes
Users who change roles or transfer to other areas of the College shall be given the access required for the new role immediately following approval from the appropriate data steward(s). Access that is no longer required for the new role must be removed or disabled following a reasonable overlap and transition period of no more than thirty days.
When access is granted, users are responsible for all system activity conducted using their unique account. All users have the responsibility to protect their account by creating and maintaining passwords compliant with F&M's Password Policy. In addition, users are responsible for maintaining the confidentiality of their unique ID and password by not sharing it with any other party or re-using their College password on any other sites or services.
Review of Access Privileges
Data Stewards shall re-evaluate the privileges granted to F&M users at least annually to ascertain whether access is still necessary based on current business needs and job responsibilities. User accounts or access rights found to be invalid, expired, no longer necessary due to a lack of business need, or in violation of policy must be immediately disabled.
Non-employee user accounts and access privileges, including those of visitors, volunteers, third parties, contractors, consultants, clients, and temporaries, must have an expiration date assigned before the account is created and rights are granted. Accounts that are not manually renewed by way of a written request from the appropriate data steward(s) will be automatically disabled on the expiration date.
Temporary Access Control Privileges
If privileged access must be temporarily granted to a user, the privilege shall be removed at a pre-set expiration time. The appropriate data steward(s) must approve all temporary access in writing.
Users Departing From the College
User accounts of terminated or resigned users shall be disabled from all information systems immediately upon notification from Human Resources (HR).
Faculty departing in good standing may retain access to their accounts, including any files to which they have been granted access, for 10 days after the end of their contract, upon request. Employees departing in good standing will have access to their accounts, systems, and files up through their last day of employment. Requests for archival download access to one's own information can be made to ITS before these time periods elapse.
Retirees retain access to their F&M email account and drive storage. Ownership of certain documents necessary for ongoing College operations may be transferred to an employee or shared drive.
Student accounts will be deleted 1 year after graduation or leaving the College.
Generally, user accounts and user services provided through F&M are transitory, with few exceptions, and are meant to cease when an individual no longer has an active relationship of working, teaching, or learning at F&M. Some positions are difficult to assign to a schedule, such as an intern who returns every Summer, or an adjunct faculty member or athletic coach who teaches or coaches every other semester. To address accounts that may otherwise be abandoned, the following time periods and actions will apply:
Accounts that have not been logged into for 1 year will be disabled. Disabled accounts can be re-enabled by contacting the ITS helpdesk.
Accounts that have not been logged into for 2 years will be deleted. Deletion of an account is irreversible. Every effort will be made to preserve files that have been shared from employee accounts in the event others at F&M continue to rely on those files. However, all other content associated with the account will be deleted.
These timeframes and processes apply to all accounts including retirees.
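The expiration and dormancy rules above are easiest to audit when they are written down as a single decision function that can be run against the account directory. The following is an added example of such a function, not F&M's own tooling; the record fields, the choice to measure dormancy from the creation date for an account that has never logged in, and the student separation date are assumptions made for illustration, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Time periods stated in the policy.
DORMANT_DISABLE_DAYS = 365        # no login for 1 year -> disable
DORMANT_DELETE_DAYS = 2 * 365     # no login for 2 years -> delete (irreversible)
STUDENT_DELETE_DAYS = 365         # student accounts deleted 1 year after leaving

# Affiliations the policy requires to carry an expiration date before creation.
NON_EMPLOYEE = {"visitor", "volunteer", "third_party", "contractor",
                "consultant", "client", "temporary"}

# Date used by the demonstration below (the policy's last-reviewed date).
REVIEW_DATE = date(2023, 6, 22)


@dataclass
class Account:
    """Hypothetical directory record; field names are assumptions, not a real schema."""
    username: str
    affiliation: str                     # "employee", "faculty", "student", "retiree", or a NON_EMPLOYEE value
    created: date
    last_login: Optional[date] = None
    expires: Optional[date] = None       # mandatory for NON_EMPLOYEE affiliations
    left_college: Optional[date] = None  # graduation/separation date for students (assumed field)
    enabled: bool = True
    hr_terminated: bool = False          # HR has notified ITS of termination or resignation


def validate_new_account(acct: Account) -> None:
    """Reject a non-employee account that lacks an expiration date (policy: required before creation)."""
    if acct.affiliation in NON_EMPLOYEE and acct.expires is None:
        raise ValueError(f"{acct.username}: non-employee accounts need an expiration date")


def lifecycle_action(acct: Account, today: date) -> str:
    """Return 'delete', 'disable' or 'none' for one account as of `today`.

    Deletion checks run first because a disabled account keeps aging toward the
    2-year deletion threshold; disable checks then apply only to enabled accounts.
    """
    # Dormancy is measured from the last login; an account never used counts from creation (assumption).
    idle_days = (today - (acct.last_login or acct.created)).days
    if idle_days >= DORMANT_DELETE_DAYS:
        return "delete"
    if (acct.affiliation == "student" and acct.left_college is not None
            and (today - acct.left_college).days >= STUDENT_DELETE_DAYS):
        return "delete"
    must_disable = (
        acct.hr_terminated                                       # immediate on HR notice
        or (acct.expires is not None and today >= acct.expires)  # expiration not renewed in writing
        or idle_days >= DORMANT_DISABLE_DAYS                     # dormant for 1 year
    )
    if must_disable and acct.enabled:
        return "disable"
    return "none"


def review_accounts(accounts: List[Account], today: date) -> Dict[str, str]:
    """Map each username to the required action; accounts needing no action are omitted."""
    result: Dict[str, str] = {}
    for acct in accounts:
        action = lifecycle_action(acct, today)
        if action != "none":
            result[acct.username] = action
    return result


def sample_accounts() -> List[Account]:
    """Constructed records for demonstration only; not real F&M data."""
    d = date
    return [
        Account("active_staff", "employee", d(2015, 1, 1), last_login=d(2023, 6, 1)),
        Account("dormant_retiree", "retiree", d(2010, 1, 1), last_login=d(2022, 5, 1)),   # idle > 1 year
        Account("abandoned_coach", "employee", d(2018, 1, 1), last_login=d(2021, 3, 1),
                enabled=False),                                                           # already disabled, idle > 2 years
        Account("never_used", "employee", d(2022, 3, 1)),                                 # no login since creation
        Account("contractor1", "contractor", d(2023, 1, 1), last_login=d(2023, 6, 10),
                expires=d(2023, 6, 15)),                                                  # expiration passed
        Account("alumna", "student", d(2019, 8, 1), last_login=d(2023, 6, 1),
                left_college=d(2022, 5, 15)),                                             # left > 1 year ago
        Account("resigned", "employee", d(2012, 1, 1), last_login=d(2023, 6, 20),
                hr_terminated=True),                                                      # HR notification
    ]


if __name__ == "__main__":
    for acct in sample_accounts():
        validate_new_account(acct)
    for user, action in review_accounts(sample_accounts(), REVIEW_DATE).items():
        print(f"{user}: {action}")
```

The function only decides; wiring it to the directory (disabling, deleting, and preserving shared files first) is a separate step, and the 30-day role-transition overlap and the temporary-privilege expiry from the sections above would be handled the same way with their own dates on the record.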
Unauthorized Testing of Information Assets
F&M users with full-time responsibility for information security are chartered by F&M senior staff to perform information security tests to ensure the College is adequately protecting information assets. All other users must not test, or attempt to compromise, internal controls unless specifically approved in advance and in writing by the Chief Information Officer (CIO) or Chief Information Security Officer (CISO).
Users who discover vulnerabilities, misconfigurations, or other information security deficiencies in College systems must immediately report their findings to the CIO or CISO. Users must not attempt to access assets beyond those they have been authorized to use, nor modify their own or other users' level of access, unless specifically approved in advance and in writing by the CIO or CISO.
Modification and Testing of Production Data
Accounts which possess the ability to change or delete mission-critical College data are highly restricted and carefully monitored. Technical and/or operational controls shall ensure that such accounts are not able to modify production data in an unrestricted and/or unmonitored fashion. Audit logs shall be configured to clearly indicate the date and time, location, account ID, and change made. Users shall only modify production data in predefined ways that preserve or enhance its integrity, availability, and confidentiality. Users shall be permitted to modify production data only when employing a controlled process approved by the Data Steward associated with the impacted data or systems.
V. Related Documents and Forms
Policy Maintained by: Information Technology Services, Vice President and Chief Information Officer
Last Reviewed: June 22, 2023