Information Systems Access Control
Short Description
Policy for access to systems, data, and resources at Teachers College.
Purpose
The purpose of this Access Control Policy is to establish guidelines and procedures for managing access to information systems, data, and resources within Teachers College. This policy is aligned with the National Institute of Standards and Technology (NIST) Special Publication 800-171 Rev. 2, which provides recommendations for protecting Controlled Unclassified Information (CUI).
Scope
This policy applies to TC employees (faculty and staff), students, and other covered individuals (e.g., affiliates, vendors, independent contractors) who access, use, or manage information systems, data, and resources owned or controlled by Teachers College. It encompasses all electronic systems, networks, and data repositories that store, process, or transmit CUI.
Policy
1. Roles and Responsibilities
1.1 Data Owners
Data Owners are responsible for defining the access control requirements for the information they own or manage. They should classify data according to its sensitivity and specify the appropriate access control based on the TC Data Classification Policy.
1.2 System Administrators
System Administrators are responsible for implementing and maintaining access controls on the information systems and resources under their jurisdiction. They must ensure that access controls are aligned with the data owner's requirements and based on the TC Data Classification Policy.
1.3 Users
All users are responsible for complying with the access control policies and procedures defined by Teachers College. They must use their assigned credentials only for authorized purposes and protect their access credentials from unauthorized disclosure.
2. Access Control Measures
2.1 User Identification and Authentication
2.1.1 User Account Creation
- User accounts will be created for all authorized users based on their roles and responsibilities.
- Accounts will be provisioned by the system administrator or designated personnel using a secure and documented process.
2.1.2 Password Management
- Users must choose strong, unique passwords that meet the following requirements:
  - Minimum length of 12 characters.
  - Combination of upper and lower case letters, numbers, and special characters.
  - Changed at least every 365 days.
- Passwords must not be shared or stored in an unsecured manner.
2.1.3 Multi-factor Authentication
- Multi-factor authentication (MFA) will be implemented for accessing systems unless an exception has been granted by the CIO and Executive Director of Information Security.
- MFA methods may include tokens, smart cards, biometrics, or other approved mechanisms.
2.2 Access Control Policies
2.2.1 Least Privilege
- Access privileges will be granted based on the principle of least privilege, meaning users will be granted only the access necessary to perform their job functions.
- Requests for additional access privileges must be approved by the data owner and documented.
2.2.2 Separation of Duties
- Access control will be implemented to separate conflicting duties, such as those related to system administration and data management.
- Segregation of duties will be enforced to prevent a single user from having complete control over critical functions.
2.2.3 User Access Reviews
- Regular access reviews will be conducted to ensure that user access privileges are appropriate and up to date.
- Access reviews will be performed at least annually or whenever there are changes in job roles or responsibilities.
2.2.4 Access Termination
- When a user's employment or affiliation with Teachers College is terminated, their access privileges will be promptly revoked.
- Access termination procedures will be documented and followed to ensure that all accounts and credentials associated with the user are deactivated.
2.3 Logging and Monitoring
- Access control mechanisms will be implemented to record and monitor user activities within the information systems.
- System logs and audit trails will be regularly reviewed for unauthorized access attempts or suspicious activities.
- An incident response plan will be in place to address security incidents or breaches related to access controls.
3. Compliance
Non-compliance with this Access Control Policy may result in disciplinary action, up to and including termination of employment, as well as possible legal consequences, as appropriate. Teachers College will periodically assess and review the effectiveness of this policy to ensure ongoing compliance with NIST 800-171 guidelines.
4. Policy Review
This Access Control Policy will be reviewed annually by the TCIT Security Team and updated as necessary to address emerging security risks and changes in applicable laws, regulations, or industry standards.
5. Document Management
This policy will be approved by the Office of the General Counsel and stored in the TC Policy Library.
By adhering to this Access Control Policy, Teachers College aims to ensure the confidentiality, integrity, and availability of sensitive information within its information systems.
Responsible Office: Teachers College Information Technology
Effective Date: 11/20/2023