IT Access Control Policy
| Applies to: | Original Policy Date: | Date of Last Review: | Approved by: |
|---|---|---|---|
| Students, faculty, staff, consultants, contractors, agents, and authorized users | August 2024 | August 2024 | Dr. John Nicklow, President |
Policy Owner: Information Technology Department
Policy Purpose
The purpose of this policy is to protect access to IT systems and applications at Florida Institute of Technology, ensuring the security and integrity of technology and data. It aims to prevent unauthorized access and align with compliance requirements, including NIST SP 800-53 and other relevant standards.
Policy Scope
This policy applies to all students, employees, consultants, contractors, agents, and authorized users accessing Florida Tech’s IT systems and applications. It encompasses all IT systems or applications managed by Florida Tech, including network and computer hardware, software and applications, mobile devices, and telecommunication systems.
Policy Statement
Access to Florida Tech systems is restricted to authorized users based on the principles of strict need to know and least privilege. No employee will be granted access to University IT systems before their official start date (or, for faculty, their contract start date), nor after their end date. This is in accordance with US Department of Labor laws.
Procedures/Guidelines
- Access Requests: All access requests must be formally documented and approved through the designated ticketing system.
- User Account Management:
  - User accounts must be created based on formal requests and approved by relevant authorities.
  - Accounts must be disabled or removed promptly when users leave the University or no longer require access.
  - Accounts inactive for three months will be disabled, with the exception of student and faculty accounts.
  - Temporary access must be terminated immediately after the task is completed.
- Administrator and Shared Accounts:
  - Requests for administrator accounts must be made by managers or supervisors and must be approved based on job requirements.
  - Shared accounts should be used only when necessary, with proper documentation and monitoring. Documentation should include the account's purpose, access details, and responsible personnel, with regular audits and real-time monitoring to detect unauthorized use. Access logs should be maintained, and accounts should be periodically reviewed and re-authorized, particularly after organizational changes. Additionally, an incident response protocol should be in place to address any security issues related to shared accounts.
- Vendor/Contractor Access:
  - Contracts with vendors/contractors should address data protection requirements.
  - Access for contractors/vendors must be pre-approved and managed according to the contract terms.
Definitions
- Access Control: Process that limits and controls access to resources of a computer system.
- Users: Individuals authorized to access Florida Tech’s IT systems.
- System/Application Accounts: User IDs with specific access privileges.
- Administrator Account: Accounts with advanced permissions for system administration.
- Shared User Accounts: Accounts used by multiple users under controlled conditions.
Compliance Reference
This policy ensures compliance with NIST SP 800-53 standards, including but not limited to AC-2 (Account Management), AC-3 (Access Enforcement), and AC-6 (Least Privilege).
Responsibilities
- IT Department: Oversees the implementation and compliance with the policy.
- Supervisors/Managers: Ensure access requests are appropriate and approved.
- Users: Must comply with access control requirements and report any security issues.
Enforcement
Violations of this policy may result in disciplinary action, including termination of access privileges. Non-compliance may also lead to legal or regulatory penalties.