Skip to:

Office of General Counsel Policies & Guidelines

Access Control : G-052

Policy/Guideline Area

General Guidelines

Applicable Divisions

TCATs, Community Colleges, Universities, System Office, Board Members

Purpose

The purpose of this guideline is to establish a minimum expectation with respect to access controls in order to protect data stored on computer systems throughout the system.

Policy/Guideline

  1. Policy
    1. Tennessee Board of Regents institutions will control user access to information assets based on requirements of individual accountability, need to know, and least privilege.
    2. Access to institutional information assets must be authorized and managed securely in compliance with appropriate industry practice and with numerous applicable legal and regulatory requirements (e.g., the Health Insurance Portability and Accountability Act, Family Educational Rights and Privacy Act, the Open Records Act of Tennessee, Gramm Leach Bliley Act, and identity theft laws).
    3. Institutional information assets include data, hardware and software technologies, and the infrastructure used to process, transmit, and store information.
      1. Any computer, laptop, printer or device that an authorized user connects to the campus network is subject to this policy.
      2. Guest, unauthenticated access may be provisioned commensurate with usage and risk.
      3. Authorized users accessing institutional computing resources and network with their own personal equipment are responsible for ensuring the security and integrity of the systems they are using to establish access.
  2. Access Controls
    1. Access to information assets must be restricted to authorized users and must be protected by appropriate physical, administrative, and logical authentication and authorization controls.
    2. Protection for information assets must be commensurate with the classification level assigned to the information.
    3. Each computer system shall have an automated access control process that identifies and authenticates users and then permits access based on defined requirements or permissions for the user or user type.
    4. All users of secure systems must be accurately identified, a positive identification must be maintained throughout the login session, and actions must be linked to specific users.
    5. Access control mechanisms may include user IDs, access control lists, constrained user interfaces, encryption, port protection devices, secure gateways/firewalls, and host-based authentication.
  3. User Identification, Authentication, and Accountability
    1. User IDs:
      1. The access control process must identify each user through a unique user identifier (user ID) account.
      2. User IDs are assigned by the campus office of information technology and application support personnel.
      3. Users must provide their user ID at logon to a computer system, application, or network.
    2. Individual Accountability:
      1. Individual accountability must be maintained.
      2. Each and every user ID must be associated with an individual person who is responsible for its use.
    3. Authentication:
      1. Authentication is the means of ensuring the validity of the user identification.
      2. All user access must be authenticated.
        1. The minimum means of authentication is a personal secret password that the user must provide with each system and/or application logon.
        2. All passwords used to access information assets must conform to certain requirements relating to password composition, length, expiration, and confidentiality. Please refer to G-051, Password Management for additional requirements.
  4. Access Privileges
    1. Each user’s access privileges shall be authorized on a need-to-know basis as dictated by the user’s specific and authorized role.
    2. Authorized access will be based on least privilege.
      1. This means that only the minimum privileges required to fulfill the user’s role will be permitted.
      2. Access privileges must be defined so as to maintain appropriate segregation of duties to reduce the risk of misuse of information assets.
      3. Any access that is granted to data must be authorized by the appropriate data trustee.
    3. Access privileges should be controlled based on the following criteria, as appropriate:
      1. Identity (user ID);
      2. Role or function;
      3. Physical or logical locations;
      4. Time of day/week/month;
      5. Transaction based access;
      6. Access modes such as read, write, execute, delete, create, and/or search.
    4. Privileged access (e.g., administrative accounts, root accounts) must be granted based strictly on role requirements.
      1. The number of personnel with special privileges should be carefully limited.
  5. Access Account Management
    1. User ID accounts must be established, managed, and terminated to maintain the necessary level of data protection.
    2. The following requirements apply to network logons as well as individual application and system logons, and should be implemented where technically and procedurally feasible:
      1. Account creation requests must specify access either explicitly or a role that has been mapped to the required access.
        1. New accounts created by mirroring existing user accounts must be audited against the explicit request or roles for appropriate access rights.
      2. Accounts must be locked out after five consecutive invalid logon attempts.
        1. When a user account is locked out, it should remain locked out for a minimum of five minutes or until authorized personnel unlocks the account.
      3. User interfaces must be locked after no more than twenty minutes of system/session idle time.
        1. This requirement applies to workstation and laptop sessions as well as application sessions where feasible.
        2. The office of information technology will implement measures to enforce this requirement and to require the user to re-authenticate to reestablish the session.
      4. Systems housing or using restricted information must be configured in such a way that access to the restricted information is denied unless specific access is granted.
        1. Access to restricted information is never to be allowed by default.
      5. Access must be revoked immediately upon notification that access is no longer required.
        1. Access privileges of terminated or transferred users must be revoked or changed as soon as possible.
        2. In cases where an employee is not leaving on good terms, the user ID must be disabled simultaneously with departure.
        3. Access for users who are on leaves of absence or extended disability must be suspended until the user returns.
      6. User IDs will be disabled after a period of inactivity that is determined appropriate by the current business process.
      7. All third party access (contractors, business partners, consultants, vendors) must be authorized and monitored.
      8. Appropriate logging will be implemented commensurate with sensitivity/criticality of the data and resources.
        1. Logging of attempted access must include failed logons.
        2. Where practical, successful logons to systems with restricted information should be logged.
        3. Logs should be monitored and regularly reviewed to identify security breaches or unauthorized activity.
        4. Logs should be maintained for at least ninety days.
      9. A periodic audit of secured systems to confirm that access privileges are appropriate must be conducted.
        1. The audit will consist of reviewing and validating that user access rights are still needed and are appropriate.
  6. Compliance and Enforcement
    1. The policy applies to all users of information resources including students, faculty, staff, temporary workers, vendors, and any other authorized users who are permitted access.
    2. Persons in violation of this policy are subject to a range of sanctions (determined and enforced by institution management), including the loss of computer network access privileges, disciplinary action, dismissal from the institution, and legal action.
    3. Some violations may constitute criminal offenses, per Tennessee and other local, and federal laws. The institution will carry out its responsibility to report such violations to the appropriate authorities.
  7. Exceptions
    1. Documented exceptions to this policy may be granted by the information security officer for the institution based on limitations to risk and use.

Sources

New Guideline approved at President's Meeting August 19, 2014, effective September 26, 2014.

Related Policies

Contact

Mickey Sheen
615-366-4437
mickey.sheen@tbr.edu