Policy 903 - Access Control Policy

Section: Information Technology
Policy Number: 903
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19

Policy Statement

This policy ensures that access control mechanisms provide for the control, administration, and tracking of access to University information assets and protect information assets from unauthorized access, tampering, and destruction.

Scope and Applicability

This policy applies to the University Community. Adherence to this policy helps safeguard the confidentiality, integrity, and availability of the University’s information assets, and protects the interests of the University, its customers, personnel, and business partners.

Policy

Access Control Measures

St. John’s ensures that its systems and processes strictly prohibit unauthorized access to its critical data. Access to St. John’s critical information is granted on a Need to Know basis and according to job responsibilities. “Need to know” means that access rights are granted only to the minimum set of data and privileges needed to perform a job.

A number of general principles are used when designing access controls for St. John’s systems and services. They are:

  • Defense in Depth – security should not depend upon any single control but be the sum of a number of complementary controls
  • Least Privilege – the default approach taken should be to assume that access is not required, rather than to assume that it is
  • Need to Know – access is only granted to the information required to perform a role, and no more
  • Need to Use – users are only able to access the physical and logical facilities required for their role

Adherence to these basic principles helps keep systems secure by reducing vulnerabilities and, in turn, the number and severity of security incidents that occur.

St. John’s implements a mechanism to restrict access based on the user’s Need to Know, to ensure that cardholder data is accessible only to those who require such information. Additionally, a default “deny-all” setting is applied so that no access is granted to users by accident.

On a regular basis (at least annually), asset and system owners are required to review who has access within their areas of responsibility and the level of access in place. The purpose of this review is to identify:

  • People who should not have access (e.g., leavers)
  • User accounts with more access than required by the role
  • User accounts with incorrect role allocations
  • User accounts that do not provide adequate identification (e.g., generic or shared accounts)
  • Any other issues that do not comply with this policy

Definitions

The following are the definitions relevant to the policy:

Computing Resources: All University information processing resources including all University owned, licensed, or managed computing services, hardware, software, and use of the University network via physical or wireless connection regardless of the ownership of the computer or device connected to the network.

Institutional Data: All data owned or licensed by the University.

University Community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing University network services, and other authorized users.

Compliance

The University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to, reviewed by, and approved by the CIO, the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, must be reported to, and investigated by, the CIO and the Director of Information Security.

Those who violate security policies, standards, or security procedures are subject to disciplinary action, up to and including loss of computer access, as defined by the University’s Human Resources department.

Related Policies, Standards or Regulations

  • STD-AC-001 User Access Management Standards
  • STD-AC-002 Identification & Authentication Standards
  • STD-AC-003 System and Application Access Control
  • 910 Remote Access Policy
  • 912 Password Policy
  • 927 Network Security Policy
  • 916 Third Party Services Policy