Section: Information Technology
Policy Number: 903
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19
This policy ensures that access control mechanisms provide for the control, administration, and tracking of access to University information assets and protect information assets from unauthorized access, tampering, and destruction.
This policy applies to the University Community. Adherence to this policy helps safeguard the confidentiality, integrity and availability of the University’s information assets, and protects the interest of the University, its customers, personnel and business partners.
St. John’s ensures that its systems and processes strictly prohibit unauthorized access to its critical data. Access to St. John’s critical information is based on need to know and according to job responsibilities. “Need to know” means that access rights are granted only to the least amount of data and privileges needed to perform a job.
A number of general principles are used when designing access controls for St. John’s systems and services.
Adherence to these basic principles helps to keep systems secure by reducing vulnerabilities and therefore the number and severity of security incidents that occur.
St. John’s implements a mechanism to restrict access based on the user’s need to know, to ensure that cardholder data is only accessible to those who require such information. Additionally, a default “deny all” setting will be in place to ensure that no access is granted to users accidentally.
On a regular basis (at least annually) asset and system owners are required to review who has access within their areas of responsibility and the level of access in place. This will be to identify:
The following are the definitions relevant to the policy:
Computing Resources: All University information processing resources including all University owned, licensed, or managed computing services, hardware, software, and use of the University network via physical or wireless connection regardless of the ownership of the computer or device connected to the network.
Institutional Data: All data owned or licensed by the University
University Community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing University network services, and other authorized users.
The University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to, reviewed, and approved by the CIO, the Director of Information Security, or the equivalent officer(s).
All breaches of information security, actual or suspected, must be reported to, and investigated by, the CIO and the Director of Information Security.
Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as defined by the University’s Human Resources department.