Policy 903 - Access Control Policy

Section: Information Technology
Policy Number: 903
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19; 6/11/20; 5/23/22

Policy Statement

This policy ensures that access control mechanisms provide for the control, administration, and tracking of access to St. John’s University (St. John’s) information assets, and protect information assets from unauthorized access, tampering, and destruction.

Scope and Applicability

This policy applies to the University community. Adherence to this policy helps safeguard the confidentiality, integrity, and availability of St. John’s information assets, and protects the interest of St. John’s, its customers, personnel, and business partners.


Access Control Measures

St. John’s ensures that its systems and processes strictly prohibit unauthorized access to its critical data. Access to St. John’s critical information is based on need to know and according to job responsibilities. “Need to know” is when access rights are granted to only the least amount of data and privileges needed to perform a job.

A number of general principles are used when designing access controls for St. John’s systems and services.

They are 

  • Defense in Depth – security should not depend upon any single control but be the sum of a number of complementary controls 
  • Least Privilege – the default approach taken should be to assume that access is not required, rather than to assume that it is 
  • Need to Know – access is only granted to the information required to perform a role, and no more 
  • Need to Use – Users are only able to access physical and logical facilities required for their role 

Adherence to these basic principles helps to keep systems secure by reducing vulnerabilities—and, therefore, the number and severity of security incidents that occur.  

St. John’s implements a mechanism to restrict access based on user’s Need to Know principle to ensure that data, including cardholder data, is only accessible to those that require such information. Additionally, a default “denial-all” setting will be set to ensure that no accidental grant is provided to users. 

On a regular basis (at least annually), asset and system owners are required to review who has access within their areas of responsibility and the level of access in place. This will be to identify: 

  • People who should not have access (e.g. leavers) 
  • User accounts with more access than required by the role 
  • User accounts with incorrect role allocations 
  • User accounts that do not provide adequate identification (e.g. generic or shared accounts)
  • Any other issues that do not comply with this policy 


The following are the definitions relevant to the policy:

  • University community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing St. John’s network services, and other authorized users.


St. John’s reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to, reviewed, and approved by the Chief Information Officer (CIO), the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, must be reported to and investigated by the CIO and the Director of Information Security. 

Those who violate security policies, standards, or security procedures are subject to disciplinary action, up to and including loss of computer access and appropriate disciplinary actions as defined by St. John’s Human Resources department.

Related Policies, Standards, or Regulations