Section: Information Technology
Policy Number: 903
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19; 6/11/20; 5/23/22
This policy ensures that access control mechanisms provide for the control, administration, and tracking of access to St. John’s University (St. John’s) information assets, and protect information assets from unauthorized access, tampering, and destruction.
This policy applies to the University community. Adherence to this policy helps safeguard the confidentiality, integrity, and availability of St. John’s information assets, and protects the interest of St. John’s, its customers, personnel, and business partners.
St. John’s ensures that its systems and processes strictly prohibit unauthorized access to its critical data. Access to St. John’s critical information is based on need to know and on job responsibilities. “Need to know” means that access rights are granted only to the least amount of data and the fewest privileges needed to perform a job.
A number of general principles are used when designing access controls for St. John’s systems and services.
Adherence to these basic principles helps to keep systems secure by reducing vulnerabilities—and, therefore, the number and severity of security incidents that occur.
St. John’s implements a mechanism to restrict access based on the user’s need to know, to ensure that data, including cardholder data, is accessible only to those who require such information. Additionally, a default “deny-all” setting is applied to ensure that no access is granted to users by accident.
On a regular basis (at least annually), asset and system owners are required to review who has access within their areas of responsibility and the level of access in place. The purpose of this review is to identify:
The following are the definitions relevant to the policy:
St. John’s reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to, reviewed, and approved by the Chief Information Officer (CIO), the Director of Information Security, or the equivalent officer(s).
All breaches of information security, actual or suspected, must be reported to and investigated by the CIO and the Director of Information Security.
Those who violate security policies, standards, or security procedures are subject to disciplinary action, up to and including loss of computer access and other disciplinary actions as defined by the St. John’s Human Resources department.