Body
Scope:
Finance, Administration and Technology
|
Policy Administration:
Information Security Officer
|
Applies to:
Assigned Roles
|
Version:
Updated as of 2022-02-24
|
Approved by:
Executive Vice President of Finance, Administration and Technology
|
Approved on:
2019-05-17
|
1. PURPOSE
This policy defines the rules for the provisioning, management, and de-provisioning of access to Framingham State University (FSU) information systems.
2. POLICY STATEMENT
Access to FSU information systems[1] shall be restricted to authorized individuals who have been properly authenticated. Access rights will be issued, re-issued, maintained, modified, or terminated based on the user’s verified identity, employment status, appropriate management approvals, and business justification.
The rules, practices, and procedures in this policy for the provisioning, management, and de-provisioning of access to FSU information systems shall be based on generally-accepted information security best practices within Higher Education.
[1] The access controls outlined in this policy pertain to protected information systems that require login credentials that are centrally managed by the University’s Information Technology Services department, and/or the designated third party service providers under this office’s supervision. This policy applies to any user of these systems including business partners, contractors and consultants.
3. ASSIGNED ROLES AND RESPONSIBILITIES
Role |
Assigned Responsibilities |
Director of Enterprise Application Services |
- Ensure that user accounts provisioned within the Director’s scope of responsibility (e.g., Banner) are provisioned, authenticated, and maintained in a manner consistent with this policy.
- Notify the Information Security Officer of any known or suspected instances of policy non-compliance.
|
Director of Systems and Networking |
- Ensure that user accounts provisioned within the Director’s scope of responsibility (e.g., Active Directory and E-mail) are provisioned, authenticated, and maintained in a manner consistent with this policy.
- Notify the Information Security Officer of any known or suspected instances of policy non-compliance.
|
Director of Information Technology Services Management |
- Notify the Information Security Officer of any known or suspected instances of non-compliance with this policy which become apparent from incident reporting or the planning or delivery of end user services.
|
Assistant Vice President of Human Resources and Equal Opportunity |
- Ensure that the Office of Human Resource staff notify ITS of payroll employee hiring and terminations in a timely manner.
|
Associate Vice President of Academic Affairs |
- Ensure that Academic Affairs staff notify ITS non-payroll contract faculty hiring and terminations in a timely manner.
|
University Registrar |
- Ensure that Students’ enrollment status and registrations are recorded in a timely manner.
|
Information Security Officer |
- Monitor this policy for compliance.
- Document, and communicate, any patterns, or significant instances, of non-compliance to the Chief Information Officer.
|
4. RULES AND PROHIBITIONS
4.1 Provisioning: Individuals are automatically assigned a persistent, unique identifier that cannot be re-assigned (a.k.a. username) only after information about them has been entered into the University’s administrative and student information system (a.k.a. Banner). Banner is the authoritative source of information used to verify employment status and/or relationship with the University. The association between the username and person is maintained in the University’s enterprise directory.
Once students are accepted and declare their intent to attend, or when they register for a course, they are also provisioned for authentication to the campus computing network, myFramingham portal, Microsoft 365 applications and services, and Canvas.
Anyone employed by the University is provisioned for authentication to the campus computing network, myFramingham portal, Microsoft 365 applications and services, and Canvas only after the Office of Human Resources or the Division of Graduate and Continuing Education enters information about them into Banner.
Supervisors of independent contractors, consultants, third party service providers, and any other individual that is not on the University’s payroll must submit a formal request for access to Information Technology Services (ITS) for a pre-determined amount of time.Banner and the enterprise directory are the authoritative source of information used to verify the individual’s relationship with the University.The association between the username and person is maintained in the University’s enterprise directory.
4.2 Credentialing: Individuals are issued one set of login credentials (username and password) to access the campus computing network, myFramingham portal, Microsoft 365 applications and services, and Canvas. New users are issued a temporary one-time use password to an automated self-service application they use to verify their own identity in order to activate their login credentials to these systems. During this process they are also required to indicate that they have read and agree to the University’s Acceptable Use Policy. The user is then prompted to change the temporary password after completing this process and create a new one. The new password (known only by them) is then used in combination with the username as the login credential to access information systems for authorized use.
Login credentials will not be activated until this process is complete. Login credentials for access to Banner are not activated as part of this process until additional criteria are met according to the University’s policy on “Granting Access Privileges to Administrative and Student Information Systems”.
4.3 Password Management: Passwords to protected information systems are never distributed and are known only by the individual authorized to use it. Use of strong passwords and periodic changes are enforced. The University’s policy on passwords to information systems and network services specifies the required composition of strong passwords, what must be done to protect passwords, and the minimum time interval for changing passwords. Individuals must reset passwords themselves using a similar process as described above by first answering a challenge question that they provided an answer to when originally activating their login credentials. Passwords are never transmitted over the network in the clear.
4.4 Application Level Security: Additional access controls (beyond login credentials) that are used to restrict and grant permissions to perform certain functions pertaining to the administration of protected information and systems must be maintained in accordance with the following policies:
- Granting Access via Multi-Factor Authentication (MFA)
- Granting Access to the Campus Computing Network
- Granting Access to the my.Framingham Portal
- Granting Access to Microsoft 365 Applications and Services
- Granting Access to the Canvas Academic Suite of Applications
- Granting Access Privileges to Administrative and Student Information Systems
4.5 De-provisioning: The Office of Human Resources must provide Information Technology Services timely notification of any change of employment status for all personnel on the payroll along with a formal request to modify or remove electronic access privileges (including deactivating their username and password) for an individual no longer needing or authorized to have access to secured University information systems. The Division of Graduate and Continuing Education, academic departments and administrative offices must also provide Information Technology Services with the same notification and request to modify or remove access for all non-payroll contractors, consultants and all other third party users of information systems to whom they provided authorization to grant access. All contractor accounts will be disabled at the end of each fiscal year unless formal requests with appropriate authorizations are provided. Student access and credentials will be deprovisioned after 6 consecutive semesters of non-access.
5. RELATED UNIVERSITY PROGRAMS, POLICIES, OPERATIONAL PLANS AND PROCEDURES
Documentation Name |
Documentation Steward |
Framingham State University’s Comprehensive Written Information Security Program |
Information Security Officer |
Safeguards for Systems and Network Infrastructure Policy |
Information Security Officer |
6. ENFORCEMENT OF POLICY VIOLATIONS
Failure to comply with this policy, intentionally or unintentionally, may result in one or more of the following:
- Termination, without notice, of access privileges to information and technology resources.
- Disciplinary action, up to and including termination of employment.
- Civil or criminal penalties as provided by law.
7. REVIEW AND REVISION HISTORY
Policies must be reviewed annually by the policy owner. If a policy has been revised, then it must have all necessary approvals before being published. In the last column, indicate whether the activity was a review or a revision; if a revision, summarize the changes.
Date |
Name and Title |
Summary of Review and Revision |
2010-09-10 |
N/A |
Approved by members of the Information Security Council and The President’s Council |
2017-04-07 |
Bryce Cunningham, Information Security Officer |
Adapted to new ITS policy template, new template sections filled out (particularly Roles and Responsibilities) and language corrected and clarified. |
2017-05-17 |
Bryce Cunningham, Information Security Officer |
Updated with input from CIO and ITS Directors. |
2019-05-29 |
Patrick Laughran, Chief Information Officer |
Adapted to updated policy template, new template sections filled out (e.g. “Purpose”) and added the following “assigned responsibilities” to the Associate Provost and Dean of Continuing Education; Ensure that Academic Affairs staff notify ITS non-payroll contract faculty hiring and terminations in a timely manner. |
2022-02-16 |
Patrick Laughran, Chief Information Officer |
Incorporated updates to the functional titles of positions listed under “Assigned Roles and Responsibilities”. Removed references to “Blackboard” and replaced them with “Canvas” instead. Removed references to “E-mail and replaced them with “Microsoft 365 applications and services” instead. Added “Granting" |