865.00 Identity and Access Management (IAM)
Scope

This policy applies to those responsible for managing user accounts or access to shared information or network devices. Such information can be held within a database, application, or shared file space. This policy covers departmental accounts as well as those managed centrally.

Purpose

The purpose of this policy is to define required access control measures for all College systems and applications to protect the privacy, security, and confidentiality of College information technology resources.

Audience

The Salish Kootenai College IAM Policy applies to individuals responsible for managing Salish Kootenai College Information Resource access and those granted access privileges, including special access privileges, to any Salish Kootenai College Information Resource.

  1. Policy
    1. Access Control
      1. Access to Salish Kootenai College Information Resources as defined in Policy 860.00 must be justified by a legitimate business requirement prior to approval.
      2. Where multi-factor authentication is employed, user identification must be verified in person before access is granted.
      3. Salish Kootenai College Information Resources must have corresponding ownership responsibilities identified and documented.
      4. Access to confidential information is based on a “need to know.”
      5. Confidential data access must be logged.
      6. Access to the Salish Kootenai College network must include a secure log-on procedure.
      7. Workstations and laptops must force an automatic lock-out after a pre-determined period of inactivity.
      8. Documented user access rights and privileges to Information Resources must be included in disaster recovery plans whenever such data is not included in backups.
    2. Account Management
      1. All accounts created must have an associated and documented request and approval.
      2. Segregation of duties must exist between access request, access authorization, and access administration. In other words, the people who request access must not be the people who authorize the access, and the people who administer the access must be different from the people who authorize access.
      3. Information Resource owners are responsible for the approval of all access requests.
      4. User accounts and access rights for all Salish Kootenai College Information Resources must be reviewed and reconciled annually, and actions must be documented.
      5. All accounts must be uniquely identified using the username assigned by Salish Kootenai College IT Services and include verification that redundant user IDs are not used.
      6. All accounts, including default accounts, must have a password expiration that complies with the Salish Kootenai College Authentication Standard.
      7. Only the level of access required to perform authorized tasks may be approved, following the concept of “least privilege.”
      8. Whenever possible, access to Information Resources should be granted to user groups, not granted directly to individual accounts.
      9. Employee accounts to access Information Resources must not be shared.
      10. User accounts set up for third-party cloud computing applications used for sharing, storing, and/or transferring Salish Kootenai College confidential or internal information must be approved by the resource owner and documented.
      11. Upon user role changes, access rights must be modified promptly to reflect the new role.
      12. Creation of user accounts and access right modifications must be documented and/or logged.
      13. Any accounts that have not been accessed within a defined period will be disabled.
      14. Accounts must be disabled and/or deleted promptly following employment termination, according to a documented employee termination process.
      15. System Administrators or other designated personnel:
        1. Are responsible for modifying and/or removing the accounts of individuals that change roles with Salish Kootenai College or are separated from their relationship with Salish Kootenai College.
        2. Must have a documented process to modify a user account to accommodate situations such as name changes, accounting changes, and permission changes.
        3. Must have a documented process for periodically reviewing existing accounts for validity.
        4. Are subject to independent audit review.
        5. Must provide a list of accounts for the systems they administer when requested by authorized Salish Kootenai College IT Services management personnel.
        6. Must cooperate with authorized Salish Kootenai College Information Security personnel investigating security incidents at the direction of Salish Kootenai College executive management.
    3. Administrator/Special Access
      1. Administrative/Special access accounts must have account management instructions, documentation, and authorization.
      2. When technically feasible, Administrative/Special access accounts should employ multi-factor authentication for all account logins.
      3. Personnel with Administrative/Special access accounts must refrain from abuse of privilege and must only perform the tasks required to complete their job function.
      4. Personnel with Administrative/Special access accounts must use the account privilege most appropriate with work performed (i.e., user account vs. administrator account).
      5. Shared Administrative/Special access accounts should only be used when no other option exists.
      6. The password for a shared Administrative/Special access account must change when an individual with knowledge of the password changes roles, moves to another department, or leaves Salish Kootenai College altogether.
      7. If a system has only one administrator, there must be a password escrow procedure in place so that someone other than the administrator can gain access to the administrator account in an emergency.
      8. Special access accounts for an internal or external audit, software development, software installation, or other defined need must be administered according to the Salish Kootenai College Authentication Standard.
      9. General users will not be assigned Administrator privileges or special accounts except for the following:
        1. Special use computers such as instrument control computers
        2. Special use Internet of Things (IoT) devices
        3. Computers and Virtual Machines used in IT Education courses
        4. Other specialized computers that require non-IT Services personnel to have administrative rights to accomplish their duties.
    4. Authentication
      1. All passwords, including initial and/or temporary passwords, must be constructed according to the Salish Kootenai College Authentication Standard.
      2. Unique passwords should be used for each system whenever possible.
      3. Where other authentication mechanisms are used (e.g., security tokens, smart cards, certificates), the authentication mechanism must be assigned to an individual, and physical or logical controls must be in place to ensure only the intended account can use the mechanism to gain access.
      4. Stored passwords are classified as confidential and must be encrypted.
      5. All vendor-supplied default passwords should be immediately updated and unnecessary default accounts removed or disabled before installing a system on the network.
      6. User account passwords must not be divulged to anyone. Salish Kootenai College support personnel and/or contractors should never ask for user account passwords.
      7. Security tokens (e.g., smart cards), if issued, must be returned on demand or upon the termination of the relationship with Salish Kootenai College.
      8. If the security of a password is in doubt, the password should be changed immediately.
      9. Administrators/Special Access users must not circumvent the Salish Kootenai College Authentication Standard for ease of use.
      10. Users should not circumvent password entry with application remembering, embedded scripts, or hardcoded passwords in client software. Exceptions may be made for specific applications (like an automated backup) with the approval of the Salish Kootenai College IT Services.
      11. If a password management system is employed, it must be used in compliance with the Salish Kootenai College Authentication Standard.
      12. Computing devices should not be left unattended without enabling a password-protected screensaver or logging off of the device.
      13. Salish Kootenai College IT Services password change procedures must include the following:
        1. Change to a strong password.
        2. Require the user to change the password at first login.
      14. If a user’s password is compromised or discovered, the password must be immediately changed, and the security incident reported to Salish Kootenai College IT Services.
    5. Remote Access
      1. All remote access connections to the Salish Kootenai College networks will be made through the approved remote access methods employing data encryption and multi-factor authentication.
      2. Remote users may connect to the Salish Kootenai College networks only after formal approval by the requestor’s manager and Salish Kootenai College IT Services.
      3. The ability to print or copy confidential information remotely must be disabled.
      4. Users granted remote access privileges must be given remote access instructions and responsibilities.
      5. Remote access to Information Resources must be logged.
      6. Remote sessions must be terminated after a defined period of inactivity.
      7. A secure connection to another private network is prohibited while connected to the Salish Kootenai College network unless approved in advance by Salish Kootenai College IT Services.
      8. Non-Salish Kootenai College computer systems that require network connectivity must conform to all applicable Salish Kootenai College IT standards and must not be connected without prior written authorization from IT Management.
      9. Remote maintenance of organizational assets must be approved, logged, and performed in a manner that prevents unauthorized access.
    6. Vendor Access
      1. Vendor access must be identifiable, provide non-repudiation, and comply with all existing Salish Kootenai College policies. Non-repudiation means that the form of vendor access provides assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.
      2. External vendor access activity must be monitored.
      3. All vendor maintenance equipment on the Salish Kootenai College network that connects to the outside world via the network, telephone line, or leased line, and all Salish Kootenai College Information Resource vendor accounts will remain disabled except when in use for authorized maintenance.

References

  • ISO 27002: 6, 7, 8, 9, 12, 15
  • NIST CSF: PR.AC, PR.IP, PR.MA, PR.PT, DE.CM
  • Policy 841.00, Data Access and Security
  • Policy 705.00, Incident Management and Recovery

History:

Approved: 3/17/2023
