Responsible Office: IT Services
Policy Officer: VP for Finance and Administration
Scope: Faculty, Staff, Student
Approved By: President's Council
Approved Date: 4/27/2022
Effective Date: 4/27/2022
Category: Institutional
Description/Purpose:
The purpose of this policy is to ensure that access to the university information technology network is limited to authorized persons, as intended by University leadership and the Department of Information Technology Services. This policy defines the intended level of access for each user type (role) and authorizes the Department of Information Technology Services to monitor for, detect, and remedy violations of the Logical Access Policy.
Details:
I. PURPOSE AND APPLICATION
The purpose of this policy is to ensure that access to the university information technology network is limited to authorized persons, as intended by University leadership and the Department of Information Technology Services. This policy defines the intended level of access for each user type (role) and authorizes the Department of Information Technology Services to monitor for, detect, and remedy violations of the Logical Access Policy.
II. SCOPE
This policy applies to all employees, faculty, students, vendors and partners at Saint Francis University.
III. IMPLEMENTATION
The University reserves the right to monitor and manage access control on its networks in order to prevent unauthorized access, misuse of network resources, or data loss, in accordance with University policies and local, state, and federal law, and to take other actions as necessary.
IV. STATEMENT OF POLICY AND PROCEDURE
A logical access framework will be established, maintained, and periodically audited to detect or prevent any violation of the intended access defined herein.
- The university will follow its established onboarding and offboarding procedures, which inform all affected departments, including IT, of changes in work status for all users.
- University leadership and Human Resources will enforce appropriate procedures for maintaining the intended logical access and will take or prescribe appropriate action to prevent unauthorized access to university systems.
- Intended logical access will be periodically monitored by IT for compliance.
A. Intended Access by User Type

| User Type | Password Expiration | Account Expiration | Notes |
|---|---|---|---|
| Admin Account | 90 Days | None | Administrative accounts must also comply with the privileged user access policy. |
| W2 Employees | 180 Days | None | All employees on university payroll. |
| Adjunct Faculty | 180 Days | One Year | All adjunct faculty. |
| Student Workers | 180 Days | 730 Days / 2 Years | Student worker accounts follow the same onboarding and off-boarding procedure as other W2 employees. |
| Retired / Emeritus | 180 Days | None | All accounts must be approved by HR and reviewed by HR at least annually. |
| Agency Staff | 180 Days | 180 Days Maximum | Agency staff onboarding should record the length and termination date of the contract. |
| Vendor Accounts | 180 Days | Expiration of Vendor Contract | All vendor accounts must be validated by the department lead, manager, supervisor, or IT prior to creation. |
| Contractor | 180 Days | Expiration of Contract | 1099 contractor onboarding should record the length and termination date of the contract. |
| Augment Staff | None | 30 Days | Temporary staff who augment a particular project or campus activity. Accounts are not specific to the user, and passwords are set to reset on first login. |
| Test Accounts | None | 30 Days | Test accounts are created through the resolution of a service ticket; their passwords are stored in a password vault. |
| Service Accounts | None | None | Service accounts are created through the resolution of a service ticket; their passwords are stored in a password vault and are set to never expire. |
B. Password Policy
- Users shall conform to the following standards when creating a password:
  - Passwords must be at least 8 characters in length.
  - Password expiration follows the intended-access table above.
  - Users cannot reuse any of their last 5 passwords.
  - Accounts will be locked for 15 minutes after 10 failed login attempts.
  - Passwords must meet complexity requirements: they must contain characters from at least 3 of the following 4 categories:
    - Upper case letter(s)
    - Lower case letter(s)
    - Number(s)
    - Symbol(s)
- Passwords shall not be written down by the user.
- Passwords shall not be sent together with other account information in any written communication. A password may be communicated through a secondary channel, or in a separate message that carries no label or identification marking it as a password.
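The rules above (minimum length, 3-of-4 complexity, no reuse of the last 5 passwords, and a 15-minute lockout after 10 failures) can be enforced mechanically. The following Python is an added example written for this page; it is not code from the policy or from any university system. The scrypt parameters, the in-memory storage, the constructed timeline in `simulate_failures`, and the assumption that the failure counter resets on a successful login or when a lockout expires are all choices made for the example.

```python
"""Password-policy checks for Section IV.B (added example, not university code)."""
import hashlib
import hmac
import os
import string
from collections import deque
from datetime import datetime, timedelta

MIN_LENGTH = 8                   # at least 8 characters
MIN_CATEGORIES = 3               # characters from 3 of the 4 categories below
HISTORY_DEPTH = 5                # no reuse of the last 5 passwords
MAX_FAILURES = 10                # lock after 10 failed login attempts
LOCKOUT = timedelta(minutes=15)  # lockout duration

CATEGORIES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def check_complexity(password: str) -> list:
    """Return the rules a candidate password violates (empty list = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    present = sum(1 for chars in CATEGORIES.values() if any(c in chars for c in password))
    if present < MIN_CATEGORIES:
        violations.append("complexity")
    return violations


class PasswordHistory:
    """Keeps salted scrypt digests of the last HISTORY_DEPTH passwords so reuse can be
    refused without ever storing plaintext. scrypt cost parameters are assumptions."""

    def __init__(self):
        self._entries = deque(maxlen=HISTORY_DEPTH)  # (salt, digest), oldest evicted first

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

    def was_used(self, password: str) -> bool:
        # Re-derive under each stored salt; constant-time compare avoids timing leaks.
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries)

    def set_password(self, password: str) -> list:
        """Validate a new password against all rules; record it only if it passes."""
        violations = check_complexity(password)
        if self.was_used(password):
            violations.append("reuse")
        if not violations:
            salt = os.urandom(16)
            self._entries.append((salt, self._digest(password, salt)))
        return violations


class LockoutTracker:
    """Counts consecutive failed logins per account and enforces the 15-minute lockout.
    Assumption: the counter resets on a successful login or when a lockout expires."""

    def __init__(self):
        self._failures = {}       # user -> consecutive failed attempts
        self._locked_until = {}   # user -> datetime the lockout ends

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout has expired: clear it and start counting afresh.
            del self._locked_until[user]
            self._failures[user] = 0
            return False
        return True

    def record_failure(self, user: str, now: datetime) -> bool:
        """Record one failed attempt; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


def simulate_failures(minutes: list) -> list:
    """Replay failed logins for one account at the given minute offsets (a constructed
    timeline) and return the lock state reported after each attempt."""
    tracker = LockoutTracker()
    start = datetime(2022, 4, 27, 9, 0)
    return [tracker.record_failure("alice", start + timedelta(minutes=m)) for m in minutes]


if __name__ == "__main__":
    print(check_complexity("password"))                 # only one character category
    print(simulate_failures([0] * 10 + [14, 15, 16]))   # 10th attempt locks, unlock at 15 min
```

`simulate_failures` shows the edge the policy text leaves implicit: the tenth failure locks the account, an attempt at minute 14 is still refused, and once the 15 minutes have elapsed the counter starts again from zero rather than locking on the next single failure.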
C. Account Management

| Action | Procedure |
|---|---|
| Account Creations | All account creations should result from a service ticket, either through the appropriate onboarding process or through a direct request from a department lead, manager, supervisor, university HR, or IT. Test accounts may be requested by an appropriate member of the IT team but must also follow the standard account creation process through the ticketing system. |
| Access Changes | Account changes should result from a service ticket raised by a department lead, manager, supervisor, university HR, or IT. Test accounts may be changed by an appropriate member of the IT team but must also follow the standard account change process through the ticketing system. |
| Unlocking Accounts | Account lockouts last no longer than 15 minutes. Users may nevertheless request that their account be unlocked by contacting the Support Center and following the normal ticketing process. |
| Password Resets | Users may contact the Support Center for password resets, following the normal ticketing process. |
| Account Extensions | An automated email message will be delivered to the owner of an expiring account during the last 10 days of availability. Extensions may be requested from the Support Center by the department lead, manager, supervisor, university HR, or IT office, and a ticket will be generated. Account extensions may not exceed 180 days. |
| Disabling Accounts | Accounts will be disabled within 24 hours of the request, either through the appropriate offboarding process or through a direct request from a department lead, manager, supervisor, university HR, or IT. |
| Audit Findings | The cyber security office will notify university HR of any audit finding in which HR shows a user as active while IT shows the user as inactive, or vice versa. If no action has been taken after 2 periodic reviews and there has been no activity on the audited account, IT will place the account into long-term decommissioning. |
| Expired Accounts | Accounts that have been expired for 90 days or more will be automatically disabled and placed into standard decommissioning. |
| Expired Passwords | Accounts with an expired password and no activity for 1 year or more will be automatically placed into long-term decommissioning. |
| Standard Decommissioning Process | Disabled accounts are held in the system for 90 days. A change request listing the accounts to be permanently deleted is then drafted and executed. |
| Long-Term Decommissioning | Accounts placed into long-term decommissioning are disabled and held in that container for 1 year, then moved to the standard decommissioning container for deletion after a further 90 days. |
D. User Responsibilities
- User IDs, usernames, and passwords must not be shared with others.
- Users shall be made aware of, and are required to follow, security procedures for protecting equipment, media, and printed information from unauthorized use.
- Users shall follow clear-screen and clean-desk procedures (desk cleared and data secured whenever the desk is unattended) when leaving their work areas.
- Users shall understand that no IT or university personnel will ever ask a user for their password; any such request is prohibited by this policy.
V. KEYWORDS AND DEFINITIONS (in alphabetical order)
"Clear-Screen / Clean-Desk Procedures" - refers to ensuring that data used during work at a workstation is not visible to unauthorized persons while the workstation is unattended.
"Network" - refers to the computing resources owned and operated by Saint Francis University.
VI. RELATED POLICIES, FORMS AND RESOURCES
A. Related Policies
"Logical Access Control"
"Information Security Policies"
VII. POLICY REVISION HISTORY