ROWAN UNIVERSITY POLICY
Title: Affiliate Access Policy
Subject: Information Security
Policy No: ISO:2019:01
Issuing Authority: Senior Vice President for Information Resources and Technology and Chief Information Officer
Responsible Officer: Director of Information Security
Date Adopted: 08/29/2019
Last Revision: 08/29/2019
Last Review: 08/29/2019
This policy sets forth the guidelines and procedures for the granting of access to the Universities’ network and buildings to individuals not affiliated with Rowan University.
Under the direction of the President, the Chief Information Officer and Director of Information Security shall ensure compliance with this policy. The Vice Presidents, Deans, and other members of management will implement this policy in their respective areas.
This policy applies to individuals who are defined as affiliates of Rowan University and Rowan University employees who sponsor affiliates.
Refer to the Rowan University Technology Terms and Definitions for terms and definitions that are used in this policy.
Affiliates are required to adhere to Rowan University Acceptable Use Policy, and to all policies of the university which are applicable to their access.
Sponsors are Rowan University employees that have been certified to act as a sponsor of an affiliate. Only certified sponsors can initiate the request for affiliate’s access to Rowan systems or for RowanCard access to a university building. The sponsor will work with the system/data stewards to determine which systems or university building access will be made available to the affiliate.
Sponsors are responsible for completing the due diligence to validate an affiliate before sponsoring the affiliate’s access to Rowan systems or for a RowanCard access to a university building. Due diligence includes but is not limited to:
Background checks or identity document verification completed by the Human Resources department at Rowan University. It is the responsibility of each Sponsoring Unit to ensure background checks are conducted in compliance with Human Resource's policies. The cost of background checks are the responsibility of the Sponsoring Units.
Supporting documentation validating that the responsibility and due diligence for background checks or identity document verification has been completed by the affiliate’s organization as part of the purchase order, business contract, or other binding agreement established with the affiliate or affiliate’s organization and Rowan University
Sponsors are responsible to ensure that only those privileges necessary for the affiliate to fulfill their specific role are requested and ensuring that the affiliate receives only the privileges needed for their specific role at the University and that the privileges are not extended beyond a sufficient time frame.
Sponsors shall ensure that all procedures for requesting and approving affiliate access to Rowan systems or for a RowanCard access to a university building are followed. This includes ensuring that any required training, certifications, or background checks are completed before the affiliate is granted access to the Rowan systems or for RowanCard access to a university building.
Sponsors are responsible for notifying affiliates of the Affiliate Access Policy and the affiliate’s responsibilities described in the policy.
Sponsors are responsible for identifying a backup to handle renewals or other tasks associated with maintaining the affiliate’s access at the University. At any time during the period of the affiliate’s access, if the affiliate’s sponsor is no longer employed with Rowan University, the original sponsor’s supervisor or manager will become the new sponsor of the affiliate’s access to Rowan systems or RowanCard access to a university building.
System/Data stewards (Information Owners) shall implement procedures for regularly auditing access to sensitive data by affiliate accounts. Procedures may vary from data steward to data steward as necessary to accommodate different mission/resources/etc. and different groups of affiliates such as vendor affiliates that have direct access. However, all procedures shall include sufficient tracking of requests, approvals, and revocations such that authorized access to sensitive data is auditable, and ineligible accounts are suspended or terminated.
All affiliates’ access to Rowan systems or RowanCard access to a university building must have a life cycle of no longer than 12 months, after which they must be renewed/re-initiated by the sponsor.
The university reserves the right to modify and/or eliminate services to any affiliate without prior notification.
VI. POLICY COMPLIANCE
Violations of this policy may subject the violator to disciplinary actions up to or including termination of employment or dismissal from school, subject to applicable collective bargaining agreements and may subject the violator to penalties stipulated in applicable state and federal statutes. Affiliates, contractors and vendors who fail to adhere to this Policy and the Procedures and Standards may face termination of their business relationships with the University. Sanctions shall be applied consistently to all violators regardless of job titles or level in the organization per the Acceptable Use Policy.
By Direction of the CIO:
SVP and Chief Information Officer