ROWAN UNIVERSITY POLICY

Title: Access Control Policy
Subject: Information Security
Policy No: ISO:2013:13
Applies: University-Wide
Issuing Authority: Senior Vice President for Information Resources and Technology and Chief Information Officer
Responsible Officer: Director of Information Security
Date Adopted: 07-01-2013
Last Revision: 06-01-2014
Last Review: 07-02-2018


I.  PURPOSE

To establish the access controls necessary to safeguard the University’s electronic information and information systems.

...

Under the President, the Chief Information Officer and the Director of Information Security shall ensure compliance with this policy. The Vice Presidents and Deans shall implement this policy.

...

  1. Health Insurance Portability and Accountability Act of 1996 http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
  2. Guest Account Registration Process
  3. ROWAN Code of Conduct http://www.ROWAN.edu/complweb/code/Statement of Principles

VI. POLICY

  1. Access to the University’s electronic information and information systems, and the facilities where they are housed, is a privilege that may be monitored and revoked without notification. Additionally, all access is governed by law, other University policies, and the ROWAN Code of Conduct.

  2. Persons or entities with access to the University’s electronic information and information systems are accountable for all activity associated with their user credentials. They are responsible for protecting the confidentiality, integrity, and availability of information collected, processed, transmitted, or stored by the University, irrespective of the medium on which the information resides.

  3. Access must be granted on the basis of least privilege: only to the resources required by the person’s current role and responsibilities. In addition to the administrative, physical, and technical safeguards presented in this policy, the security requirements defined in the University’s Information Classification policy must be followed.

  4. Requirements:
    1. Access controls to the University’s information systems must be established to ensure the confidentiality, integrity, and availability of the data accessible via those systems.
    2. Registration of Access
      1. With respect to registration of access to the University’s information systems:
        • There must be a formal authorization process documented for access requests.
        • The requester’s identity must be confirmed and authenticated.
        • User activity must be logged and tied to the user ID provisioned to the user.
        • User IDs must be unique and require a password.
        • Requests for access must be approved by the requester’s manager.
    3. Registration of Access for Non-ROWAN Personnel
      • Individuals who are not members of the ROWAN community and who have a justifiable business reason to gain access to ROWAN information services must go through the guest account registration process.
      • Registration must follow the requirements listed in section VI (A.1.).
      1. De-Provisioning of Access
        • Cancellation of access to all University information systems, facilities, and information services (e.g., remote access) must be done in accordance with the procedures listed in University policy, Cancellation of Access to University Assets.
    4. Information System Identity Access Management
      • Information systems must, at minimum, require a user ID and password.
      • Requests for a deviation from this requirement are limited to clinical systems which have been identified by the school or unit as requiring a different access method in order to provide patient care.
      • Deviations must be reviewed and approved by the Chief Information Officer.
      1. User ID Naming Conventions
        • User ID naming conventions must follow IR&T standards.
      2. Passwords
        • User IDs must have an associated password.
        • Passwords must be configured to follow IR&T standards and/or vendors’ recommendations for strong passwords.
    5. Generic Accounts
      1. In general, Generic Accounts are not permitted unless approved by the Information Security Office. In the event that they are approved, they must adhere to the following:
        • Generic accounts are subject to the requirements in this policy.
        • The accounts must be restricted to a specific device and named according to the device’s naming convention.
        • Generic accounts must be restricted to kiosks or specialty devices where standard authentication may impede the functionality of the device.
    6. Guest Accounts
      • Guest accounts are subject to the requirements in this policy.
      • The accounts must be sponsored by a ROWAN employee who is responsible for the safeguarding of the information or information system as detailed in Section IV.
      • The accounts must have a lifecycle no longer than 12 months, after which they must be re-approved by the sponsor.
    7. Service Accounts
      • Service accounts are subject to the requirements in this policy.
      • Service accounts can only be created by a member of ROWAN’s Active Directory or Domain Administrators team to facilitate an identified operational need.
      • Service accounts do not expire.
    8. System Default Service Accounts
      • Whenever possible, system default service accounts should be renamed or disabled as long as it does not adversely impact the operations of the application or other dependencies.
      • System default Service Accounts do not expire.
    9. Physician Emergency Access Procedures to EPHI Information Systems (HIPAA § 164.312(a)(2)(ii))
      • HIPAA requires that each school and unit establish documented emergency access procedures for EPHI information systems.
      • The procedures must satisfy the following two requirements:
        • The ability for physicians to access EPHI during a health emergency.
        • A contingency method for physicians to access EPHI if a natural or manmade disaster makes an information system unavailable.
      • Any deviation from HIPAA § 164.312(a)(2)(ii) must be documented and presented to the Office of Ethics, Compliance and Corporate Integrity and the Office of Legal Management.
    10. Facility Access
      • Physical access to the facilities where information systems are housed must be limited to personnel specifically authorized to access those information systems in the facilities.
      • Access to the University’s data centers must be approved by the data center manager and follow the Department of Public Safety’s access request process.
      • Access to facilities is managed by the Department of Public Safety, and the access request process is documented in University policy, Identification Cards.
    11. Separation of Duties
      • Access requests, authorization, and administrative responsibilities for information classified as Confidential or Private (otherwise considered sensitive) and their associated information systems should be separated.
      • Users should not have access privileges that would permit them to approve their own changes to an information system or electronic record.
      • If separation of duties is not possible due to staffing limitations, other mitigating controls must be in place to reduce the risk of fraud or tampering.
    12. Access Entitlement Review
      • Access to information systems with information classified as Confidential or Private, or otherwise considered sensitive as per the University’s Protection of Sensitive Electronic Information policy and Information Classification policy, must be, at minimum, reviewed quarterly.
      • Access to information systems with non-sensitive information must be reviewed semi-annually.
      • Access to the University’s data centers must be reviewed semi-annually.
    13. Responsibilities
      1. Vice Presidents and Deans:
        • Are responsible for safeguarding their organization’s electronic information and information systems.
        • Must ensure that each member of their organization understands the need to protect the University’s electronic information and information systems.
        • Must communicate this policy to all members of their organization.
      2. Business Unit Management:
        • Are responsible for safeguarding their unit’s electronic information and information systems.
        • Must perform and comply with the policy requirements relevant to their position and responsibilities.
        • Must ensure managers reporting to them perform and comply with the policy requirements relevant to their position and responsibilities.
      3. Information Owners (Data Stewards) must:
        • Establish access authorization procedures to their electronic information and information systems.
        • Establish physician emergency access procedures for EPHI information systems they own.
        • Perform and comply with the policy requirements relevant to their information systems.
        • Review access entitlements to their information systems as stipulated in this policy or when requested by IR&T, the Information Security Office, and/or Internal Audit.

...

  1. Any individual who violates this policy shall be subject to discipline up to and including dismissal from the University, as well as civil and criminal penalties. Sanctions shall be applied consistently to all violators.


By Direction of the CIO:

__________________________________

Mira Lalovic-Hand,
SVP and Chief Information Officer