ROWAN UNIVERSITY POLICY

Title: Access Control Policy

Subject: Information Security

Policy No: ISO:2013:12

Applies: University-wide

Issuing Authority: Information Security Office - Chief Information Security Officer

Responsible Officer: Vice President for Information Resources and Chief Information Officer

Date Adopted: 07-01-2013

Last Revision: 06-01-2014

Last Review: 09-01-2014

I.  PURPOSE

To establish the access controls necessary to safeguard the University’s electronic information and information systems.

II.  ACCOUNTABILITY

Under the President, the Chief Information Officer and the Chief Information Security Officer shall ensure compliance with this policy. The Vice Presidents and Deans shall implement this policy.

III.  APPLICABILITY

This policy applies to all members of the ROWAN community who access and use the University’s electronic information and information systems. It presents the administrative, physical, and technical safeguards necessary to manage and control access to ROWAN’s information systems.

IV. DEFINITIONS

  1. Administrative Safeguards – the policies and administrative procedures that manage the selection, development, implementation, and maintenance of the security measures that protect the university’s electronic information and information systems.
       
  2. Application – a computer program that processes, transmits, or stores University information and which supports decision-making and other organizational functions.   It typically presents as a series of records or transactions.  These records and transactions are generally accessible by more than one user.
      
  3. Availability – the expectation that information is accessible by ROWAN when needed.
      
  4. Business Unit – the term applies to multiple levels of the university, such as a revenue generating unit or a functional unit (e.g., Compliance, Human Resources, Information Resources and Technology (IR&T), Legal, and Finance).  It may also be comprised of several departments.
      
  5. Confidential Information – the most sensitive information, which requires the strongest safeguards to reduce the risk of unauthorized access or loss. Unauthorized disclosure or access may 1) subject ROWAN to legal risk, 2) adversely affect its reputation, 3) jeopardize its mission, and 4) present liabilities to individuals (for example, HIPAA/HITECH penalties).
      
  6. Confidentiality – the expectation that only authorized individuals, processes, and systems will have access to ROWAN’s information.
      
  7. EPHI – electronic protected health information.
      
  8. Generic Account – an account that is shared among a group of individuals, and typically used for devices like kiosks and clinical workstations.  There is no corresponding employee account (i.e., RUID).
      
  9. Guest Account – accounts provisioned to individuals not employed by ROWAN, but who have a justifiable business reason to access University resources.
      
  10. Information System – consists of one or more components (e.g., application, database, network, or web) that is hosted in a University campus facility, and which may provide network services, storage services, decision support services, or transaction services to one or more business units.
     
  11. Least Privilege – giving every user, task, and process the minimal set of privileges and access required to fulfill their role or function. This includes access to information systems and facilities.
      
  12. Physical Safeguards – physical measures to protect the facilities that house the University’s electronic information and information systems.
      
  13. Private Information – sensitive information that is restricted to authorized personnel and requires safeguards, but which does not require the same level of safeguards as confidential information. Unauthorized disclosure or access may present legal and reputational risks to the University.
     
  14. RUID – Reserved User ID.
      
  15. Service Accounts – accounts created by ROWAN’s Active Directory or Domain Administrators teams to satisfy specific functions, such as communications between systems or to facilitate other operational requirements.
      
  16. System Default Service Accounts – accounts created by a software vendor to facilitate installation or provide out-of-the-box functionality.
      
  17. ROWAN Community – faculty, staff, non-employees, students, attending physicians, contractors, covered entities, and agents of ROWAN.
      
  18. Technical Safeguards – the technology, policies, and procedures used to control access to and protect the University’s electronic information and information systems.
      
  19. User – refers to any member of the ROWAN community, as well as to visitors and temporary affiliates, who have been explicitly and specifically authorized to access and use the University’s data or information systems.

V. REFERENCES

  1. Health Insurance Portability and Accountability Act of 1996 http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
       
  2. Guest Account Registration Process
      
  3. ROWAN Code of Conduct http://www.ROWAN.edu/complweb/code/

VI. POLICY

  1. Access to the University’s electronic information and information systems, and the facilities where they are housed, is a privilege that may be monitored and revoked without notification. Additionally, all access is governed by law, other University policies, and the ROWAN Code of Conduct.
  2. Persons or entities with access to the University’s electronic information and information systems are accountable for all activity associated with their user credentials. They are responsible for protecting the confidentiality, integrity, and availability of information collected, processed, stored, or transmitted by the University, irrespective of the medium on which the information resides.
  3. Access must be granted on the basis of least privilege: only to the resources required by the person’s current role and responsibilities. In addition to the administrative, physical, and technical safeguards presented in this policy, the security requirements defined in the University’s Information Classification policy must be followed.
  4. Requirements:
  5. Access controls to the University’s information systems must be established to ensure the confidentiality, integrity, and availability of the data accessible via those systems.
  6. Registration of Access
    With respect to registration of access to the University’s information systems:
  7. Registration of Access for Non-ROWAN Personnel
  8. Information System Identity Access Management
     
  9. Generic Accounts
    In general, Generic Accounts are not permitted unless approved by the Information Security Office.  In the event that they are approved, they must adhere to the following:
  10. Guest Accounts
  11. Service Accounts
  12. System Default Service Accounts
  13. Physician Emergency Access Procedures to EPHI Information Systems (HIPAA § 164.312(a)(2)(ii)).
  14. Facility Access
  15. Separation of Duties
  16. Access Entitlement Review
  17. Responsibilities
       

VII. NON-COMPLIANCE AND SANCTIONS

Any individual who violates this policy shall be subject to discipline up to and including dismissal from the University, as well as civil and criminal penalties. Sanctions shall be applied consistently to all violators.


By Direction of the CIO:


__________________________________

Mira Lalovic-Hand,

VP and Chief Information Officer