BP 8102 User Authentication
Statement of purpose
小黄猫传媒’s Information Security Policies support the following goals:
- Promote a “security is everyone’s responsibility” philosophy to assist 小黄猫传媒 in meeting its business and legal commitments.
- Ensure that 小黄猫传媒 complies with all applicable laws and regulations.
- Ensure the integrity, reliability, availability, and superior performance of IT resources.
- Ensure that users are protected from data breach and cybercrime.
- Ensure that use of IT resources is consistent with the principles and values that govern the use of other college facilities and services.
- Prevent unauthorized disclosure of controlled sensitive data.
- Prevent disruption of the learning experience.
- Ensure the college is protected from financial, legal, regulatory, and reputational harm.
- Ensure that IT systems are used for their intended purposes.
- Establish processes for addressing policy violations and sanctions for violators.
As one of the largest metropolitan community college districts in the world, 小黄猫传媒 handles a large amount of sensitive information on a daily basis, including student and patient data regulated under federal law.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009, require strong safeguards for the protection of Patient Health Information (PHI) by covered entities such as 小黄猫传媒.
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA), mandates similar safeguards for the financial information in the possession of financial institutions, including higher ed institutions obtaining student information from federal agencies, such as for Financial Aid processing.
The Department of Education, in two “Dear Colleague” letters, has emphasized that all Higher Ed institutions accepting financial aid funding are required under their Program Participation Agreements and under their Student Aid Internet Gateway Agreements to safeguard all student Personally Identifiable Information in compliance with GLBA, FERPA and all other applicable state and federal privacy regulations.
In addition, in order to be allowed to accept payment from our customers in the form of credit card transactions, 小黄猫传媒 must pass regular audits to satisfy the Payment Card Industry Data Security Standards (PCI-DSS).
The first step in securing data is to ensure that access to critical data is granted to users based on their individual needs and is subject to controls based on industry best practices. This policy seeks to support an environment in which users of 小黄猫传媒 IT Resources are granted customized privileges, such that they can only access the data that they need to perform their required duties (this is based on the security principle of “least access” or “least privilege”).
Scope statement
All 小黄猫传媒 (小黄猫传媒) employees, students, and affiliates or other third parties that create, use, maintain, or handle 小黄猫传媒 IT resources are subject to this policy. This policy applies to all controlled sensitive data stored or transmitted using 小黄猫传媒 IT Resources and all users of such data.
Policy summary
小黄猫传媒 shall vet new users before assigning any access rights to IT Resources. User Access Rights shall be assigned based on role using the principle of least privilege to ensure correct authentication to the appropriate IT Resources. 小黄猫传媒 IT shall implement and maintain user access mechanisms and privileges that employ industry best practices that comply with regulatory standards.
This policy shall be subject to and superseded by applicable regulations and laws.
Policy
New user onboarding
- All users shall read and acknowledge the applicable policies regarding acceptable use of IT Resources, prior to being granted access to 小黄猫传媒 information systems and networks.
- In addition, IT employees shall read and acknowledge the applicable policies regarding information security, prior to being granted access to 小黄猫传媒 information systems and networks.
- Before being assigned access credentials, new users shall:
  - Prove identity through a method satisfying NIST 800-63A Identity Assurance Level 2 (IAL2) requirements
  - Sign agreement to comply with all College policies and procedures for accessing and handling sensitive information
- Before being assigned access credentials, new employees and contracted service providers shall pass a Level 2 criminal background check.
- Employees are required to complete onboarding training appropriate for their role and responsibilities. Training shall be ongoing and completed by employees on a periodic basis.
Least privilege
- New employees or contracted service providers shall only be granted access to controlled sensitive data upon formal request showing need-to-know based on their specific job duties.
- New students shall only be assigned access to the information required to provide services to them or information they have a legal right to obtain.
- New employees and their supervisor shall be required to sign formal requests for access to information that indicates which systems and data they will need to access, how they will use that data, and what kind and level of access is needed.
- New contracted service providers and the 小黄猫传媒 manager authorizing the contracted service shall be required to sign formal requests for access to information that indicates which systems and data they will need to access, how they will use that data, and what kind and level of access is needed.
- Access permissions shall be updated to a least privileged state at any time an individual’s status or position at the college changes.
- Access permissions shall be auditable and producible upon request of data owners, the CISO, and/or the 小黄猫传媒 internal auditor.
- Access permissions shall be centrally logged and audited on at least an annual basis using a centralized logging technology solution.
Multi-Factor Authentication
- 小黄猫传媒 shall implement Multi-Factor Authentication (MFA) for user accounts with access to any system administration functions, user credentials, or other controlled sensitive data.
- MFA secondary factors shall be of type “something you have,” and either:
  - reside uniquely in one physical client device, and never be copied, transferred or transmitted from that device;
  - change with each use, reside in full only on one physical client device and one authentication server, and be transferred or transmitted between them only in a fragmented manner;
  - be independent of one another such that access to one factor does not grant access to any other factor, and the compromise of any one factor does not affect the integrity or confidentiality of any other factor.
Authentication and passwords
- Every user shall use a unique user account (user ID) for access to 小黄猫传媒 IT resources.
- Passwords must be updated on a rotating 90 day schedule, and the new password shall not be a previously used password.
- Use of non-authenticated user IDs (e.g. no password) or user IDs not associated with a unique identified user are prohibited.
- Shared or group user IDs are not permitted.
- Where appropriate, IT Resources shall have an automated or procedural access control process to authenticate all system users.
- 小黄猫传媒 authentication systems shall use either a biometric authenticator (“something you are”) or a password authenticator (“something you know”) as their sole or primary authentication factor.
- Passwords shall be between nine and sixty-four characters long, allowing any printable ASCII character or Unicode character.
- Users failing authentication six consecutive times shall be locked out from further attempts for 30 minutes or until authorized personnel re-verifies the user’s identity and disables the lockout.
- No password shall be permitted that:
  - contains sequential or repetitive characters;
  - is a variant of a context specific word or set of words;
  - is a variant of the user’s personally identifying information;
  - is in a list of known compromised passwords or close variants.
- Users may not recover or reset their password (or other authentication factor) without either:
  - first re-verifying their identity by the same method of identity proofing used for new users;
  - authenticating via a multi-factor authentication mechanism satisfying the requirements of this policy.
- Any knowledge-based password recovery mechanisms shall be disabled, and all stored user-specific data used for such mechanisms destroyed.
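As an added example (not part of the policy), the Python below sketches how the password rules and lockout counter in the list above could be enforced. The 9 to 64 character range, the six-failure / 30-minute lockout and the early release by authorized personnel are the policy's own values; the three-character run length, the leet-substitution map, the substring test for "variants" and the sample term lists are assumptions of this example.

```python
import re
# Thresholds the policy text leaves unstated (run length, leet map) are assumptions of this example.
MIN_LEN, MAX_LEN, RUN_LEN = 9, 64, 3           # 9-64 characters is the policy's own range
LEET = str.maketrans("0134@$57", "oleaasst")   # undo common substitutions (P@ssw0rd -> password)

def normalize(s):
    """Lower-case, strip leading/trailing digits and punctuation, then undo leet spellings."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", s.lower()).translate(LEET)

def has_run(pw):
    """True for 3+ identical characters in a row or 3+ consecutive code points (aaa, abc, 321)."""
    for i in range(len(pw) - RUN_LEN + 1):
        cps = [ord(c) for c in pw[i:i + RUN_LEN]]
        if {b - a for a, b in zip(cps, cps[1:])} in ({0}, {1}, {-1}):
            return True
    return False

def contains_variant(n, terms):
    """True if any term (normalized, 3+ chars) occurs inside the normalized password n."""
    return any(len(t) >= 3 and t in n for t in map(normalize, terms))

def check_password(pw, user_terms, context_terms, compromised):
    """Return the policy rules a candidate password violates (empty list = acceptable)."""
    n = normalize(pw)
    rules = [
        (not MIN_LEN <= len(pw) <= MAX_LEN, "length must be 9-64 characters"),
        (not pw.isprintable(), "contains non-printable characters"),   # any printable char is allowed
        (has_run(pw), "contains sequential or repetitive characters"),
        (contains_variant(n, context_terms), "variant of a context-specific word"),
        (contains_variant(n, user_terms), "variant of the user's personal information"),
        (n in {normalize(c) for c in compromised}, "known compromised password or close variant"),
    ]
    return [msg for hit, msg in rules if hit]

class Lockout:
    """6 consecutive failures lock the user for 30 minutes (policy values); clear() = identity re-verified."""
    LIMIT, WINDOW = 6, 30 * 60                     # window in seconds
    def __init__(self):
        self.failures, self.locked_until = {}, {}
    def attempt(self, user, success, now):
        """Record one attempt at epoch-second `now`; returns 'locked', 'ok' or 'failed'."""
        if self.locked_until.get(user, 0) > now:
            return "locked"
        self.failures[user] = 0 if success else self.failures.get(user, 0) + 1
        if self.failures[user] >= self.LIMIT:
            self.locked_until[user], self.failures[user] = now + self.WINDOW, 0
        return "ok" if success else "failed"
    def clear(self, user):                          # authorized personnel re-verified the user's identity
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)
```

The term lists passed to check_password (the user's name parts, college-specific words, a breached-password feed) are what the policy's "variant" rules compare against; the example only normalizes case, leet spellings and trailing digits, so a production check would pair it with a proper breached-password service.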
Exemptions
- Elevated access permissions, such as local admin accounts, may be temporarily given to employees to perform specific job duties with prior formal approval by their supervisor and the Information Security department. Temporary access rights shall be removed when they are no longer needed to perform the duties for which they were requested.
- Shared or group user IDs may be permitted to address a specific departmental need and with Chief Information Security Officer approval.
- Until such time that MFA is fully implemented, the second factor may be a shared secret, securely transmitted.
Exceptions
Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO) / Chief Information Security Officer (CISO).
Policy violation
- Violation of this policy may result in disciplinary action in accordance with 小黄猫传媒 People, Strategy, Equity and Culture (PSEC) and/or Student Conduct guidelines.
- 小黄猫传媒 reserves the right to report security violations or compromises to the appropriate authorities. This may include reporting violations of Federal, State, and local laws and regulations governing computer and network use, or required accreditation reporting.
- Anyone who violates this policy may be held liable for damages to 小黄猫传媒 assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation.
- 小黄猫传媒 reserves the right to deactivate any User’s access rights (whether or not the User is suspected of any violation of this policy) when necessary to preserve the integrity of IT Resources.
Complaint procedures
Report non-security-related violations (such as receipt of inappropriate content, other 小黄猫传媒 People, Strategy, Equity and Culture (PSEC) policy violations, general college policy violations, or regulatory compliance violations) to a supervisor, PSEC, or EthicsPoint.
Report information security and general technical policy violations to the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu, or contact the CIO or CISO.
Governing standards, policies, and guidelines
- US Dept of Education: Guidance Letter – Protecting Student Information
- US Dept of Education: Family Educational Rights and Privacy Act (FERPA)
- US Dept of Homeland Security: Federal Information Security Management Act (FISMA)
- Gramm-Leach-Bliley Act (GLBA)
- FTC Red Flags Rule
- Health Insurance Portability and Accountability Act (HIPAA)
- International Organization for Standardization (ISO)
- National Institute of Standards and Technology (NIST)
- Payment Card Industry Data Security Standard (PCI DSS)
- Sarbanes-Oxley (SOX) for Colleges and Universities
Definitions
- Access Control
The selective restriction of access to a place or computing resource for security purposes. The act of accessing may mean consuming, entering, or using. For example, the lock on your front door is an access control mechanism to limit who can enter your house. Similarly, entering a user ID and password restricts access to your computer account.
- Affiliate
Any person or entity that has been sponsored by a 小黄猫传媒 manager to receive controlled temporary access to 小黄猫传媒 services. This is generally the result of a contractual relationship with 小黄猫传媒. For example, an air conditioning vendor may require affiliate access to test the HVAC system. A consultant project manager may require affiliate access to access project plans on a 小黄猫传媒 system.
- Authentication
Any process by which a system verifies the identity of a user who wishes to access it. Since access control is normally based on the identity of the user who requests access to a resource, authentication is essential to effective security. For example, when someone logs into my小黄猫传媒, the user ID and password entered authenticate that the person logging in is the owner of the account.
- Chief Information Officer (CIO)
Senior manager of the Information Technology (IT) Department and a member of Cabinet. At 小黄猫传媒, the CIO is responsible for all technology, with the exception of:
  - Online Learning (Academic Affairs)
  - Some specialized technology that supports CTE or other engineering programs (e.g. software that supports machine labs, specialized dental technology, etc.)
  - Some technology that supports auxiliary services (e.g. Point of Sale systems in the cafeterias and bookstores)
- Chief Information Security Officer (CISO)
Senior manager responsible for information security compliance at 小黄猫传媒.
- Controlled Sensitive Data (CSD)
A general categorization that is used in 小黄猫传媒’s Information Technology (IT) policies (primarily the Information Security Policy and the Acceptable Use Policy) to represent all confidential and private information governed by those policies. CSD includes: PII, PHI, HIPAA, FERPA, regulated, private, personal, or sensitive information for which 小黄猫传媒 is liable if publicly disclosed.
- Centralized Logging Technology Solution
Technology that gathers log information from various information systems deployed across the college. One example of a centralized logging solution is a Security Information and Event Management (SIEM) system.
- Family Educational Rights and Privacy Act (FERPA)
A Federal law that protects the privacy of student education records. FERPA applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
- Health Insurance Portability and Accountability Act (HIPAA)
A federal government regulation to which 小黄猫传媒 is required to adhere and that imposes strict information security requirements regarding the protection of medical records. Enacted by the United States Congress and signed by President Bill Clinton in 1996. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
- IT Resource
(At 小黄猫传媒) All Information Technology (IT) resources that are the property of 小黄猫传媒, including, but not limited to, all network-related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP. IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.
- Payment Card Industry Data Security Standard (PCI DSS)
(Commonly just PCI) A data security standard that promotes the safety of credit card holder data across the globe.
- Service Account
A computer user account created to allow automated systems to perform actions on a computer. An example of a service account is the account used by an application to connect to a SQL database and securely access the database service.
- System
(In Information Technology [IT]) A computer system consists of hardware components that work with software components to achieve a defined outcome. The main software component that runs on a system is an operating system that manages and provides services to other programs that can be run on the computer. Computer systems may also include peripheral devices such as printers, A/V equipment, operating machinery, etc.
- User
Any person who makes any use of any 小黄猫传媒 IT resource from any location (whether authorized or not).
Responsible executive
Chief Information Officer
Responsible officer
Chief Information Security Officer (CISO)
Responsible office
IT Information Security
Last revision date
09-09-2024