Procedure 7.04.01 - Information Systems Security


Guidelines

User Access Authorization

Each Southeastern Community College Information Systems Network (SCCNET) user/object must have an approved Access Authorization record, which is obtained through the following procedure:

  1. For all new access, the supervising vice president or president electronically submits an IS Access Request Form, which defines all the access requested for the new user.
  2. Current IS access changes can be submitted by the supervising vice president or president through email to the director of information technology. The email is electronically filed in the corresponding IS Access Authorization record. Current IS access can also be changed on the Annual IS Authorization Form submitted and signed by the supervising vice president or president.
  3. The IS Access Authorization database is maintained as the current, detailed record of each user’s/object’s authorized access.

Login/Password Protection

The IT staff builds each employee’s access on the system(s) for which the supervising vice president or president has authorized use. They also build or provide the information necessary to build student access. Users will be required to enter a unique username and password to gain access to the college’s information systems services or resources.

  1. The standard for employees’ and students’ login identification (user ID) is their first name (not to exceed 12 characters) as it appears on the college’s administrative server (unless they have specified a preferred name in the college administrative server, which will be used) plus their 2-digit birth day plus the last four (4) digits of their college administrative server identification number. Example: John J. Doe was born on June 5, 1988 and has a college administrative server identification number of 123456789. This user’s ID would be John056789.
    1. The new user ID convention will be used for all access and be incorporated into other applications as they are moved to Microsoft Active Directory or Microsoft Azure Active Directory services.
    2. Since duplicate user IDs are not permitted, any duplicate will be resolved by adding a sequential number at the end of the user ID, starting with the number 01. The user ID cannot exceed 20 characters, so the first name will be reduced by two characters in these cases.
  2. The standard for the employees’ and students’ initial password is set by the system. The user then creates their own password using either the college’s password reset portal or the Self-Service forgot-password link.
  3. Employees and students will use their user ID to log into their college email account.
    1. Employee email will be built with an alias email address created from the college administrative server first name plus a “.” plus their last name, unless they have specified a preferred name in the college administrative server. In that case, their alias email address will be the college administrative server preferred name plus a “.” plus their last name. If a duplicate alias email address occurs, a sequential number will be added after the last name, starting with the number 1.
    2. Student email will be built using their user ID.
  4. Users are required to enter unique passwords the first time the data services are utilized. For the following services, users are encouraged to use unique passwords that include alphanumeric, upper and lower case, and special characters rather than common predictable passwords such as the names of pets and family members, addresses, birthdates, or social security numbers.
    1. Microsoft Active Directory (AD) network access
    2. Microsoft Azure Active Directory (AAD) network access
    3. Google
    4. CIS Administrative Software access
    5. Voice Mail access
    6. Windows access
  5. A password life of 90 days is in effect on the Microsoft Active Directory and the Administrative Software services. Both services require a new, never-before-used password. When the 90 days have expired, the user must change the password to maintain access.
  6. Voicemail passwords are set during the user’s initial training and are not configured to expire. However, users are encouraged to change them periodically and especially when they suspect their passwords have been compromised.
  7. All system level administrative login passwords are changed at least every 45 days.
  8. Additional layers of security exist in the Administrative Software.
    1. CIS security is controlled through the specific security system built into the Ellucian Colleague software.
    2. The break parameter is disabled in all applications.
  9. No authorized users should provide anyone with their IDs or passwords, and no authorized or unauthorized users should use the IDs and passwords of another authorized user.
  10. Users who think their passwords may have been compromised should change them immediately.
  11. Multiple logins on any of the SCCNET services are discouraged. However, multiple sessions may be opened within the Administrative Software services with each requiring authentication.
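The user ID convention in item 1 and the alias convention in item 3 are deterministic rules with two edge cases (the 12-character first-name cap and duplicate resolution), so a small implementation makes them concrete. The following is an added example, not code from the college or its IT staff. It assumes a `Person` record with the fields the procedure names, follows the literal wording of item 1.2 for duplicates (drop two characters from the first name, then append 01, 02, …), enforces the 20-character cap as a final guard, and lower-cases alias addresses, which the procedure does not specify. All names and identification numbers in it are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

MAX_FIRST_NAME = 12   # first-name portion of the user ID is capped at 12 characters
MAX_USER_ID = 20      # the whole user ID cannot exceed 20 characters


@dataclass
class Person:
    first_name: str                        # first name as recorded on the administrative server
    last_name: str
    birth_day: int                         # day of the month, 1-31
    admin_id: str                          # administrative server identification number (constructed in tests)
    preferred_name: Optional[str] = None   # overrides first_name when the person has set one


@dataclass
class IdRegistry:
    """Remembers every user ID and alias already issued so duplicates get a sequence number."""
    user_ids: Set[str] = field(default_factory=set)
    aliases: Set[str] = field(default_factory=set)

    def make_user_id(self, p: Person) -> str:
        name = (p.preferred_name or p.first_name)[:MAX_FIRST_NAME]
        tail = f"{p.birth_day:02d}{p.admin_id[-4:]}"   # 2-digit birth day + last four digits of the ID number
        candidate = name + tail
        if candidate not in self.user_ids:
            self.user_ids.add(candidate)
            return candidate
        # Duplicate: literal reading of the procedure, the first name loses two characters
        # and a two-digit sequence number starting at 01 is appended.
        short = name[:-2]
        n = 1
        while True:
            seq = f"{n:02d}"
            # Hard cap of 20: trim more of the name if the sequence ever grows to three digits.
            keep = min(len(short), MAX_USER_ID - len(tail) - len(seq))
            candidate = short[:keep] + tail + seq
            if candidate not in self.user_ids:
                break
            n += 1
        self.user_ids.add(candidate)
        return candidate

    def make_alias(self, p: Person) -> str:
        """Employee alias: (preferred or first) name + '.' + last name; duplicates get 1, 2, ...
        Lower-casing is an assumption; the procedure does not state letter case."""
        base = f"{p.preferred_name or p.first_name}.{p.last_name}".lower()
        candidate, n = base, 1
        while candidate in self.aliases:
            candidate = f"{base}{n}"
            n += 1
        self.aliases.add(candidate)
        return candidate


if __name__ == "__main__":
    reg = IdRegistry()
    john = Person("John", "Doe", 5, "123456789")      # the procedure's own example person
    print(reg.make_user_id(john), reg.make_alias(john))  # John056789 john.doe
```

Running the block reproduces the procedure's example (John056789 and john.doe); feeding a second person with the same name, birth day and last four digits through the same registry shows the duplicate path.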
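Items 4, 5 and 7 combine three checks that a password-change handler has to make: the candidate must never have been used before, it should meet the recommended character mix and avoid personal terms such as birthdates or family names, and the existing password expires after 90 days (45 for system-level administrative logins). The block below is an added example, not code from the college's systems; it keeps a salted PBKDF2 hash of every password a user has set so reuse can be detected without storing plaintext. The iteration count and the `>=` reading of "when the 90 days have expired" are assumptions, and all passwords and dates are constructed.

```python
import hashlib
import os
import re
from datetime import date, timedelta
from typing import List, Optional, Tuple

USER_PASSWORD_LIFE = timedelta(days=90)    # AD and Administrative Software
ADMIN_PASSWORD_LIFE = timedelta(days=45)   # system-level administrative logins
PBKDF2_ITERATIONS = 100_000                # assumption: work factor is not stated in the procedure


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Salted hash of every password the user has ever set, plus the date of the last change."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []   # (salt, hash) pairs
        self.last_changed: Optional[date] = None

    def was_used_before(self, candidate: str) -> bool:
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return any(hash_password(candidate, salt) == h for salt, h in self._entries)

    def record(self, password: str, changed_on: date) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, hash_password(password, salt)))
        self.last_changed = changed_on


def is_expired(last_changed: date, today: date, admin: bool = False) -> bool:
    """True once the password life has elapsed (assumption: expired on the 90th/45th day)."""
    life = ADMIN_PASSWORD_LIFE if admin else USER_PASSWORD_LIFE
    return today - last_changed >= life


def complexity_findings(candidate: str, personal_terms: List[str]) -> List[str]:
    """Advisory findings against the recommended character mix; empty list means none."""
    findings = []
    if not re.search(r"[a-z]", candidate):
        findings.append("no lowercase letter")
    if not re.search(r"[A-Z]", candidate):
        findings.append("no uppercase letter")
    if not re.search(r"[0-9]", candidate):
        findings.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        findings.append("no special character")
    low = candidate.lower()
    for term in personal_terms:                  # pet/family names, birthdate fragments, etc.
        if term and term.lower() in low:
            findings.append(f"contains personal term {term!r}")
    return findings


def evaluate_change(history: PasswordHistory, candidate: str,
                    personal_terms: List[str]) -> Tuple[bool, List[str]]:
    """Returns (accepted, notes). Reuse is a hard rejection; the character-mix findings
    are advisory, matching the procedure's 'encouraged' wording."""
    if history.was_used_before(candidate):
        return False, ["password was used before; a never-before-used password is required"]
    return True, complexity_findings(candidate, personal_terms)


if __name__ == "__main__":
    h = PasswordHistory()
    h.record("Summer2020!", date(2020, 7, 1))            # constructed previous password
    print(evaluate_change(h, "Summer2020!", ["Doe", "0605"]))   # rejected: reuse
    print(evaluate_change(h, "Tr0ub4dor&3", ["Doe", "0605"]))   # accepted, no findings
    print(is_expired(date(2020, 7, 1), date(2020, 10, 19)))     # True: past 90 days
```

Because the history stores only salted hashes, checking a candidate costs one PBKDF2 computation per previous password; for long-lived accounts that is the price of the "never-before-used" rule, and it is why the work factor should be chosen with the history length in mind.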

Inactivity Protection

A password-protected screensaver is invoked on any workstation after 10 minutes of inactivity. Any CIS session that has been inactive for an hour is automatically logged out by the system. Inactive VPN connections are automatically terminated after 60 (sixty) minutes.

Physical Security

High-tensile steel cables and Master locks physically secure IS hardware in public, high-traffic areas.

  1. All CPU’s, flat panel monitors, and printers are secured in instructional labs.
  2. All administrative network printers are secured.
  3. Computers designated for general use (e.g., Internet access) in public areas are secured.
  4. Telecommunication closets are secured by locks to which only the IT staff and the director of facilities have keys.
  5. The campus telecommunications demarcation room houses all outside SCCNET connections, servers, and server console access. Access to this area is restricted to the IT staff and the director of facilities only. The demarcation room has a combination lock that is changed periodically.

Console Protection

The system consoles, housed in the campus demarcation room, are used only by IT staff. Off-campus access to the servers is occasionally necessary for support and maintenance purposes. Access is gained through a VPN connection or through a secure remote-control session. The VPN creates a very secure encrypted tunnel between the client’s computer and specific IP addresses on the inside network. The secure remote-control session is set up through a secure tunnel via the Internet. The session must be accepted by the IT staff and monitored throughout the connection.

Once the VPN challenges are met, the user must enter valid Administrative Software or Microsoft Active Directory usernames and passwords. In the case of the CIS server, remote access by root is disabled.

Unauthorized Access

Any instance of unauthorized access or attempted access discovered by employees should be immediately reported to the IT staff.

User Termination

IS Access removal is part of the IS Access Policy. The IT staff removes the user access from all systems at 11:59 p.m. on the user’s last day of employment unless otherwise requested by the supervising vice president or president.

Reviewed and Last Updated on October 19, 2020