Identification/Authentication Policy:   IW

 

PURPOSE:

The purpose of the Identification/Authentication Policy is to ensure the security and integrity of SPC data and information technology resources by ensuring controls for securing user identification and authentication credentials. 

To ensure the security and integrity of SPC data, identified users will securely authenticate to SPC information technology resources and access only resources which they have been authorized to access. 

If user identities are not properly authenticated, SPC has no assurance that access to information technology resources is properly controlled.  This policy will mitigate the risk of unauthorized access of information, as well as establish user accountability and rules for access.

 

SCOPE:

The Identification/Authentication Policy applies to all individuals granted access to SPC information technology resources. 

POLICY STATEMENT:

SPC shall require that systems are protected from unauthorized access by establishing requirements for the authorization and management of user accounts, providing user authentication (any or all of the basic authentication methods), and implementing access controls on SPC information technology resources. Access control is provided at the firewall, network, operating system, and application levels. 

SPC managers/supervisors have the responsibility of requesting access to information systems and approving user access privileges based upon their assigned duties, as well as notifying Data Owners and SPC-IS of the termination of access to information technology resources. 

Prior to being granted access to SPC information technology resources, the needs of the employee, student worker, contractor, vendor, guest, or volunteer shall be given ample consideration and authorization granted to allow access to SPC information technology resources. Access should be granted according to the principle of least privilege as outlined in IT Administrator/Special Access Policy (IS).

SPC accounts will have a unique identifier that is associated with a single user. Once an identifier is assigned to a particular person, it is always associated with that person. It is never subsequently reassigned to identify another person. 

Use of the authentication service to identify oneself to an SPC system constitutes an official identification of the user to the College, in the same way that presenting an ID card does. Security is everyone’s responsibility, and everyone has a responsibility to protect their own “identity”. Users will be held accountable for all actions of their accounts. 

Regardless of the authentication method used, users must use only the authentication information that they have been authorized to use; i.e., must never identify themselves falsely as another person. Additionally, users must keep their authentication information confidential; i.e., must not knowingly or negligently make it available for use by an unauthorized person.  Anyone suspecting that their authentication information has been compromised should contact the Information Security Office immediately. 

Users must adhere to the requirements of the SPC User Accounts Password Policy (IC). 

SPC Data Owners shall be responsible for ensuring that authorization and account management processes are documented and that the appropriate people have been assigned the responsibility of creating and maintaining authorization records. 

SPC Data Owners may monitor related activities of individuals as a condition for continued access.  At a minimum, SPC Data Owners must review user access privileges annually.

 

DEFINITIONS:

Authentication Credentials: The verification of the identity of a user who wishes to access a system, commonly using a password in conjunction with a unique UserID. 

Data Owner: Departmental position responsible for classifying business data, approving access to data, and protecting data by ensuring controls are in place. 

Mitigate:  The elimination or reduction of the frequency, magnitude, or severity of exposure to risks in order to minimize the potential impact of a threat. 

Principle of Least Privilege: The practice of limiting user profile privileges on computers to only the information and resources that are necessary, based on users’ job necessities. 

Unauthorized Access: Access by a person who has not been given official permission or approval to access SPC systems. 

User Identification: A unique sequence of characters used to identify a user and allow access to a computer system or computer network.

 

Related Policies, References and Attachments:

An index of approved SPC-IS policies can be found on the SPC Policies website at https://www.southplainscollege.edu/human_resources/policy_procedure/?%20.  The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.

DIR Security Controls Catalog Control Group: AC-1 

Approved by:  Executive Council, September 24, 2018

Next Review: October 1, 2020