1.0 PURPOSE
This procedure establishes a set of access controls to ensure the appropriate level of authorization to College data and information resources.
2.0 SCOPE
The procedure applies to all users of information resources within the College.
3.0 PROCEDURE
Account Creation
All College users (employees and students) will be issued accounts in the network directory system, Enterprise Resource Planning (ERP) system, and electronic mail system.
Employee Account Audits
A comprehensive review of all existing system users will be conducted annually to ensure that access is granted to current employees and that access rights are commensurate with job functions based on descriptions.
Student Account
Student accounts are created with enrollment at the College. No form will be necessary other than the College’s enrollment form.
Access levels will be given to:
- Login to college workstations with basic user rights and assistive technologies such as printing, scanning, etc. as appropriate.
- Login to the college’s wireless networks under the student Service Set Identifier (SSID).
- Have access to ERP and Learning Management System (LMS) resources sufficient to view their student record and participate in online classroom activities.
- Have access to student email to send and receive messages.
Regular Employee Account
To create a regular employee account, the employee, the supervisor, or the Human Resources office must submit a request for account access. Requests shall be submitted electronically or in hard copy format using the appropriate Northland Pioneer College Electronic Systems Application Form (ESAF). When submitted, the ESAF must be filled out completely, signed by the employee and the supervisor at a minimum, and submitted to the Support Center for review and approval. Employees are responsible for all actions and functions performed under their login ID (username).
Data Manager Responsibilities:
- Data Managers are responsible for granting access based on job title/role and shall provide the Information Services (IS) Division with a listing of detailed permissions based on job title.
- Data Managers may request special access rights based on special duties or assignments outside of those assigned by job title. These special rights must be clearly stated on the ESAF and approved by the Chief Information Officer (CIO) or Designee.
- Data Managers are responsible for ensuring that users are only granted access rights that are appropriate for an employee’s individual job title/role requirements. This is known as “Least Privilege” access.
- Data Managers and their associated areas of responsibility are defined by organizational structure.
Guidelines for reference:
- The employee’s job title, role or function and department requirements will determine the level of access to system resources.
- At a minimum, all accounts will require a username and password.
- Sharing of password-protected accounts between users is prohibited.
- Upon account establishment, notification shall be sent to the employee and their supervisor.
- Information Services staff will not process an ESAF that is completed incorrectly, completed on an out-of-date form, or contains vague phrases that do not clearly or adequately describe the right(s) requested, such as “just like employee [x]”.
Requests for elevated access to any system will be strictly limited and must be approved in writing by the CIO. Employees with elevated access may be subject to monitoring by logging user activities in a separate log file accessible only by the CIO or designee.
Temporary Employees and Student Workers
All temporary employees and student workers with access to the network should be aware of the following:
- Accounts are created for temporary employees and student workers using the same process as regular employees.
- Clearly defined roles for temporary workers and student workers are required and are guided by “Least Privilege” access and principles. Student worker supervision guidelines are to be followed.
- Temporary employees will be provided with a temporary account containing an account expiration date.
- Student workers will have accounts established until such responsibilities and roles expire.
Employee Account Modification
Current employees may request changes to their access by submitting an updated ESAF with necessary employee and supervisor approvals. Information Services will process the form and contact Data Managers for necessary approvals.
The Human Resources office will ensure that employees changing positions within the College adhere to the requirement of requesting a modification should their duties, and therefore access levels, change. Submission of a request for user account modification does not automatically guarantee the request will be granted.
Shared Account
The IS Division will not support or grant any Shared Account access.
Managed Provider Account
Managed provider accounts (for example, potential third-party services) will be granted on a limited basis and under the same process as an ESAF request. Active accounts will be audited and reviewed at least annually. Inactive and terminated accounts will be disabled.
Account Removal
The IS Division will disable access to technology resources when notified of an employee’s separation from the College. The Human Resources department will initiate the process by submitting an End of Employment form (also known as a “blue sheet”) to the Support Center.
Access to technology resources will be restricted by the close of business on the employee’s last working day, unless otherwise instructed by Human Resources, the CIO or the College President.
In the event of a need for urgent and immediate access suspension, a President’s staff member or the Chief Human Resources Officer will contact the CIO or designee. The CIO or designee will expedite the process of terminating access for the specified employee and will follow up with the Human Resources office for the End of Employment form for record-keeping purposes.
Retirees with or without Emeritus status will not retain access to any accounts upon separation from the College, yet may request to retain their College email address and have those emails forwarded to another email address. Student e-mail access will be available to the student indefinitely.
Any situations outside the scope of the guidelines above must be submitted by a member of the College's Executive Team to the CIO for review.
Remote Access
Employees may request remote access to College resources by indicating this option on the ESAF.
- Remote access users shall not violate any college policies, perform any illegal activities, or use the remote access for outside college interests.
- Remote access privileges will be strictly limited and evaluated on a case-by-case basis for approval by the CIO or designee. A request for remote access is not guaranteed and will be evaluated based on specific role, job description and/or requirement for such access.
- A unique, complex password of twenty-five or more characters will be required for all such accounts.
All accounts will have access suspended for inactivity after 180 days. Account auditing procedures are found in Procedure 2211.