Access Control Policy - Identity Management

Principle of Least Privilege – Business adheres to the principle of least privilege, specifying that users of Business systems will be given access to only the information and resources necessary to perform their job functions as determined by Senior Management, the Security Officer, Supervisor/Department Manager, or designee and by the Business Mission, State, and Federal regulations, and accreditation requirements.

Documentation Responsibilities – The Security Officer or designee shall document the physical and logical access control rules, rights, and roles for each user or group of users for each system in operation.

Access Approval – Users needing access to resources must be approved by Senior Management and must have submitted a User Access Request form outlining the physical and logical access required to perform their job duties. The level of access required to each system, facility, or network will be determined on a per-user basis.

User Accounts – Users of Business systems will be provided a unique user ID that can be used to trace activities to the individual responsible for that account. Generic user accounts shall only be utilized in circumstances where there is a clear business benefit, when user functions do not need to be traced, when additional accountability controls are implemented, and only after approval by the Security Officer or designee. By ensuring each user is uniquely identified—instead of using one ID for several employees—an organization can maintain individual responsibility for actions and an effective audit trail per employee. This will help speed issue resolution and containment when misuse or malicious intent occurs.

Administrator Accounts – Users performing privileged functions, such as system administrators, shall utilize a separate account that is different from their standard user account.

Access Acknowledgement – Each user is required to acknowledge, in writing, that they understand the level of access they are receiving, the security measures in place to protect the information and system(s) to which they have access, and that they understand the business requirements to be met by Business access controls before gaining access to resources.

Changes to Access – Changes to access level(s), such as in the case of promotion, demotion, termination, or change in job duties, shall be formally documented and approved by the appropriate Management representative. The IT Department is to be notified when users are terminated or transferred if their privileges change, or when accounts are no longer required. User access rights shall be reviewed and reallocated as necessary before changes are made.