Mar 28, 2024  
DMACC Policies and Procedures 
    

IS7010 - User Access Management


Procedure

Section: INFORMATION SOLUTIONS PROCEDURES

SubSection: Information Security

Master List Section: Information Solutions

Purpose

The purpose of this procedure is to provide guidelines for appropriate management of access to DMACC resources. It covers digital environments.

Scope

All students and employees, whether full-time, part-time, contract workers, consultants, part-time staff, interns and temporary workers, and other personnel are covered by this procedure. It also applies to all DMACC-owned equipment, employee-owned equipment used to conduct DMACC business or material related thereto.

Exceptions

There are no exceptions to this User Access Management Procedure except where permitted in writing by the IT and security departments.

Access Management Procedure Details

Students and employees should only have the minimum access needed to do their work.

DMACC Managers must request access as needed for existing and new employees.

DMACC Managers must approve elevated access requests for employees.

Administrator-level access on workstations and devices is allowable with appropriate business justification.

Arrange access to files based on groups or departments and use group-based permissions where possible.

Administrators should rely on “user-level” access when and where possible (such as to do routine work); only use dedicated administrator or root-level access where needed.

Refer to the Password Security Procedure for password security guidelines at DMACC.

Users must not share individual passwords or DMACC-assigned devices (or personal devices permitted to be used for DMACC business).

DMACC resources should only be accessed via secure means, such as a VPN.

Users should log off or lock their devices when not in use.

Refer to the Logging and Monitoring Procedure for logging and monitoring guidelines at DMACC. Notify staff if unauthorized access is attempted.

Accounts should be disabled immediately when employees depart DMACC and.

Student information will be kept 9 months from the end of the last semester attended. If the student is not registered for any classes after the 9-month period and the student is not an employee, all information will then be removed. Conduct routine checks for accounts which have been inactive for more than four weeks and disable these accounts.

Users should notify the IT/security department if they believe their password has been compromised.

If employees change roles, ensure that their access rights are updated accordingly.

Monitoring

The HR department and managers will monitor for adherence to this procedure. Any change to the User Access Management Procedure must be approved by IT or other groups designated as being responsible for revisions or updates.

Violations and Penalties

Any violation of the User Access Management Procedure must be immediately reported to any involved managers and the Human Resources department. Violating the User Access Management Procedure or any of its tenets could result in disciplinary action leading up to and including termination of employment and civil and/or criminal prosecution under local, state, and federal laws.


