Access Management Policy

February 28, 2022

Purpose

The purpose of this policy is to mandate requirements for access management controls across the technological environment at St. George’s University, University Support Services, (collectively, the Enterprise). This policy will aid the Enterprise in managing access to its information systems.

Scope

This policy applies to all information systems used throughout the Enterprise, whether managed centrally or in a distributed fashion. This policy applies to all individuals and entities who intend to access the Enterprise’s information systems and data, including relevant third-party service providers and hosted/cloud-based systems.

Background

Access to the Enterprise’s electronic information resources must be managed in a manner that maintains the confidentiality, integrity, and availability of Enterprise resources, and in a manner that complies with any applicable legal and regulatory requirements.

Definitions

  • Authentication: The process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
  • Authorization: Access privileges granted to a user, program, or process, or the act of granting those privileges.
  • Multi-Factor Authentication (MFA): Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/personal identification number (PIN)); (ii) something you have (e.g., token generation device); or (iii) something you are (e.g., biometric).
  • Least Privilege: The principle that a security architecture is designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.
  • Privileged Access Management (PAM): The process of managing and protecting credentials to accounts that have some level of administrative access to devices or systems, including local administrator accounts and superusers.
  • User: Individual or (system) process, acting on behalf of an individual, authorized to access a system.
      • Organization User: An organizational employee or an individual whom the organization deems to have equivalent status of an employee, including a contractor, guest researcher, or individual detailed from another organization.
      • Non-Organization User: A user who is not an organizational user.
      • Privileged User: A user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

Policy Statement

Access Management is the process of identifying, tracking, controlling, and managing user access rights to information systems. Any user who requests access to systems, applications, or data must have their identity authenticated. Additionally, user access should be further restricted following the principle of Least Privilege, and in alignment with any Enterprise-defined segregation of duties guidelines.

User account provisioning must include creation of unique credentials for new users and disablement and revocation of a terminated user’s access privileges upon termination.

Privileged access must only be provided to users as needed. Users with privileged user accounts must also have an organizational user account, which follows the principle of least privilege, and must use this organizational user account for their day-to-day job functions. Privileged user accounts must only be used when elevated privileges are required by the system or application.

Where there is any requirement for shared usage of an account, this must be signed off by the IT Security division, and all usage must be audited and traceable to an individual authorized user account.

All remote access to the Enterprise’s network must utilize a secure solution that employs multi-factor authentication and a secure network encryption protocol.

Multi-Factor Authentication

The Office of Information Technology (OIT) has taken several steps to protect and monitor our Information Systems. As part of these efforts, the OIT has enabled Multi-Factor Authentication, which provides a common method of protection for organizations like ours that utilize and store sensitive, personal, and financial information.