Scope
This policy governs which personnel are authorized to access constituent information and the system components that such data resides in. All personnel of Minneapolis College of Art and Design (MCAD) must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of every employee’s responsibilities. Non-employee users are covered in a separate policy. Note that financial and confidential student data are also covered via supplemental guidelines.
Policy
Access Authorization
Access authorization is the process of determining whether a prospective data user should be granted access to MCAD data. A data user is a person who has been granted explicit authorization to access the organization’s data by MCAD. Access must be granted in accordance with this Access Authorization and other related policies.
Data users must comply with the following requirements:
- Use the data only for purposes authorized by MCAD.
- Comply with all policies and procedures governing customer information promulgated by MCAD.
- Not disclose data unless authorized to do so and then, only to the limits as determined by MCAD.
An immediate supervisor and/or department head will determine which personnel get access to customer information in accordance with this Policy. In making such determinations, department supervisors will follow these guidelines:
- Prospective data users will not be given access unless they have a documented professional need.
- Prospective data users will be given only the minimum access necessary to perform duties requiring such access.
- Employees should have access only to data they need to perform their job function.
- Access should be limited to necessary tasks, such as read-only, read and copy, read and edit, add and delete.
- Employees who become aware of access other than the minimum to perform their job functions are to notify management immediately.
Supervisors and/or department heads will submit names in writing of personnel needing access with recommended levels of access to MCAD Computer Support. The appropriate Information Technology Services (ITS) team member will ensure that all prospective data users have a signed acknowledgment of the applicable Information Technology Program policies. The organization (and vendor contracts) requires all users to be adequately trained before granting access to the system. In addition, regular employees that require certain data access levels will be required to complete a background check and sign a confidentiality agreement before being hired.
Access modifications must be accomplished in accordance with this policy and must be requested in writing by the immediate supervisor and/or department head.
Termination of access must be accomplished in the earliest fashion available, based on the circumstances of the termination.
Access Establishment
Access establishment is the process of granting access to an authorized data user, one who has been authorized access under the MCAD Access Control Policy section Access Authorization.
Upon receipt of request from an immediate supervisor and/or department head to provide access to a named individual, the ITS team will determine whether any reason exists to deny the request. Grounds for denial include, but are not limited to, the following:
- Noncompliance with requirements of the Access Authorization Policy above.
- Security risk unknown to requesting immediate supervisor and/or department head.
- Refusal of prospective data user to sign required documents.
- Inability of prospective data user to properly use applications and system assets after training.
The ITS team will work with the applicable supervisor and/or department head to resolve cases in which the former initially denies access. If the matter cannot be resolved, the appropriate ITS team member will report the matter to the AVP Technology.
Upon granting access, the appropriate ITS team member will take the following steps:
- Assign the data user unique user identification.
- Assign the data user an initial password that follows the Password and Authentication Controls policy below.
- Ensure that data users understand the use and security of passwords that prohibits them from:
- Storing written password in an insecure area (digital or physical),
- Disclosing the password to any other person.
- Transmitting the password online, particularly by email.
- Any other practice the ITS team believes would put the availability, accuracy, or confidentiality of MCAD data, media, or equipment at risk.
- Data users must also understand that failure to observe the rules governing passwords may result in disciplinary action, up to and including termination. See also "Conduct: Confidentiality & Telecommunications and Computer Use" sections in the MCAD Staff Handbook.
- Conduct periodic refresher training for data users in proper use and control of passwords.
- Provide emergency override access for necessary personnel as determined by immediate supervisor or department head.
- Suspend access when appropriate to a breach of confidentiality/security. See also "Conduct: Confidentiality & Telecommunications and Computer Use" sections in the MCAD Staff Handbook.
- Modify access when notified to do so by an immediate supervisor and/or department head in accordance with this policy’s Access Modification section below.
- Terminates access when notified to do so by an immediate supervisor and/or department head.
Access Modification
Access modification is the process of changing the access to MCAD’s data and systems for an authorized data user, one who has been authorized access under this policy’s Access Authorization section and has had access established under this policies Access Establishment section.
Bearing in mind that, under MCAD’s policies:
- No person should have access who does not need access
- No person should have more access than necessary
- Supervisors and/or department heads may determine that an individual or a group of individuals need more, less, or otherwise changed access because of a change in duties or a change in status, such as full-time to part-time, employee to outside contractor, completion of a project, and the like. When the supervisor or department head makes such a determination, he or she should submit the requests in writing to the MCAD Computer Support email account to change the current level of access to another level of access.
- Upon receipt of request from an immediate supervisor and/or department head to modify access to a named individual, the appropriate ITS team member will determine whether any reason exists to deny the request.
The appropriate ITS team member will work with the applicable supervisor and/or department head to resolve cases in which the former initially denies access as described earlier in this policy.
Upon granting the changed level of access, the appropriate ITS team member will take necessary measures to change the level of access and maintain records of the changed access.
Access Suspension
In order to maintain best practices for security, MCAD has decided that user accounts may be disabled during an employee’s extended leave, if requested in writing by the immediate supervisor and/or department head. Extended leave is defined by HR policies and/or immediate supervisor and/or department head.
Access Termination
Upon termination of an employee, HR will notify MCAD Computer Support via email. If the termination is voluntary, the email will state the individual's name and date of termination. Upon receipt of this voluntary termination email, the appropriate ITS team member will have all user account access disabled on the last day of employment. If the termination is involuntary, the email will also include the statement "Disable all user account access immediately.". Upon receipt of this involuntary termination email, the appropriate ITS team member will immediately disable all user account access.
Following a termination, the department head or other designated staff member will then have all documents stored in the individual’s server share reviewed. When possible, unneeded documents will be deleted or moved to another location. The individual’s folder and access will then be deleted after 2 weeks of final termination unless otherwise requested by HR or the department head.
Password and Authentication Controls
Password Requirements:
- Passwords must be at least 10 characters long
- Passwords must contain at least one uppercase alpha character or capital letter (A-Z)
- Passwords must contain at least one numeric character or number (0-9)
- Passwords must contain at least one special character or punctuation (examples: !, $, #, %)
- Passwords must NOT contain single quotes ('), double quotes ("), or backslashes (\)
When possible, MCAD Technology configures the various systems at MCAD to enforce the requirements.
Compliance and Enforcement
All immediate supervisors and/or department heads are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination.