Section: 2200s – Technology Advancement & Support
Last Review Date: 10/02/2023
Responsible Area: Technology Advancement & Support
Effective Date: 10/02/2023
Policy/policies the procedure is based on: 1138
Revision History: New 8/30/2019; Revised 10/02/2023
1.0 Scope
The procedure applies to all users of information technology within the College.
2.0 Purpose
This procedure establishes a set of access controls to ensure the appropriate level of authorization to College data and information resources.
3.0 Definitions
3.1 Microsoft Azure Active Directory – A cloud-based identity and access management service that enables employees to securely access external and internal resources.
3.2 Enterprise Resource Planning system – Higher education Enterprise Resource Planning (ERP) systems manage and automate workflows at colleges and universities. They standardize and streamline the flow of information between all business functions and departments within an institution. This is made possible by the ERP combining the functionality of multiple systems such as a student information system (SIS), school administration software, human resources, and financial management.
3.3 Customer Relationship Management system – Provides a central place where the college can store student and prospective student data to better track and engage with our students along their education journey.
3.4 Service Set Identifier – A sequence of characters that uniquely names a Wi-Fi network. A Service Set Identifier (SSID) is sometimes referred to as a network name.
3.5 Learning Management System – Learning Management Systems (LMS) provide a platform that helps the college create engaging eLearning experiences and manage and deliver online courses. It is a centralized hub for instructors to create, organize, and share educational content such as lectures, assignments, quizzes, and discussions. Students access the LMS to interact with the course material, submit assignments, participate in discussions, and track their progress. LMSs offer tools for communication, collaboration, assessment, and analytics, making them integral to both traditional classroom instruction and online instruction. At Northland Pioneer College, our current LMS is Moodle.
3.6 Data Managers – Individuals who have responsibility to ensure the quality and usability of their group’s data and who control access to it.
3.7 iSupport – The college’s ticketing system used by TAS to route and track requests and issues.
4.0 Procedure
4.1 Account Creation
All College users (employees and students) will be issued accounts in the network directory system (Microsoft Azure Active Directory), Enterprise Resource Planning (ERP) system (Jenzabar CX), and electronic mail system (Microsoft Exchange for employees, Google Mail for students). Additionally, students and employees with certain roles will be issued accounts in the Customer Relationship Management (CRM) system (TargetX).
4.2 Account Audits
A comprehensive review of all existing system users will be conducted annually to ensure that access is granted only to current employees and that access rights are commensurate with job functions as stated in job descriptions.
4.3 Student Account
Students who engaged with the college prior to applying to the college will already have a CRM account created. Those students who did not engage with the college prior to their application will automatically have a CRM account created once they have applied.
These accounts will be granted the following access:
a. Access to CRM sufficient to view their user record and access an application portal.
All other student accounts are created after they have applied to the College. No form will be necessary other than the College’s enrollment form.
These accounts will be granted the following access:
a. Login to college workstations with basic user rights and assistive technologies such as printing, scanning, etc. as appropriate.
b. Login to the college’s wireless networks under the student Service Set Identifier (SSID).
c. Access to ERP and Learning Management System (LMS) resources sufficient to view their student record and participate in online classroom activities.
d. Access to student email to send and receive messages.
4.4 Regular Employee Account
The employee, the supervisor, or the Human Resources office must submit a request for account access. Requests shall be submitted electronically by creating an iSupport ticket. When submitted, the iSupport ticket must be filled out completely and approved by the employee, or the supervisor at a minimum. The ticket will be routed to the Support Center for review and approval and sent to the appropriate Technology Advancement and Support (TAS) members for fulfillment. Employees are responsible for all actions and functions performed by their login id (username).
4.5 Data Manager Responsibilities:
a. Data Managers are responsible for granting access based on job title/role and shall provide the TAS Division with a listing of detailed permissions based on job title.
b. Data Managers may request special access rights based on special duties or assignments outside of those assigned by job title. These special rights must be clearly stated on the iSupport ticket and approved by the Chief Information Officer (CIO) or Designee.
c. Data Managers are responsible for ensuring that users are only granted access rights that are appropriate for an employee’s individual job title/role requirements. This is known as “Least Privilege” access.
d. Data Managers and associated areas of responsibility are defined by organizational structure.
4.6 Guidelines for reference:
a. The employee’s job title, role or function and department requirements will determine the level of access to system resources.
b. At a minimum, all accounts will require a username and password.
c. Sharing of end-user accounts between users is prohibited.
d. Upon account establishment, notification shall be sent to the employee and their supervisor.
e. Information Services staff will not process an iSupport ticket that is completed incorrectly or that describes the requested rights with vague phrases such as “just like employee [x]”.
Requests for elevated access to any system will be strictly limited and must be approved in writing by the CIO or Designee. Employees with elevated access may be subject to monitoring by logging user activities in a separate log file accessible only by the CIO or Designee.
4.7 Temporary Employees and Student Workers
All temporary employees and student workers with access to the network should be aware of the following:
a. Accounts are created for temporary employees and student workers using the same process as regular employees.
b. Clearly defined roles for temporary workers and student workers are required and are guided by “Least Privilege” access principles. Student worker supervision guidelines are to be followed.
c. Temporary employees will be established with a temporary account marked for expiration at a later date.
d. Student workers will have accounts established until such responsibilities and roles expire.
4.8 Employee Account Modification
Current employees may request changes to their access by submitting an updated iSupport ticket with necessary employee and supervisor approvals. The Support Center will process the form and contact Data Managers for necessary approvals.
The Human Resources office will ensure that employees changing positions within the College adhere to the requirement of requesting a modification should their duties, and therefore their access levels, change. Submission of a request for user account modification does not automatically guarantee that the request will be granted.
4.9 Shared Account
As a general rule, the TAS Division will not support or grant shared account access to college users or groups. Some vendors require the use of shared accounts to perform maintenance on NPC systems; in such cases, the credentials are not given to NPC and are securely stored by the vendor. When required by the design of a system, shared account credentials used by the TAS Network and Systems teams will be stored in an encrypted password manager as outlined in Procedure 2203.
As an exception to this rule, TAS does maintain a limited number of location or role specific accounts that are necessary in a few instances. As with other shared accounts, the credentials for these rare location or role specific accounts will be stored in an encrypted password manager.
4.10 Managed Provider Account
Managed provider accounts (for example, third-party services) will be granted on a limited basis and under the same process as an iSupport ticket request. Active accounts will be audited and reviewed at least annually. Inactive and terminated accounts are moved to a disabled status.
4.11 Account Removal
The TAS Division will disable access to technology resources when notified of an employee’s separation from the College. The Human Resources department will initiate the process by submitting a disabled account request using the NPC HR Application to begin the disabling process and notify TAS and the Support Center.
Access to technology resources will begin to be restricted by the close-of-business on the employee’s last working day, unless otherwise instructed by Human Resources, CIO, or college President. All access will be restricted once the employee has received their final paycheck.
In the event of a need for urgent and immediate access suspension, a President’s staff member, the Associate Vice President of Human Resources, or the Director of Employee Relations will contact the CIO or Designee. The CIO or Designee will expedite the process of terminating access for the specified employee and will follow up with the Human Resources office for the End of Employment form for record keeping purposes.
Retirees, with or without Emeritus status, will not retain access to any accounts upon separation from the College, but may request email-forwarding services and retain the email address. Student e-mail access will be available to the student indefinitely; however, inactive e-mail accounts will be disabled, and a request from the student will be required to reinstate them.
Any situations outside the scope of the guidelines above must be submitted by a member of the College's Executive Team to the CIO for review.
4.12 Remote Access
Remote access to College resources for an employee may be requested by the employee’s supervisor by indicating this option on the iSupport ticket.
a. Remote access users shall not violate any college policies, perform any illegal activities, or use remote access for interests outside the college, as detailed in the Computer and Electronic Access and Usage Procedure 2201.
b. Remote access privileges will be strictly limited and evaluated on a case-by-case basis for approval by the employee’s supervisor, the CIO, or Designee. A request for remote access is not guaranteed and will be evaluated based on specific role, job description and/or requirement for such access.
c. A unique password of twenty-five or more characters will be required for all such accounts.
All remote access accounts will be suspended after 90 days of inactivity. Account auditing procedures are found in Procedure 2211.
5.0 Inquiries
Direct inquiries about this procedure to: CIO