Compliance with security procedures is required to ensure that access to data is adequately safeguarded.
This policy describes the authentication and authorization controls for the identified critical systems.
Key security is maintained for all affected areas. Key requests are to be submitted to Facilities by the employee's immediate supervisor and must include the signature of the Chief Information Officer. Keys for areas other than Maxwell are kept in a lock box in Maxwell 148.
Authentication/Authorization of Identified Critical Systems
Role-based access control (RBAC) is used. Member logins and their degree of access are created at the request of designated representatives from the following areas: HR, Records, Admissions, and CAPS Student Services. Designated supervisors from CAPS may create specific limited profiles for AGS Faculty. Any request for additional permissions must be submitted by the user's immediate supervisor using a form supplied by HR.
Individual requests from the ITS Help Desk for an Active Directory entry must be verified against a complete DRUS record in Datatel, created by Student Services, the Registrar's office or Human Resources, before a member of the Systems Administration team completes the entry.
Login requests must be received from firstname.lastname@example.org. Because Datatel uses role-based access control, the request must specify the security type needed; in practice this means naming an existing user whose access is to be cloned. If the active employee named as the template does not have an SOD record in the Datatel database, no new record will be created for the clone. DRUS records for new employees are created by the HR department.
Any financial access (the CF application, including access to budget information, purchase requests and approvals) must be approved by the Office of the Controller before restricted mnemonics are made available. Any request to change access to the Human Resources application mnemonics (HR) must include approval from the Director of Human Resources. Changes to user access for Advancement (application CA) must come from the Director of Advancement Services.
The new employee's SOD is set up in the same way as the Active Directory account. After the SOD record is created, a staff record is created to link the ID number to office codes and privacy access codes. Upon termination of an employee, the login is no longer valid once the AD entry is removed; SOD records are removed after one month.
Users are initially added to ImageNow when a department goes ‘live’. The initial user list is provided during the planning phase as part of the details spreadsheet. Once a department has completed its implementation, a Power User (a member of the planning team) uses the Add/Change/Remove User form to indicate that a new user should be added, that an existing user’s permissions should be modified, or that a user should be removed altogether. The form is available through the Family Page under Document Management. A details spreadsheet is kept current for each department that uses ImageNow/WebNow, with an updated copy posted to the department’s share folder. (source: A. Hufford)
Source 4 changes can only be made on one desktop unit in the IS department. Access to this PC is password protected. Once compiled, the file is placed in a folder on a specific server via that server's c$ administrative share; access to this folder on the server is restricted.
SQL Server Farms:
SQL Server Management access is granted by the Database team only. Because Remote Desktop is not enabled on the SQL Server Farm, VMware tools are required to access the console. Console permissions are granted by Jack Alexander (Systems Administration team) at the request of the Database Administrator. There are only three active users at the current time, and explicit permissions will be applied to any new user. Specific ports have been opened on individual servers to allow SQL Server Management access; this access is controlled by the Database team.
Access to individual voicemail recordings is controlled by a password created by the user.
Portal page (Employee Intranet):
The login page is publicly accessible. All other Web “pages” require authentication. Users authorized to log in include IWU Faculty and Staff with permission in Active Directory, and individuals authorized directly by their respective VP.
Wildcat page (CAS Student Intranet):
The majority of the Web “pages” in the Wildcat site are publicly accessible. User profiles, community groups, directories, forums and select announcements require authentication. Users authorized to log in include CAS Students, IWU Faculty and IWU Staff who are in Active Directory.
This policy will affect the Marion Campus.
06-May-2014 - Updated
04-Nov-2013 - Updated
09-Mar-2012 - Information entered into Mind Touch
13-Mar-2009 - Policy created
General Policy 400.01.01
University Information Technology
Chief Information Officer
Chief Financial Officer
There are no known exceptions to this policy at this time.
Note: This policy was created from suggestions listed in NIST SP 800-122 (ES3 Using Access Enforcement).