Access Control Policy for Rockhurst University
Introduction:
Rockhurst University recognizes the importance of implementing robust access controls to protect systems and data containing nonpublic personal information (NPI) and student educational records in compliance with applicable regulations, including the Gramm-Leach-Bliley Act (GLBA), Federal Trade Commission (FTC) Safeguard requirements, and the Family Educational Rights and Privacy Act (FERPA). This Access Control Policy outlines the principles and procedures for granting, modifying, and revoking access privileges based on job roles and responsibilities.
Scope:
This policy applies to all individuals and entities associated with Rockhurst University who require access to systems and data containing NPI and student educational records, including faculty, staff, students, contractors, and any external parties granted access to university systems or sensitive data.
Policy Statement:
Rockhurst University is committed to maintaining the confidentiality, integrity, and availability of NPI and student educational records by implementing access controls based on the principle of least privilege. Access privileges will be granted, modified, and revoked in accordance with individuals' job roles, responsibilities, and the need-to-know principle.
Access Control Principles:
The following principles guide the implementation of access controls:
- Least Privilege: Access privileges will be granted at the minimum level necessary to perform job functions effectively. Users will have access only to the resources required for their assigned duties.
- Role-Based Access Control (RBAC): Access privileges will be based on defined job roles and responsibilities. Roles will be clearly defined, and access rights associated with each role will be documented.
- Need-to-Know: Access to NPI and student educational records will be restricted to individuals who require access to fulfill their professional responsibilities.
- Separation of Duties: Where feasible, tasks and access privileges will be segregated among different individuals to prevent unauthorized activities and reduce the risk of errors or fraud.
- Account Provisioning and De-provisioning: Access privileges will be provisioned when individuals join the university or assume new roles and de-provisioned promptly upon termination of employment or change in job responsibilities.
Access Control Procedures:
The following procedures outline the process for granting, modifying, and revoking access privileges:
- Role Assignment:
  - Job roles and responsibilities will be clearly defined, and access rights associated with each role will be documented.
  - Access privileges will be granted based on an individual's assigned role and the need-to-know principle.
- Access Request and Approval:
  - Individuals requiring access to systems and data containing NPI and student educational records will submit access requests to their supervisors or appropriate data custodians.
  - Access requests will be reviewed and approved by authorized personnel based on the principle of least privilege and adherence to defined roles and responsibilities.
- Access Provisioning:
  - Upon approval, access privileges will be provisioned by the designated administrators or IT personnel responsible for system and data management.
  - Access privileges will be granted based on the defined roles and responsibilities of the individual.
- Access Modification:
  - Access privileges may be modified based on changes in job roles, responsibilities, or the need-to-know principle.
  - Access modification requests should follow the same request and approval process as access provisioning.
- Access Revocation:
  - Access privileges will be promptly revoked upon termination of employment, change in job responsibilities, or as deemed necessary by authorized personnel.
  - The revocation process will ensure the removal of access to systems and data containing NPI and student educational records.
- Access Review:
  - Regular access reviews will be conducted to ensure that access privileges remain appropriate and necessary.
  - Access reviews will be performed by authorized personnel to identify and address any excessive or outdated access privileges.
Monitoring and Enforcement:
Rockhurst University will implement monitoring mechanisms to detect unauthorized access attempts and violations of access control policies. Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or legal consequences.
Training and Awareness:
Rockhurst University will provide training and awareness programs to educate employees and relevant individuals about access control policies, procedures, and their responsibilities regarding NPI and student educational records.
Policy Review and Updates:
This Access Control Policy will be reviewed periodically to ensure its effectiveness and compliance with changing regulatory requirements. Updates will be made as necessary to address emerging risks and technological advancements.
By adhering to this Access Control Policy, Rockhurst University aims to safeguard NPI and student educational records and to maintain compliance with GLBA, FTC Safeguard, and FERPA regulations.
Last Review Date: 2024.06.12