Technology Standard

 


Personnel Security - Access Determination and Control

Version: 1.0
Status: Approved 02/21/07
Contact: Director, Technology Services

 


PURPOSE

Personnel Security refers to those practices, technologies and/or services used to ensure that personnel security safeguards are applied. Personnel security safeguards take into account the following: 1) physical and system access privileges are granted or withdrawn upon hiring an employee, transferring an employee to another VCCS Entity or state Agency, terminating an employee, or when an employee resigns or changes job duties within a VCCS Entity; 2) system access will be granted via a formal and auditable process; 3) security training will be conducted within 30 days of a new hire; 4) Non-Disclosure Agreements will be signed by all individuals who need access to "sensitive" information, prior to granting access to that information; and 5) background checks of personnel may be required consistent with VCCS Entity policy and depending on the sensitivity of information accessible to that position.


SCOPE

In accordance with the Commonwealth of Virginia (COV) Information Technology Resource Management Standard (ITRM), COV ITRM Standard SEC501-01, Information Technology Security, personnel security must be an integral part of a System Office and College information technology security plan. Personnel security reduces the risk that key information technology assets will be compromised by restricting access to VCCS systems to authorized personnel only.


APPLICABILITY

This standard is applicable to all VCCS Entities (System Office and Colleges).


STANDARD

Personnel security begins during the staffing process. Early in the process of defining a position, the responsible supervisor determines the type of computer access that is needed for the position and the sensitivity of that position. Best practices suggest that two general principles should be followed in defining a position: separation of duties and least privilege. Separation of duties refers to dividing roles and responsibilities so that a single individual cannot subvert a critical process. For example, separate responsibility should be given for requesting a personal identification number and for authorizing a personal identification number. Least privilege refers to granting a user only those accesses that they need to perform their official duties. For example, a data entry clerk may not need to run analysis reports against the entire VCCS database. As part of the process to fill a position, best practices also suggest that testing and background screening should be used as appropriate to help validate and/or assess a candidate’s qualifications, past performance and appropriateness for a particular position.

Once personnel have been staffed, personnel security safeguards are administered according to the VCCS information security standard via user account management. User account management involves 1) establishing the procedures for requesting, issuing, and closing user accounts over the life cycle events of personnel (e.g., initial hire, transfers, position promotion, retirement, resignation, etc.); 2) tracking users and their respective access authorizations; and 3) managing these functions on an ongoing basis.

The System Office and all colleges should establish and document the process which directs the steps and the timing required to grant and withdraw physical and system access privileges to personnel for the following events: new hire, employee transfer to another VCCS Entity, employee termination, employee resignation, employee change of job duties within a VCCS Entity, and perceived disgruntled employee behavior. A similar process should be established for contractors (i.e., non-state personnel) working for or on behalf of a VCCS Entity.

Required: Access must be explicitly granted to personnel by the Data Owner or by the System Owner.

Recommended: System access should be granted via a formal, auditable, and documented process, and should be accompanied by security training that is commensurate to one’s duties and responsibilities. The documented process should also address a periodic check to verify that accesses which have been granted in the past are still appropriate. Such a check should take place at least annually.

Required: Access granted to personnel must be based on least privilege (i.e., only up to the level needed to perform one’s duties).

Recommended: This requirement should be explicitly stated in the process discussed in the previous point.

Required: Access must be terminated at the time the requirement for access no longer exists (e.g., as a result of transfer, termination, and change of duties).

Recommended: This process should be documented and should be auditable.

Required: Non-Disclosure Agreements should be signed by all individuals who need access to "sensitive" information, prior to granting access to that information.

Required: The System Office and colleges must identify all positions requiring a criminal background check.

Required: Restrict visitor access to facilities that house sensitive COV IT systems or data.


RELATED LINKS

Information Security Standard 

Information Technology Employee Acceptable Use Agreement 

Information Technology Student/Patron Acceptable Use Agreement 

Information Technology Acceptable Use Standard 

