Personnel Security Guideline

Personnel Security

Version: 1.0

Status: Approved; 04/20/05

Contact: Teresa Thomas

PURPOSE

To ensure access is deleted in a timely manner for terminated employees, and modified appropriately for transferred or promoted employees. This guideline is intended to provide a framework by which a VCCS Entity can ensure security controls are implemented to protect the privacy, security and integrity of VCCS information technology resources against unauthorized or improper use, and to prevent and detect attempts to compromise information technology resources for any terminated, transferred, or promoted employees.


SCOPE

In accordance with the VCCS Technology Standard for Personnel Security all Entities must establish and document the process which directs the steps and the timing required to grant and withdraw physical and system access privileges to personnel for the following events: new hire, employee transfer to another VCCS Entity, employee termination, employee resignation, employee change of job duties within a VCCS Entity, and perceived disgruntled employee behavior. The following guideline provides the standard framework for creating this process.


APPLICABILITY

This guideline is applicable to all VCCS Entities (System Office, Colleges, and ITS Enterprise Services).


DEFINITION

Personnel Security refers to those practices, technologies and/or services used to ensure that personnel security safeguards are applied. Personnel security safeguards take into account the following:

  1. Granting or withdrawing physical and system access privileges upon hiring an employee, transferring an employee to another VCCS Entity or state Agency, terminating an employee, or when an employee resigns or changes job duties within a VCCS Entity.

  2. System access will be granted, modified and revoked via a formal and auditable process.

  3. Security training to reinforce this standard will be conducted within 30 days of a new hire.

  4. Non-Disclosure Agreements will be signed by all individuals who need access to "sensitive" information, prior to granting access to that information.

  5. Background checks of personnel may be required, consistent with VCCS Entity policy and depending on the sensitivity of information accessible to that position.

Auditable Process refers to specific documentation, which can be a manual or an automated process, that provides sufficient evidence to allow one to trace the events of an action that has taken place.

Sensitive Data/Information refers to critical information for which the unauthorized access, loss, misuse, modification, or improper disclosure could negatively impact the ability of the VCCS Entity to provide services and benefits to its students.

Confidential Data/Information refers to information that involves the privacy to which individuals are entitled by law. This information may only be disclosed to those individuals that are authorized and have a need to review the data or information.


GUIDELINE

Personnel security begins during the staffing process. Once personnel have been staffed, personnel security safeguards are administered according to the VCCS security policy and acceptable use agreements via a college-defined user account management procedure. User account management involves 1) establishing the procedures for requesting, issuing, and closing user accounts over the life cycle events of personnel (e.g., initial hire, transfers, position promotion, retirement, resignation, etc.); 2) tracking users and their respective access authorizations; and 3) managing these functions on an ongoing basis.

The following are the minimum steps recommended to be included in the procedure for administering personnel security access:

New Hires: (Teaching Faculty, Administrators, Classified, and Part-time Wage)

  1. The Human Resources Office and the immediate supervisor are responsible for notifying the Entity ITS Office of any new hires. This information should be formally communicated prior to the employee’s assigned start date.

  2. All employees must sign the VCCS Computer Acceptable Use Agreement immediately upon employment with a VCCS entity.

  3. The immediate supervisor should determine the type of computer access that is needed for each employee and the sensitivity/confidentiality of the information/data required for that position. Access granted to personnel must be based on least privilege (i.e., only up to the level needed to perform one’s duties).

  4. Employees must complete security awareness training in accordance with the Entity’s security awareness program and the VCCS standard.

  5. The Entity Information Technology Services Office is responsible for granting the access as authorized by the employee’s immediate supervisor. They are expected to maintain formal records for any approved action and provide the immediate supervisor access to those records as required. This step should be automated where feasible.

Employee Transfer:

  1. The responsible supervisor must determine the type of computer access that is needed for each employee and the sensitivity of the information/data required for that position.

  2. The Entity Information Security Officer should work with both the present and former supervisors to modify the employee’s logical and physical access to meet the needs of the new position.

  3. The Entity Information Technology Services Office is responsible for granting the access as authorized by the employee’s immediate supervisor. They are expected to maintain formal records for any approved action and provide the immediate supervisor access to those records as required. This step should be automated where feasible.

Employee Promotion:

  1. The immediate supervisor must review current access and determine the type of computer access that is needed for the employee and the sensitivity of the information/data required for that position.

  2. The Entity Information Security Officer will work with the supervisor to modify the employee’s logical and physical access to meet the needs of the new position.

  3. The Entity Information Technology Services Office is responsible for granting the access as authorized by the employee’s immediate supervisor. They are expected to maintain formal records for any approved action and provide the immediate supervisor access to those records as required. This step should be automated where feasible.

Employee Separation:

  1. The immediate supervisor and the Human Resources Office must formally notify the Entity Information Technology Services Office when employees are separated from service or end their employment. In cases of abnormal terminations (firing, death, etc.) the notification should be handled with urgency.

  2. The Entity process must also address and make provision for employees who are not officially separated but may not be active for a specified period of time, such as adjunct faculty.

  3. The Entity Information Technology Services Office is responsible for revoking the access as authorized by the employee’s immediate supervisor. They are expected to maintain formal records for any approved action and provide the immediate supervisor access to those records as required. This step should be automated where feasible.

Review and Certification of Access:

Each Entity should consider the following steps in creating the internal procedure for reviewing and certifying the employee’s continuing need for access to VCCS ITS resources:

  1. The Information Technology Office will issue a formal notification to all supervisors regarding the date for submitting employee access certifications.

  2. All supervisors are solely responsible for auditing/recertifying, where applicable, the access of all of their direct reports, including Professional Faculty, Teaching Faculty, Administrators, Classified, Wage, Work-Study, and consultants, prior to June 30th each calendar year by notifying the Entity ITS Office. Failure to provide notification could result in the individual’s access being automatically suspended or in some cases revoked.

  3. The Entity Information Technology Office will formally notify the VCCS Information Security Officer of any changes impacting enterprise applications/services or those supported by the Commonwealth of Virginia.

