Status: Approved; 04/20/05
Contact: Teresa Thomas
This standard is intended to ensure security controls and related procedures are implemented to protect the privacy, security and integrity of VCCS information technology resources against unauthorized or improper use, and to prevent and detect attempts to compromise information technology resources for any employee who is separated, transferred, or promoted.
In accordance with the Commonwealth of Virginia (COV) Information Technology Resource Management Standard (ITRM), COV ITRM Standard SEC2001-01.1, Information Technology Security, personnel security must be an integral part of a VCCS Entity’s information technology security plan. Personnel security reduces the risk that key information technology assets will be compromised by securing all VCCS systems and related data to access by authorized personnel only.
This standard is applicable to all VCCS Entities (System Office, Colleges, and ITS Enterprise Services).
Personnel Securityrefers to those practices, technologies and/or services used to ensure that personnel security safeguards are applied. Personnel security safeguards take into account 1) granting or withdrawing physical and system access privileges upon: hiring an employee, transferring an employee to another VCCS Entity or state Agency, terminating an employee, or when an employee resigns or changes job duties within a VCCS Entity; 2) system access will be granted, modified and revoked via a formal and auditable process, 3) security training to reinforce this standard will be conducted within 30 days of a new hire, 4) Non-Disclosure Agreements will be signed by all individuals who need access to "sensitive/confidential" information, prior to granting access to that information, 5) Background checks of personnel may be required consistent with VCCS Entity policy and depending on the sensitivity/confidentiality of information accessible to that position.
Auditable Processrefers to specific documentation which can be a manual or an automated process that provides sufficient evidence that will allow one to trace the events of an action that has taken place.
Sensitive Data/Informationrefers to critical information for which the unauthorized access, loss, misuse, modification, or improper disclosure could negatively impact the ability of the VCCS Entity to provide services and benefits to its students.
Confidential Data/Informationrefers to information that involves the privacy to which individuals are entitled by law. This information may only be disclosed to those individuals that are authorized and have a need to review the data or information.
Personnel security begins during the staffing process. Best practices suggest that two general principles should be followed in defining a position: separation of duties and least privilege. Separation of duties refers to dividing roles and responsibilities so that a single individual cannot subvert a critical process. For example, separate responsibility should be given for requesting a personal identification number and for authorizing a personal identification number. Least privilege refers to granting a user only those accesses that they need to perform their official duties. For example, a data entry clerk may not need to run analysis reports against the entire VCCS shared database. As part of the process to fill a position, best practices also suggest that testing and background screening should be used as appropriate to help validate and/or access a candidate’s qualifications, past performance and appropriateness for a particular position.
Once personnel have been hired, the related security safeguards are administered according to the VCCS security standard and acceptable use agreements via a Entity defined User account management procedure. User account management involves 1) establishing the procedures for requesting, issuing, and closing user accounts over the life cycle events of personnel (e.g., initial hire, transfers, position promotion, retirement, resignation, etc.); 2) tracking users and their respective access authorizations; and 3) managing these functions on an on-going basis.
Each VCCS Entity must establish and document the process which directs the steps and the timing required to grant and withdraw physical and system access privileges to personnel for the following events: new hire, employee transfer to another VCCS Entity, employee separation, employee resignation, employee change of job duties within a VCCS Entity, and documented disgruntled employee behavior. A similar process must be established for consultants (i.e., non-state personnel) working for or on behalf of a VCCS Entity. The following are specific expectations addressed by this standard that will serve to provide protection that must be afforded to VCCS information technology resources:
The responsible supervisor must determine and document the type of computer access that is needed for each employee and the sensitivity/confidentiality of the information/data required for that position.
System and information access for all employees will be granted via a formal, auditable, and documented process, and must be accompanied by security training that is commensurate to one’s duties and responsibilities.
The process must also address a periodic check to verify that accesses which have been authorized and granted in the past are still appropriate. Such a check will take place as a minimum annually. The Entity information security officer will initiate and coordinate this annual activity that must be completed prior to June 30th during each calendar year. However, all supervisors are solely responsible for auditing/recertifying, where applicable, the access of all of their direct reports including full time staff, part time staff, and consultants.
Employee’s access to all systems and information must be removed concurrent with when the requirement for access no longer exists (e.g., as result of transfer, termination, and change of duties). In the case of employees who are separated under abnormal circumstances (i.e., firing or death) their access must be removed upon receipt of formal notice. Again, it is the responsibility of the supervisor to initiate the required actions based on the circumstances.
All information, regardless of the medium, that contains client specific or personal information is considered sensitive/confidential and must be restricted to personnel who are authorized to use the information. Sensitive/Confidential information must also be protected from unauthorized access at all times. VCCS requires that access to sensitive information is only granted to employees where it is necessary to perform required job duties. Unauthorized use of sensitive information by VCCS employees is a violation of the VCCS Personnel Security Standard. Any employee who violates this standard may be subject to disciplinary actions. Access to any confidential or sensitive information/data must be explicitly granted to the individual by authorization received from the Data Owner or by the System Owner (i.e., not allowed by default).
The Entity’s Human Resources, Information Technology Services Office and the immediate supervisor must coordinate and work together to facilitate the expectations outlined in this standard.