Effective Date: December 13, 2021
Last Reviewed/Approved Date: New Policy
Next Scheduled Review Date: December 13, 2022
Policy Type: Campus-Wide
The purpose of implementing access controls within a technology environment is to minimize the risk of unauthorized access to physical and logical systems, data and applications. Access control is a fundamental component of information security and compliance programs, and ensures security technology and related policies, processes and procedures are in place to protect confidential information, such as student records, customer data, sensitive financial data, electronic health information and personally identifiable information.
Elon University’s access control mechanisms are designed to minimize risk and potential exposure to the University resulting from unauthorized or malicious use of resources, and to preserve and protect the confidentiality, integrity and availability of Elon Facilities and Assets, Confidential Information, and Elon Data.
Elon University network accounts provide access and accountability for University information resource usage. The creation, control, and monitoring of all network accounts are crucial to providing accountability and secure access to Elon University technology and information resources.
This policy supersedes any other prior policies or requirements related to these topics and will be reviewed at least annually for potential updates.
This policy applies to any persons who access or use Elon Facilities or Assets, Confidential Information, Elon Data (the “Elon Community”), including faculty, staff, trustees, students, temporary employees, contractors, third-party service providers, business partners and alumni. This policy affects:
- All Elon University-owned or managed networks, network devices, computer systems, applications, or any other technology or computing assets (“Elon Assets”);
- All Elon University proprietary or confidential information, including intellectual property (“Confidential Information”)
- Any Elon owned or controlled individually identifiable personal data or other personal information for which the privacy, security, retention and confidentiality are regulated by applicable legal, regulatory and contractual requirements (“Elon Data”); and
- Elon Confidential Information and Elon Data stored at third-party locations.
Availability: characteristic of the information by which it can be accessed by authorized persons when it is needed.
Confidentiality: characteristic of the information by which it is available only to authorized persons or systems.
Confidential Information: includes data and information regulated by state, federal or international laws, any data and information regulated by the Payment Card Industry and any Elon data and information that is not considered public.
- any equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information, including printers, storage devices, computers, computer equipment, network equipment and systems and phone equipment and systems.
- any software or technology system used to store, transmit, process, create or present information or data for University use
- any data or information used by Elon community members in the course of doing business for and on behalf of Elon University.
Elon Data: any information resource that is maintained in electronic or digital format. Data may be accessed, searched, or retrieved via electronic networks or other electronic data processing technologies.
Information Security: preservation of confidentiality, integrity and availability of information.
Information Security Program: a segment of management processes that addresses the planning, implementation, maintenance, monitoring and improving information security within the University.
Integrity: characteristic of the information by which it is changed only by authorized persons or systems in an allowed way.
- Elon Senior Leadership (University President and members of Senior Staff) is responsible for ensuring the availability of resources to adequately monitor and implement this policy.
- Associate Vice President of Information Technology and Chief Information Officer is responsible for ensuring Elon’s access controls are effective and support the requirements of the University.
- Director of Information Security is responsible for designing and implementing access controls, including technical, administrative and physical controls that align to the University’s goals and objectives, address the security needs of the organization and reduce potential risk to an acceptable level.
- Supervisors / Department Heads / Managers are responsible for ensuring their departments and direct reports adhere to the controls implemented by Information Security.
- The Elon Community members should read and understand this policy. In addition, Community members must:
- protect sensitive information and Elon Data within their control from unauthorized access, modification, destruction, and disclosure;
- recognize and report cyber threats against the University and Elon Assets;
- immediately report any security violation to their supervisor or department head or Campus Safety and Police; and
- attend appropriate University security training and awareness sessions on a regular basis or as assigned.
5.0 Policy Statements
User/Community Member Access
- All Elon Community member network accounts are created and access to technology and information resources are granted once the appropriate request and approval processes are completed.
- Elon computer and network access accounts will be created according to information security standards and business requirements, and will be managed according to the following rules:
- Passwords will conform to Microsoft’s Strong Password requirements and Elon University Password Standards.
- Accounts will be disabled after 365 days of inactivity.
- Accounts in disabled status for 180 days will be deleted.
- Access to vendor, service provider and partner accounts will be enabled only during the time period needed and disabled when not in use. All vendor accounts will be monitored when in use.
- Repeated access attempts will be limited by locking out the user-ID after six unsuccessful attempts.
- Lockout duration will be set to a minimum of 30 minutes or until an administrator enables the user-ID.
- If a computer/network session has been idle for more than 30 minutes, the user will be required to re-authenticate to re-activate the terminal or session.
- All staff and faculty network accounts will be disabled upon termination of the faculty or staff member, unless otherwise directed by a supervisor or HR to keep the account active.
- Any account identified as being compromised or in threat of being comprised will be disabled.
- Access to technology and information resources will be granted on a “need to know” basis.
- Elon Community members may only connect devices to the Elon network at appropriate connectivity points including voice/data jacks, through an approved wireless network access point, via a VPN or SSH tunnel, or through remote access mechanisms such as DSL, cable modems, and traditional modems over phone lines.
- All Elon University network accounts will be uniquely identifiable with an assigned user-ID and all initial default passwords for new accounts will be constructed in accordance with the Elon University Password Policy.
- Generic accounts are permitted if approved by the department head and Information Security. Generic accounts will not be approved for any devices or systems that access confidential data or information. However, if a generic account is assigned to an individual, a mechanism must be in place to ensure only that individual uses the generic account during their employment.
- Service providers with remote access to Elon’s campus resources (for example, for support of HVAC systems) must use a unique authentication credential (such as a password/phrase) for each customer.
- All Elon-owned mobile computers used by staff and faculty members (PCs and Macs) will be required to have full disk encryption installed and operational on the device.
- Two-factor Authentication (2FA) is required to access Elon University critical applications, Elon’s virtual private networks (VPNs) and all sensitive information and Elon Data.
All Elon Community members and system administrators accessing Elon systems, application and critical data from a remote location (off campus) must abide by the following rules:
- All remote access must be authenticated and encrypted through the University’s VPN.
- All remote access will be accomplished through the use of two-factor authentication; a user-ID and password or PIN combination, and a second method not based on user credentials, such as a certificate or token provisioned to the user.
Wireless Network Access
Elon University is subscribed to the Eduroam Network. Eduroam is an international roaming service for users in research, higher education and further education. It provides researchers, teachers, and students easy and secure network access when visiting an institution other than their own. Authentication of Eduroam users is performed by their home institution, using the same credentials as when they access the network locally, while authorization to access the Internet will be provided by Elon.
Elon University staff, students and faculty may not use the Eduroam network while on the Elon campus as this network is configured for use by visitors from a university that also participates in the Eduroam Network service.
Certain permanent Elon University employees may grant temporary wireless network access to university guests. These Elon employees are the official University sponsor of all associated guests and take full responsibility for the guest’s actions on Elon University’s network. Contact Elon’s Technology Service Desk for information on granting temporary guest access.
Elon’s public wireless network is available to the public in order to meet temporary demands for wireless internet connectivity while visiting Elon University’s campus. The service is available only in selected areas. It offers no security encryption, and is limited in speed, capacity, and features. The public Wireless network is not a part of Elon University’s campus network, and it is not protected by University security measures.
Elon University students, faculty, staff and official affiliates should use Elon University’s more secure and fully featured wireless services. No authentication is required to access the public network and services are limited to standard (WWW) and secure (HTTPS) web pages, SSH (Secure Shell), Virtual Private Network (VPN), DHCP and DNS connections.
Access Control for Mobile Devices
Mobile devices include ALL portable storage media including USB memory sticks, external hard disk drives, notebook/laptop computers, iPads, smartphones, tablets, e-readers, smart watches, digital cameras and audio recording devices. Some of these devices are multifunctional and may be used for voice calls, text messages, email, Internet access, and may allow access to computers and/or networks. Elon Community members must protect Elon technical and information resources while using mobile communication devices through the following requirements:
- Using a user defined, personal identification number (PIN) to access the device where permitted.
- Implementing a time out of inactivity that is 15 minutes or less.
- If technically possible, ensuring the ability to remotely erase the contents of the device, at the user’s request, management request via a service desk ticket, or by the user’s own action.
- Purging/wiping information from mobile devices based on 10 consecutive, unsuccessful device logon attempts (e.g., smartphones and tablets). Laptop computers are excluded from this requirement.
- All mobile device users shall comply with legal and regulatory requirements associated with information that is stored on or accessed from the device, such as requirements for confidentiality, security and record retention.
Segregation of Duties
Segregation of duties is an integral part of an effective information security program. Enforcing a segregation of duties model will help to reduce the risk of accidental or deliberate system misuse and reduce opportunities for unauthorized modification or misuse of information by segregating the management and execution of certain duties or areas of responsibility. Therefore:
- Access to Elon technical, data and information resources will only be provided to Elon Community members based on business requirements, job function, responsibilities, or need-to-know;
- All account additions, changes, and deletions to system access must be approved by the appropriate supervisor, manager or department head, with a valid business justification; and
- Access controls to technical, data and information resources will be implemented via an automated control system when possible. Account creation, deletion, and modification as well as access to data and network resources will be completed by the Security Operations Team.
Sanctions for inappropriate use of Elon Facilities, Assets or Data may include, but are not limited to, one or more of the following:
- Temporary or permanent revocation of access to some or all computing, networking and other technology resources;
- Disciplinary action according to applicable University policies;
- Legal action according to applicable laws and contractual agreements.
Individuals concerned about any violation of this policy are encouraged to contact the Associate Vice President for Information Technology/CIO or the Vice President for Finance and Administration. Individuals can also report suspected policy violations to firstname.lastname@example.org.