1. Policy Statement
Quincy College is committed to protecting its information systems and sensitive data by managing access rights effectively. This policy outlines the procedures for granting, managing, and revoking access to enterprise assets to ensure security and compliance with regulatory standards.
2. Objectives
- Establish a formalized, defined, and circulated Access Management Policy.
- Ensure the prompt revocation of access upon user termination, rights revocation, or role changes.
- Prevent unauthorized access to sensitive information and systems.
- Comply with legal and regulatory requirements for access management.
3. Scope
This policy applies to all users, including employees, contractors, and third-party vendors, who have access to Quincy College's information systems and data.
4. Roles and Responsibilities
- Vice President of Mission Support: Leads the policy implementation team, coordinates efforts, and ensures compliance with policy requirements.
- Vice President of Finance: Ensures that financial aspects of access management, including budget considerations and financial risks, are managed effectively.
- IT Manager: Manages the technical aspects of access management, including system configurations, access controls, and security measures.
- IT Analyst: Supports the IT Manager in conducting access reviews, monitoring system activities, and ensuring compliance with access management practices.
5. Access Control Procedures
- Access Request and Approval: Implement a formal process for requesting and approving access to information systems and data. Ensure that access requests are reviewed and approved by the appropriate authority.
- Role-Based Access Control (RBAC): Assign access rights based on user roles to ensure that individuals have the minimum necessary access to perform their job functions.
- Multi-Factor Authentication (MFA): Utilize multi-factor authentication for accessing sensitive systems and data to enhance security.
6. User Provisioning and De-Provisioning
- User Provisioning: Ensure that new users are granted access based on their role and job requirements. Maintain documentation of access approvals.
- User De-Provisioning: Immediately revoke access upon user termination, role change, or rights revocation. Conduct regular audits to ensure that access rights are up to date.
7. Access Reviews and Audits
- Periodic Reviews: Conduct regular access reviews to ensure that access rights are appropriate and comply with the principle of least privilege.
- Audit Logs: Maintain detailed logs of access requests, approvals, and revocations. Review audit logs periodically to identify any unauthorized access or anomalies.
8. Incident Response
- Access Incidents: Establish procedures for responding to access-related incidents. See Incident Response (IR) Policy for detailed procedures.
- Reporting: Ensure staff are aware of their responsibilities to report access-related incidents, including unauthorized access or security breaches, in a timely manner.
9. Training and Awareness
- User Training: Provide training for all users on access management policies and procedures. Emphasize the importance of protecting access credentials and reporting suspicious activities.
- Regular Updates: Regularly update training materials to reflect changes in the policy, technology, and regulatory requirements.
10. Review and Updates
- Annual Review: Conduct an annual review of the Access Management Policy to ensure it remains current and effective.
- Policy Updates: Update the policy as necessary to address emerging threats, changes in regulatory requirements, and lessons learned from incidents.
Original: July 2024