COLORADO COMMUNITY COLLEGE SYSTEM
Access and Authentication
APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021
REFERENCES: Board Policy (BP) 6-10, Cyber Security Policy
/ Joe Garcia /
Joseph A. Garcia
This procedure documents Colorado Community College System and its Colleges’ (“CCCS”) requirements for authorization, authentication, passwords, and the management of user accounts on Mission Critical Systems and systems that contain CCCS Information.
This procedure applies to employees, personnel affiliated via third party contracts, and volunteers that have access to Information Systems and Assets that are owned or leased by CCCS.
Access control is defined as the security techniques or activities that ensure access to CCCS Information Systems and Assets is authorized and restricted based on business and security requirements.
Authentication is defined as provision of assurance that a claimed characteristic of an entity is correct.
Mission Critical System
A mission critical system is a system that is essential to CCCS’s operations. Failure or disruption of a mission critical system would have a negative impact on CCCS.
The System Chancellor delegates to the System Vice Chancellor for Information Technology responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility for implementation of and compliance with this procedure at their respective institutions.
Adding, changing or disabling user accounts and managing passwords on Mission Critical Systems at CCCS must be done in a manner that ensures that only properly authorized individuals are given access to CCCS Information Systems and Assets at the appropriate level.
- Only personnel who have received authorization for access to CCCS’s Information Systems and Assets through the appropriate approval process shall be granted access.
- Access to CCCS Information Systems and Assets shall require authentication; failure to authenticate shall result in access denial.
- CCCS shall define which Information Systems or Assets will require Multi-Factor Authentication (MFA) prior to access.
- System Information Technology (“System IT”) shall define the method(s) and procedure(s) for MFA for applicable Information Systems and Assets.
- User accounts shall be set up with a unique username and password.
- Unique passwords shall be enforced using consistent rules and complexity.
- Passwords shall be treated as restricted information and shall not be shared with anyone at any time in any medium (email, telephone, text message, questionnaires, hardcopy notes, etc.), unless shared through the secure encrypted password management tool provided by System IT or the College IT Department (“College IT”) (e.g., Keeper, LastPass, Dashlane, KeePass).
- Initial passwords are assigned and communicated by System IT or College IT for new accounts and are required to be changed by the account owner on first login.
- Password configuration requirements shall be enforced through automated processes and must meet the following minimum requirements:
  - Passwords shall be changed on a frequency commensurate with use and risk. Password changes will be forced at least every 180 days.
  - Passwords shall be a minimum of 14 characters.
  - Password history shall be set to 24. The previous 24 passwords may not be repeated by users.
  - Minimum password age (how long a password must remain unchanged after being changed) shall be set to 24 hours.
- Password resets shall be performed only after the requester’s identity has been confirmed.
- An access request for a new user account, or a request to change or disable an existing account must be documented and tracked in the System IT, or the appropriate College IT’s, ticketing system. Request for access to highly sensitive Information Systems or Assets must be done using the appropriate security forms prior to access being granted.
- Temporary passwords are generated with a unique value for each user and changed immediately after the first use.
- Requests for new, changed or disabled accounts must be approved through the formal access request process.
- Notification of the need to disable an account due to a for-cause termination may be done via an email or a phone call to System IT or College IT but must be subsequently documented in the System IT or applicable College IT’s ticketing system.
- Terminated employee accounts must be disabled within one working day of the termination date.
- Screens lock automatically after 15 minutes of inactivity, and employees are required to lock their screens when leaving their computer.
- Accounts lock after five failed attempts to authenticate. Accounts will be automatically unlocked after 15 minutes.
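The lockout rule above (five failed attempts, automatic unlock after 15 minutes) and the 90-day inactivity rule can be checked against authentication records. The following is an added example, not part of the CCCS procedure or any CCCS system; it replays constructed login events and assumes that a successful login resets the failure counter and that a locked account rejects every attempt until the lockout expires.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds taken from the procedure text
LOCKOUT_THRESHOLD = 5
LOCKOUT_DURATION = timedelta(minutes=15)
INACTIVE_DISABLE_AFTER = timedelta(days=90)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None
    last_success: Optional[datetime] = None


def process_auth_events(events):
    """Replay (timestamp, user, success) events in time order.
    Returns the final per-account state and an audit list of decisions."""
    state = {}
    decisions = []
    for ts, user, ok in sorted(events):
        acct = state.setdefault(user, AccountState())
        if acct.locked_until is not None:
            if ts < acct.locked_until:
                # Even a correct password is refused while the lock is active
                decisions.append((ts, user, "rejected: account locked"))
                continue
            acct.locked_until = None  # 15-minute auto-unlock has elapsed
            acct.failures = 0
        if ok:
            acct.failures = 0  # assumption: success resets the counter
            acct.last_success = ts
            decisions.append((ts, user, "success"))
        else:
            acct.failures += 1
            if acct.failures >= LOCKOUT_THRESHOLD:
                acct.locked_until = ts + LOCKOUT_DURATION
                decisions.append((ts, user, "locked"))
            else:
                decisions.append((ts, user, "failed"))
    return state, decisions


def dormant_accounts(state, now):
    """Accounts with no successful login in the last 90 days (to be disabled)."""
    return sorted(u for u, a in state.items()
                  if a.last_success is None or now - a.last_success >= INACTIVE_DISABLE_AFTER)


# Constructed sample events (hypothetical users), not real log data
T0 = datetime(2021, 3, 1, 9, 0)
SAMPLE_EVENTS = [(T0 + timedelta(minutes=i), "jdoe", False) for i in range(5)] + [
    (T0 + timedelta(minutes=10), "jdoe", True),   # correct password, still locked
    (T0 + timedelta(minutes=20), "jdoe", True),   # lock expired, succeeds
    (T0, "asmith", True),
    (T0 + timedelta(days=50), "asmith", True),
]
```

Run against a real export, the same replay flags accounts whose observed lockout behaviour diverges from the configured policy and produces the dormant-account list for the 90-day review.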
Access Management and Monitoring
- Non-employee (vendor/consultant/contractor/volunteers) accounts shall be created with a specific termination date based on duration of work or contract expiration date.
- Remote vendor accounts used for maintenance shall be active only during the time period needed.
- Employee and non-employee access to Information Systems and Assets will be granted based on job requirements and roles.
- Measures shall be implemented to monitor and log access activity.
- Reviews of user account access rights shall be performed and documented at least annually.
- Any user accounts that have not been used in the last 90 days shall be disabled.
Privileged Account Management
- Default administrator accounts for Information Systems shall have their passwords changed and stored in a secure location (System IT or College IT provided password management tool).
- Named administrator accounts shall be created for administrative users. Administrative users should not use the default administrator accounts for administrative activities.
- Creation of administrator accounts, or granting of administrative privileges, should follow a formal approval process, including the use of System IT or the College IT’s ticketing system.
- Privileged account activities shall be logged.
- Privileged account users shall not share account credentials with other users.
- Reviews of privileged account access rights shall be performed and documented at least annually.
Service Account Management
- Service accounts should be created based on unique service activities and unique roles.
- Creation of service accounts should follow a formal approval process, including the use of System IT or the College IT’s ticketing system.
- Service accounts should be used for automated service activities only.
- Users should use service accounts only for testing account access.
- Passwords for service accounts should be stored in the password management tool provided by System IT or College IT.
Revising this Procedure
CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.