Policy 2.501

Information Security - Access Control Policy

1. Purpose: To control access to information. Access to information systems and services should be controlled on the basis of business and information security requirements as well as to meet any requirements of state or federal law. This Policy does not prohibit or restrict public access to inspect data and information on publicly available District technology resources.

2. Definitions: The IT User Standards and Guidelines Manual provides definitions of terms used within this Policy. This Manual is incorporated herein by reference as part of this Policy and can be located on the District's IT Security web site.

3. Policy:

   1. User Access Management.

      1. All users, except third party users and as stated below, will be automatically assigned a unique User ID for their use only. As to third party users, they will be assigned a User ID, on request by their District contact/coordinator, when in the best interest of the District. Further, all users will have a password. Yet, as to students, see School Board Policy 8.123, sub-paragraphs (2) (d) & (e), relating to passwords and User ID's.

      2. Access to the network/servers and information systems will be by User ID and password and, in appropriate cases, a secondary authentication method may be necessary, such as a smartcard, PIN number or biometric data.

      3. IT shall utilize appropriate information system controls to enforce the password standards defined in the IT User Standards and Guidelines Manual.

      4. Users will only be given sufficient rights to all systems they have been specifically approved and authorized to use based on the District's business and information security requirements, as well as to meet any requirements of state or federal law. Access is also controlled by the District's web site filtering policy--School Board Policy 8.125.

      5. User rights will be kept to a minimum at all times. Employees shall be given, by default, basic access to e-mail and calendaring services and appropriate self-service HR services, such as eBenefits and ePay.

      6. Users requiring access, other than basic, to information systems must make the requests for access according to processes defined by each information system owner.

      7. The information system owner shall be identified and will determine user access rights for their systems. Information system owners shall consider separation of duties when determining user access rights.

      8. System administration rights to information systems, including network devices, shall be restricted to the appropriate users based on the District's business and information security requirements.

      9. The user’s User ID shall be immediately disabled when a resignation or termination change in his/her status occurs in PeopleSoft the District's Human Resource system.

      10. User's access rights shall be periodically reviewed to make sure the access is approved and authorized based on the District's business and information security requirements.

   2. Physical Access Management.

      1. Users must not leave their computer or other access unit unattended during normal work hours without first logging off or invoking a password protected screen saver.

      2. Users must turn off their computers or other access units at the end of normal work hours. If a computer or other access unit must stay on after normal work hours, precautions shall be taken to prevent unauthorized use.

      3. Physical access into facilities that contain information systems, such as computer rooms and data storage areas, shall be restricted to those people that are approved and authorized based on the District's business and information security requirements. Physical access shall be controlled using methods such as walls, locks, key card systems, and biometric readers.

      4. Physical access into controlled facilities shall be logged and monitored.