Access Management Policy | St. George's University

Access Management Policy

August 3, 2018

Purpose

The purpose of this policy is to mandate requirements for access management controls across the technological environment at St. George’s University, University Support Services, and any other operating units of Medforth Global Healthcare Education Group LP identified by management (collectively, the Enterprise). This policy will aid the Enterprise in managing access to its information systems.

Scope

This policy applies to all information systems used throughout the Enterprise, whether managed centrally or in a distributed fashion. This policy applies to all individuals and entities who intend to access the Enterprise’s information systems and data, including relevant third-party service providers and hosted/cloud-based systems.

Background

Access to the Enterprise’s electronic information resources must be managed in a manner that maintains the confidentiality, integrity, and availability of Enterprise resources, and in a manner that complies with any applicable legal and regulatory requirements.

Definitions

  • Authentication: The process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
  • Authorization: The granting or denying of access rights to a user, program, or process.
  • Multi-Factor Authentication (MFA): Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g. password/personal identification number (PIN)); (ii) something you have (e.g., token generation device); or (iii) something you are (e.g., biometric).
  • Principle of Least Privilege:  The security objective of granting users only those accesses they need to perform their official duties.
  • Privileged Access Management (PAM): The process of managing and protecting credentials to accounts that have some level of administrative access to devices or systems, including local administrator accounts and superusers.
  • Superuser: A user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

Policy Statement

Access Management is the process of identifying, tracking, controlling, and managing user access rights to information systems. Any user who requests access to systems, applications, or data must have their identity authenticated. Additionally, user access should be further restricted following the Principle of Least Privilege, and in alignment with any Enterprise defined segregation of duties guidelines.

The Enterprise’s access controls must take into account the risk level of the data being accessed, and the locations from which users may request access, differentiating between internal networks and public or external networks. The risk levels of all Enterprise data types are defined in the Enterprise’s Data Classification Policy.

User account provisioning must include creation of unique credentials for new users, modification of a user’s access privileges in the event of a change in that user’s role, and disablement and revocation of a terminated user’s access privileges upon termination. Provisioning of user accounts must also adhere to the Principle of Least Privilege.

Enhanced security is required for remote access to the Enterprise’s network. All remote access to the Enterprise’s network must utilize a secure solution, which employs multi-factor authentication, and a secure network encryption protocol.

Default user names and passwords must be changed on all systems and applications. Elevated access privileges must only be provided to users as needed for legitimate business purposes. The elevation of access privileges and provisioning of temporary privileged accounts should adhere to PAM best practices, such as enforcement of maximum lifetimes on temporary administrative accounts, and rotation of privileged account credentials. Users with privileged accounts must also have a standard user account, which follows the principle of least privilege, and must use this standard account for their day-to-day job functions that do not require elevated administrative access. Privileged accounts, such as superusers and administrative accounts, must only be used when elevated privileges are required by the system or application.

Related Documents