7540.08 - INFORMATION SYSTEMS ACCESS POLICY
PURPOSE
The purpose of this policy is to maintain an adequate level of security to protect Greensburg Community School Corporation data and information systems from unauthorized access. This policy defines the rules necessary to achieve this protection and to ensure a secure and reliable operation of Greensburg Community School Corporation information systems.
POLICY
Only authorized users are granted access to information systems, and users are limited to specific defined, documented and approved applications and levels of access rights. Computer and communication system access control is to be achieved via user IDs that are unique to each individual user to provide individual accountability.
Who is Affected: This policy affects all employees of Greensburg Community School Corporation and all contractors, consultants, temporary employees and business partners. Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination.
Affected Systems: This policy applies to all computer and communication systems owned or operated by Greensburg Community School Corporation. Similarly, this policy applies to all platforms (operating systems) and all application systems.
Entity Authentication: Any User (remote or internal), accessing Greensburg Community School Corporation networks and systems, must be authenticated. The level of authentication must be appropriate to the data classification and transport medium. Entity authentication includes but is not limited to:
Automatic logoff
And Unique user identification
At least one (1) of the following:
Biometric identification
Password
Personal identification number
A telephone callback procedure
Workstation Access Control System: All workstations used for this Greensburg Community School Corporation business activity, no matter where they are located, must use an access control system approved by the Greensburg Community School Corporation. In most cases this will involve password-enabled screen-savers with a time-out-after-no-activity feature. Active workstations are not to be left unattended for prolonged periods of time, where appropriate. When a user leaves a workstation, that user is expected to properly log out of all applications and networks. Users will be held responsible for all actions taken under their sign-on. Where appropriate, inactive workstations will be reset after a period of inactivity (typically forty (40) minutes). Users will then be required to re-log on to continue usage. This minimizes the opportunity for unauthorized users to assume the privileges of the intended user during the authorized user’s absence.
System Access Controls: Access controls will be applied to all computer-resident information based on its’ Data Classification to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable.
Access Approval: System access will not be granted to any user without appropriate approval. Management is to immediately notify the Security Administrator and report all significant changes in end-user duties or employment status. User access is to be immediately revoked if the individual has been terminated. In addition, user privileges are to be appropriately changed if the user is transferred to a different job.
Limiting User Access: Greensburg Community School Corporation approved access controls, such as user logon scripts, menus, session managers and other access controls will be used to limit user access to only those network applications and functions for which they have been authorized.
Need-to-Know: Users will be granted access to information on a "need-to-know" basis. That is, users will only receive access to the minimum applications and privileges required performing their jobs.
Compliance Statements: Users who access Greensburg Community School Corporation’s information systems must sign a compliance statement prior to issuance of a user-ID. A signature on this compliance statement indicates the user understands and agrees to abide by Greensburg Community School Corporation policies and procedures related to computers and information systems. Annual confirmation will be required of all system users.
Access for Non-Employees: Individuals who are not employees, contractors, consultants, or business partners must not be granted a user-ID or otherwise be given privileges to use the Greensburg Community School Corporation computers or information systems unless the approval of the Director of Technology and/or Superintendent has first been obtained.
Unauthorized Access: Employees are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of these systems. System privileges allowing the modification of ‘production data’ must be restricted to ‘production’ applications.
Remote Access: Remote access must conform at least minimally to all statutory requirements including but not limited to FERPA and HIPAA.