Computing Access Control and Management Policy
The purpose of this policy is to establish standards for the administration of computing accounts that provide access to Massachusetts Maritime Academy’s (MMA) information technology resources and data. This policy establishes standards for issuing and managing computing accounts in order to protect MMA’s information technology resources and data from unauthorized access and use.
This policy applies to all MMA staff members, faculty and contractors who access MMA’s information technology resources.
Computing accounts that access information technology resources and data at MMA require prudent oversight. The following security precautions should be part of account management:
Issuing Accounts and Access
- All access to MMA applications, systems and technology infrastructure must be authorized and approved. Any access not explicitly authorized and approved will not be granted and is forbidden.
- System access control is to be achieved via user accounts that are unique to each individual user to ensure user accountability.
- Access to specific applications, systems, and technology infrastructure shall only be granted to staff members with a legitimate business need. The level of access granted and privileges assigned to a user shall be limited to the minimum access required to perform their assigned job duties. This ensures that the standard security principle of “least required access” is utilized when granting access.
- A user account for new staff members, temporary staff members and guests will only be set up based on the Helpdesk’s receipt of written authorization from either the new user’s manager or a representative from Human Resources.
- For temporary staff members and guests, an expiration date must be entered on each user account they utilize, whenever possible. This will ensure that these accounts are disabled as soon as the temporary staff member or guest has completed their assignment.
- The use of generic user accounts is allowed on rare occasions where it makes business sense. The access associated with these accounts must be highly restricted.
- When users create passwords for their accounts, the passwords must be a minimum of 8 characters, be complex and should not be shared or written down. Passwords must adhere to the standards set forth in MMA’s Password Policy.
- Access for all computing accounts must be configured through a centralized point of authentication, such as Active Directory or LDAP.
Managing Accounts and Access
- Changes to existing user access will require the Helpdesk’s receipt of written authorization from the user’s manager or a representative from Human Resources requesting the change.
- Managers must notify the Helpdesk when staff members are transferred or reassigned. This will prompt a review of access and adjustments will be made to remove unneeded access.
- Managers must notify the Helpdesk when staff members will be on a temporary leave. The staff member’s computing access will be disabled until they return to work.
- Managers must notify the Helpdesk when staff members have left the Academy. User access will be revoked immediately upon termination of any staff member’s employment.
- User accounts should be locked after 5 failed login attempts, whenever possible. Once locked out, the user account will remain locked for a period of 30 minutes, unless manually unlocked.
- When leaving a workstation, a staff member is expected to properly log out of all applications and networks. Inactive workstations will be logged off automatically after 20 minutes. Resumption of access will require the user’s password.
- The sharing of user accounts by staff members is strictly prohibited. Staff members must take precautions to keep their user accounts secure and refrain from writing them down.
Monitoring Accounts and Access
- For critical systems, an audit of system accounts must be completed twice per calendar year. This will be done to ensure that disabled accounts are removed, accounts inactive for more than 90 days are removed and accounts for staff members no longer employed are removed. Any exceptions made during this process must be documented.
Administrative Level Access
- The allocation of privileged system access must be restricted and controlled. The granting of privileged access should be limited to the smallest number of personnel possible to prevent the loss of confidentiality.
- Personnel who have administrative system access must use other less powerful accounts for performing non-administrative tasks.
- Activities performed as an administrator or super-user must be logged, whenever it is feasible to do so.
Any employee found to have violated this policy, intentionally or unintentionally, may be subject to disciplinary action, up to and including termination of employment.
Under the direction of the Vice President of Technology and Library Services, TLS Directors are responsible for coordinating and establishing procedures and practices which are necessary for compliance with this policy.
This policy is owned by the Vice President of Technology and Library Services, who will coordinate any and all revisions.
| Framework | Regulations and Requirements | Supporting Standards and Procedures |
|---|---|---|
| SANS Top 20 Controls: CSC 12-8, 16-1 - 16-7, 16-9 - 16-12 | PCI DSS, MA 201, HIPAA | Staff Onboarding Procedure |
This section contains comments on any revisions that were made to this document and the date they were made.
| Version Number | Issue Date | Changes Made By | Description of Changes |
|---|---|---|---|
| 1.0 | 1/12/2016 | Compass ITC | Initial Draft |
| 2.0 | 2/5/2016 | Anne Marie Fallon | Additions made to policy |