7.1 System access control
System access control is one of the most important components in any data
or information security plan. It is imperative that a school computer system
or network be accessed only by authorized persons, and only to the extent
that is necessary and authorized.
7.1.1 A system is needed for users to identify themselves and prove they are
who they claim to be. This may range from a simple password to a multi-level
or multi-factor login or a biometric check such as a retinal scan. The risk
assessment will determine the level of access control needed.
7.1.2 A log of all network activity, from logon to logoff, needs to be kept
and retained for auditing and intervention purposes.
7.1.3 It is the responsibility of top level administrators and information
technology directors to establish a system and accompanying policies to
ensure that the school computer system or network is used properly. Lines
of authority and control need to be clearly defined.
7.1.4 System access and use security policies and procedures protect:
a) the system or network itself from intrusion and damage
b) confidential, sensitive or personal information on the system
c) each user who might inadvertently or unintentionally gain access to
or damage system files
7.2 Login Process-- Access control begins at the login stage. It is
imperative at this stage to inform all users, authorized and unauthorized,
that the system is being monitored and that unauthorized access or use has
consequences. A "welcome" screen, by contrast, can imply to whoever reads it
that they are invited to use the system. Consequently, it is important to
convey the proper message to all persons logging onto the computer system or
network.
7.2.1 Warning screens -- There are many kinds of warning screens used by
systems administrators. The major objectives of most are to provide accurate
warnings about 1) the need for appropriate authorization to enter and use
the system, 2) the continuous monitoring of the system, and 3) potential
sanctions for prohibited behaviors or actions. By placing these messages on
an introductory screen, readers are presumed to explicitly or implicitly
agree to the conditions of authorization, monitoring, and sanctions before
continuing on to the next screen. This is presumed whether they read the
screen or not. It is there for them to read.

7.2.2 User agreement -- Depending on their initial risk assessment, some
systems require the reader to agree to the above terms every time they log
onto the system, or at least the first time that they access the system and
periodically thereafter. If this kind of screen message is used initially or
periodically, it's important to have the message readily accessible to any
user at any time. Safeguarding Your Technology
(http://nces.ed.gov/pubs98/safetech/, p. 86) provides an example of a logon
screen warning for a secure computer system or network, which is adapted
below:
This is a restricted network. Use
of this network, its equipment, and resources is monitored at all times
and requires explicit permission from the network administrator. If you
do not have this permission in writing, you are violating the regulations
of this network and can and will be prosecuted to the full extent of the
law. By continuing into this system, you are acknowledging that you are
aware of and agree to these terms.
7.3 Password and User ID process. Every school should devise a system for
identifying specific users and for password acceptance. This will help to
ensure greater control of access to system resources and will ensure an
appropriate record of system usage. The use of passwords is a very
individual issue, but specific rules for their use ensure consistency and
greater security.
Sample Password Policy Elements
Suggested policy elements for the creation and use of passwords are:
- Include non-alphabetic characters in the password, such as numbers and
  punctuation marks.
- Use passwords that are hard to guess.
- Use passwords that are unique to the user and not reused; do not alternate
  between a small set of old passwords.
- Passwords must be kept private and never shared: no shared accounts, no
  coding them into programs or scripts, and no writing them down in obvious
  places.
- A minimum password length should be established (e.g., at least 6
  alphanumeric characters; longer is stronger). If passwords are too short
  they are easier to crack, but if they are too long they are hard to
  remember.
- Passwords should in no way identify or reflect the user (pet names, birth
  dates, favorite themes, etc.). Ideally, passwords should be non-words or
  random combinations of letters, numbers and symbols.
- Passwords should be changed periodically (every 1-3 months). The system
  should automatically require changes at given intervals.
- Store passwords only in encrypted (one-way hashed) form so that no one but
  the user knows them. Where a password also protects encrypted data, keep
  it safe: if the password is lost, that information is lost with it.
- Use across-the-network password encryption so that passwords cannot be
  read by protocol analyzers or by other means.
- Logon IDs and passwords should be suspended if not used for a specified
  period of time (e.g., 30 days).
- Sessions should be suspended after a specified period of inactivity and
  should then require the password to be re-entered. A password should
  always be required.
- System administrators should change any pre-set (default) passwords that
  are built into software or equipment.
- Passwords should never be sent via e-mail to anyone unless the e-mail is
  encrypted.
- Passwords need to be masked or obscured on the screen when anyone logs in.
- If users suspect that their password has been compromised, they should
  change it immediately.
- Passwords should not be available to administrators or the IT department.
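Most of the elements above can be enforced mechanically at the moment a password is set. The following Python checker is an added example written for this page, not code from the original policy or from Safeguarding Your Technology. It applies the length, character-class, personal-information, dictionary and reuse rules, stores only a salted one-way hash so the plaintext is unknown even to administrators, and flags a password once it is older than the change interval. The concrete values (8-character minimum, 90-day maximum age, 5-password history), the user profile fields and the small common-word list are assumptions chosen for the example; the page itself only suggests a 6-character floor and a 1-3 month interval.

```python
"""Password policy checker (added example, not part of the original policy).

Assumed policy values: the page suggests a 6-character floor and a 1-3 month
change interval; this example chooses stricter illustrative values.
"""
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 8            # assumption; the page's example floor is 6
MAX_AGE_DAYS = 90         # "every 1-3 months"
HISTORY_DEPTH = 5         # number of previous hashes a user may not reuse
PBKDF2_ROUNDS = 200_000   # slow the hash down against offline cracking

# Constructed stand-in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "school", "teacher"}


def _pbkdf2(password, salt):
    """Salted, iterated one-way hash; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _personal_tokens(profile):
    """Strings the password must not contain: user ID, names, pets, birth date."""
    tokens = {profile["user_id"], profile["first_name"], profile["last_name"]}
    tokens.update(profile.get("pets", []))
    bd = profile.get("birth_date")
    if bd:
        tokens.update(bd.strftime(fmt) for fmt in
                      ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%Y%m%d"))
    return {t.lower() for t in tokens if len(t) >= 3}  # skip very short tokens


def check_password(candidate, profile, history):
    """Return the list of policy violations; an empty list means it passes.

    `history` is a list of (salt, digest) pairs for the user's previous passwords.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no punctuation or symbol")
    lowered = candidate.lower()
    hits = [t for t in _personal_tokens(profile) if t in lowered]
    if hits:
        problems.append(f"contains personal information ({sorted(hits)[0]!r})")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("based on a dictionary word")
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_pbkdf2(candidate, salt), digest):
            problems.append("reuses a recent password")
            break
    return problems


def set_password(candidate, profile, record, today=None):
    """Validate, then record only a fresh salt + hash and the date it was set."""
    problems = check_password(candidate, profile, record["history"])
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    record["history"] = (record["history"] + [(salt, _pbkdf2(candidate, salt))])[-HISTORY_DEPTH:]
    record["set_on"] = today or date.today()
    return record


def verify_password(candidate, record):
    """Constant-time comparison against the current (most recent) hash."""
    salt, digest = record["history"][-1]
    return hmac.compare_digest(_pbkdf2(candidate, salt), digest)


def password_expired(record, today=None):
    """True once the current password is older than MAX_AGE_DAYS."""
    return ((today or date.today()) - record["set_on"]) > timedelta(days=MAX_AGE_DAYS)
```

The reuse check works because each historical entry keeps its own salt: the candidate is re-hashed under every stored salt and compared in constant time, so the system can refuse an old password without ever having kept the plaintext. A real deployment would replace the constructed word list with a full dictionary and breached-password list.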

7.4 Privileges-- This
term refers to the permission that a person receives, by virtue of his
or her work position, to enter a specific computer system or network. This
is not an absolute right, but rather an earned right that accompanies an
employee's job requirements, if s/he meets specific criteria.
7.4.1 Levels-- Based on its risk assessment, every organization should have
designated access privilege levels for every employee. These levels are
based on the extent of the computer system or network the employee needs to
access to do their job.
These levels should be determined when a person is hired by the school
system and should be periodically assessed on a regular schedule and checked
against audit logs. If employees change jobs within the system, their privileges
should be reassessed for the appropriate level of access needed to do their
new job. If employees work on an academic year schedule, their privileges
should be valid for only that period of time, unless they have permission
to use the system during a period when school is not in session.
7.4.2 Special privileges-- From
time to time persons from outside the system or regular employees on special
projects may need to access certain portions of a computer system or network.
Decisions related to the appropriate level of access assigned to these
people, if any, need to be made by top level administrators of the school
and the network administrator. This decision making process needs to be
documented and clear so employees know the procedure for obtaining special
privileges.
7.4.2.1 Remote users -- Remote use by authorized users should
be pre-approved separately from the initial approval process. Remote users
should be made aware that remote access will be monitored very carefully
and that any transmission of confidential, sensitive, or private information
over public phone lines or any other public network must be encrypted.
7.4.3 Privilege restrictions-- All persons who have access to a system at
any level should be given notice
initially and periodically that privileges can and will be restricted or
eliminated at any time if they abuse the privilege given to them by their
employer. In addition, employees who are not working during the summer
or who go on sabbatical should understand that, unless they have special
permission, their privileges to the school computer system or network will
be restricted.
7.4.3.1 Log-in times -- Limit users to log-ins during those
times when they are actually working. This should be designated initially
when they are given access. Special privileges for remote users may need
to be established.
7.4.3.2 Log-in locations -- Limit users to only those computers
on which they will be working. This also should be designated when they
are initially given access to the system or network.
7.4.3.3 Log-in attempts -- Set a reasonable number (e.g., three) of failed
attempts to log in before the system suspends the account. Suspending the
account stops an unauthorized user from continuing to guess the password.
Note that the same mechanism lets anyone who knows a user ID lock that user
out deliberately, so suspensions should be logged and reviewed. Legitimate
users can always request that their access be reestablished.
7.4.3.4 Log off requirements -- Require all authorized users
to log off when they leave their work station and to log off and turn off
the computer after use. This prevents any unauthorized use when the work
station is unattended.
7.4.3.5 Appropriate Use Agreements -- All authorized users
should be required to sign an appropriate use agreement before they receive
access to the system or network.
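As an added example (not code from the original policy), the following Python class combines the restrictions in 7.4.3.1 through 7.4.3.4 with the inactivity and idle-session rules from 7.3 into a single login decision, and writes each outcome to the logon-to-logoff audit log that 7.1.2 calls for. The three-attempt limit and 30-day inactivity period are the page's own figures; the 15-minute idle timeout, the user IDs, workstation names, credential stand-in and log line format are constructed for the example.

```python
"""Login gate for the 7.4.3 restrictions with a logon-to-logoff audit trail.

Added example, not part of the original policy. Limits are taken from the
page where it gives one (three attempts, 30 days of inactivity) and assumed
otherwise (15-minute idle timeout); users, hosts and the log format are
constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Callable, FrozenSet, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 3                   # 7.4.3.3: e.g. three tries, then suspend
INACTIVITY_SUSPEND = timedelta(days=30)   # 7.3: unused IDs are suspended
IDLE_TIMEOUT = timedelta(minutes=15)      # 7.3: idle sessions re-authenticate (assumed value)


@dataclass
class Account:
    user_id: str
    allowed_hours: Tuple[time, time]   # 7.4.3.1: local working hours (start, end)
    allowed_hosts: FrozenSet[str]      # 7.4.3.2: workstations the user may use
    last_login: Optional[datetime] = None
    failed_attempts: int = 0
    suspended: bool = False


# Constructed stand-in for the password store; a real one compares salted hashes (7.3).
DEMO_CREDENTIALS = {"jsmith": "Tr0ub4dor&3", "mlee": "c0rrect-h0rse!"}


def demo_verify(user_id: str, password: str) -> bool:
    return DEMO_CREDENTIALS.get(user_id) == password


class LoginGate:
    def __init__(self, verify: Callable[[str, str], bool]):
        self.verify = verify
        self.audit: List[str] = []   # 7.1.2: every event from logon to logoff, retained
        self.sessions: dict = {}     # user_id -> time of last activity

    def _log(self, when, user_id, host, event):
        self.audit.append(f"{when.isoformat()} user={user_id} host={host} event={event}")

    def login(self, acct: Account, password: str, host: str, now: datetime) -> bool:
        """Apply every restriction before the password is even checked."""
        if acct.suspended:
            self._log(now, acct.user_id, host, "DENY account suspended")
            return False
        if acct.last_login and now - acct.last_login > INACTIVITY_SUSPEND:
            acct.suspended = True
            self._log(now, acct.user_id, host, "DENY suspended after 30 days without use")
            return False
        start, end = acct.allowed_hours
        if not (start <= now.time() < end):
            self._log(now, acct.user_id, host, "DENY outside permitted login hours")
            return False
        if host not in acct.allowed_hosts:
            self._log(now, acct.user_id, host, "DENY unapproved workstation")
            return False
        if not self.verify(acct.user_id, password):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.suspended = True   # legitimate user must ask to be reinstated
                self._log(now, acct.user_id, host, "DENY bad password; account suspended")
            else:
                self._log(now, acct.user_id, host, "DENY bad password")
            return False
        acct.failed_attempts = 0
        acct.last_login = now
        self.sessions[acct.user_id] = now
        self._log(now, acct.user_id, host, "LOGON")
        return True

    def activity(self, user_id: str, now: datetime) -> bool:
        """Refresh the session; suspend it (re-login required) if idle too long."""
        last = self.sessions.get(user_id)
        if last is None:
            return False
        if now - last > IDLE_TIMEOUT:
            del self.sessions[user_id]
            self._log(now, user_id, "-", "SESSION SUSPENDED idle; password required")
            return False
        self.sessions[user_id] = now
        return True

    def logoff(self, user_id: str, host: str, now: datetime) -> None:
        self.sessions.pop(user_id, None)
        self._log(now, user_id, host, "LOGOFF")

    def reinstate(self, acct: Account, admin: str, now: datetime) -> None:
        """Administrator restores a suspended account on request (7.4.3.3)."""
        acct.suspended = False
        acct.failed_attempts = 0
        self._log(now, acct.user_id, "-", f"REINSTATED by {admin}")
```

The time, workstation and suspension checks run before the password is verified, so a denied attempt from an unapproved location or outside working hours never reaches the credential store, and every denial is recorded with its reason. Because a hard lockout after three failures lets anyone who knows a user ID lock that user out, the `reinstate` path logs which administrator restored the account; many sites also prefer a time-limited lockout that expires on its own.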
7.5 Login system-- Every computer system or network must have a secure login
system. Its purpose is to restrict access to only those individuals who have
permission to enter the system or network, and only at the level of access
each employee has been assigned by administrators based on what they need to
accomplish their job. The login system set up by network administrators
needs to be flexible enough to accommodate changes in employees' privilege
levels.