RSCC Policy GA-18-09; Access Control (formerly Strong Password)

Roane State Community College
Policy Number: GA-18-09
Subject: Access Control (formerly Strong Password)
  1. Purpose
    The purpose of this policy is to establish a minimum expectation with respect to access controls in order to protect data stored on computer systems throughout Roane State Community College (RSCC). This policy applies to all academic, administrative, networking and microcomputer resources leased or installed at all RSCC locations.
    In addition to the policy listed below, all users are subject to existing state and federal laws along with RSCC and Tennessee Board of Regents (TBR) regulations concerning the use of computers, email, and the internet.
  2. Definitions
    Authentication – A process that allows a device or system to verify the unique identity of a person, device or other system that is requesting access to a resource.
    Digital Identity – Information on an entity used by computer systems to represent an external agent. That agent may be a person, organization, application, or device. Also referred to as a user account or user profile.
    Password - A password is a string of characters used for authenticating a user on a computer system.
    System Account – A special account used for automated processes without user interaction or device management. These accounts are not assigned to an individual user for login purposes.
    Privileged Account – An account with elevated access or privileges to a secure system or resource. This type of account is authorized and trusted to perform security relevant functions that an ordinary user account is not authorized to perform. Privileged accounts are assigned to individual users. Example: Oracle database administration, Banner, etc.
  3. Policy
    1. Roane State shall control user access to information assets based on requirements of individual accountability, need to know, and least privilege.
    2. Access to Roane State information assets must be authorized and managed securely in compliance with appropriate college practice and with numerous applicable legal and regulatory requirements (e.g., the Health Insurance Portability and Accountability Act, Family Education Rights and Privacy Act, the Open Records Act of Tennessee, Gramm Leach Bliley Act, and identity theft laws).
    3. Roane State information assets include data, hardware and software technologies, and the infrastructure used to process, transmit, and store information.
      1. Any computer, laptop, printer or device that an authorized user connects to the campus network is subject to this policy.
      2. Guest, unauthenticated access may be provisioned commensurate with usage and risk.
      3. Authorized users accessing RSCC computing resources and network with their own personal equipment are responsible for ensuring the security and integrity of the systems they are using to establish access.
      4. For systems that contain critical or confidential classified data, RSCC will use secure methods that uniquely identify and authenticate users. Such methods can include multi-factor authentication, passwords, data loss prevention, device management, biometric and public/private key pairs.
  4. Access Controls
    1. Access to information assets must be restricted to authorized users and must be protected by appropriate physical, administrative, and logical authentication and authorization controls.
    2. Protection for information assets must be commensurate with the classification level assigned to the information.
    3. Each computer system shall have an automated access control process that identifies and authenticates users and then permits access based on defined requirements or permissions for the user or user type.
    4. All users of secure systems must be accurately identified, a positive identification must be maintained throughout the login session and actions must be linked to specific users.
    5. Access control mechanisms may include user IDs, access control lists, constrained user interfaces, encryption, port protection devices, secure gateways/firewalls, and host-based authentication.
  5. User Identification, Authentication, and Accountability
    1. User IDs
      1. The access control process must identify each user through a unique user identifier (user ID) account.
      2. User IDs for employees are created and initiated from the Banner system upon employment.
      3. User IDs for students are created and initiated from the Banner system upon acceptance or the existence of financial aid.
      4. Users must provide their user ID at logon to a computer system, application or network.
    2. Individual Accountability
      1. Individual accountability must be maintained.
      2. Each user ID must be associated with an individual person who is responsible for its use.
      3. Individuals with authenticated access must not share their login credentials with anyone; the penalty for doing so is immediate rescission of access.
    3. Authentication
      1. Authentication is the means of ensuring the validity of the user identification.
      2. All user access must be authenticated.
        1. The minimum means of authentication is a personal secret password that the user must provide with each system and/or application logon.
        2. All passwords used to access information assets must conform to certain requirements relating to password composition, length, expiration, and confidentiality.
  6. Access Privileges
    1. Each user’s access privileges shall be authorized on a need to know basis as dictated by the user’s specific and authorized role.
    2. Authorized access shall be based on least privilege.
      1. This means that only the minimum privileges required to fulfill the user’s role shall be permitted. Administrative access on computers is limited to appropriate IT staff. Exceptions must be approved by the Chief Information Officer (CIO).
      2. Access privileges shall be defined to maintain appropriate segregation of duties to reduce the risk of misuse of information assets.
      3. Any access that is granted to data must be authorized by the appropriate data trustee.
    3. Access privileges shall be controlled based on the following criteria, as appropriate:
      1. Identity (user ID)
      2. Role or function
      3. Physical or logical locations
      4. Time of day/week/month
      5. Transaction based access
      6. Access modes such as read, write, execute, delete, create, and/or search.
    4. Privileged access (e.g., administrative accounts, root accounts) must be granted based strictly on role requirements. The number of personnel with special privileges should be carefully limited.
  7. Access Account Management

    1. User ID accounts must be established, managed, and terminated to maintain the necessary level of data protection.
    2. The following requirements apply to network logons as well as individual application and system logons and should be implemented where technically and procedurally feasible.

      1. Account creation requests must specify access either explicitly or request a role that has been mapped to the required access.
      2. New accounts created by mirroring existing user accounts must be audited against the explicit request or roles for appropriate access rights.
      3. Accounts will be locked after five (5) consecutive invalid logon attempts. When a user account is locked out, it should remain locked out for a minimum of 30 minutes or until authorized personnel unlock the account. All workstations will automatically lock after 15 minutes of inactivity, requiring reauthentication using the user’s password. This time may be adjusted on lab and teaching workstations when necessary, up to a maximum of 30 minutes. In addition, after 2 hours of inactivity, lab and teaching workstations will log off, requiring users to log back in and restart their applications. If the computer logs off due to inactivity, all unsaved work will be lost.
      4. Systems housing or using restricted information must be configured in such a way that access to the restricted information is denied unless specific access is granted. Access to restricted information is never to be allowed by default.

        1. For Banner, the supervisor requests an employee’s access via Workflow. Data custodians will approve or reject the request. Upon completion of approvals, IT will grant the access in Banner.
        2. Any Banner modification(s) of security is initiated by the data custodians.
        3. In the case of an employee transfer, supervisors are required to submit a new Banner Workflow request. If no Banner access is required, IT must be notified.
      5. IT personnel will revoke access upon notification that access is no longer required in accordance with the following procedures.

        1. Access privileges of terminated or transferred employees must be revoked or changed as soon as notification of termination or transfer occurs. Supervisors are responsible for notifying HR of employee departures that occur prior to the contract end date.
        2. Employees voluntarily leaving employment are responsible for initiating the Employee Checkout form.
        3. In cases where an employee is not leaving on good terms, the user ID must be disabled simultaneously with departure. Human Resources is responsible for initiating the Terminated Employee form to notify IT and other appropriate staff.
        4. Access for users who are on leave of absence or extended disability must be suspended until the user returns.
        5. Adjunct faculty member account access shall be controlled by college procedure using contract status, defined dates of employment, and information from other stakeholders who control adjunct faculty contracts.
        6. Adjunct faculty members are never granted access to Banner Admin pages.
        7. Adjunct faculty accounts are reviewed in September and February each year. Any adjuncts that have no current or future classes assigned will be locked and Banner SSB faculty access removed through an automatic process.
        8. Student accounts will be subject to deletion after one year of non-registration or when the student has no enrollment eligibility.
        9. All vendor access will be authorized and monitored by IT. An appropriate expiration date will be used based on the vendor needs up to a maximum of one (1) year. The vendor account is subject to deletion once expired.
        10. Guest accounts may be requested by employees for use by outside guests of the college for a defined length of time. Guest accounts will be the responsibility of the RSCC employee who requests them. Guest accounts will be set up to expire on the last date of requested usage, up to a maximum of one (1) year. The guest account is subject to deletion once expired.
        11. Any account may be disabled after 60 days of inactivity. Any account is subject to deletion after one (1) year of inactivity.
      6. A periodic audit of secured systems to confirm that access privileges are appropriate will be conducted. The audit will consist of reviewing and validating that user access rights are still needed and are appropriate.
      7. Applications (such as Argos and BDMS) requiring an account not tied to a single user may employ service-based accounts.

        1. Departments oversee these accounts and maintain their passwords.
        2. Applications requiring these accounts shall be monitored and audited by the appropriate user/department for which they are provisioned.
        3. Service-based accounts, due to their application centric use, are not subject to standard user account management and password rules.
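The lockout rule in item 7.2.3 above (lock after five consecutive invalid logon attempts; stay locked for at least 30 minutes or until authorized personnel unlock the account) is the kind of control that is easy to state and easy to get subtly wrong, for example by counting attempts made during the lockout window or by forgetting to reset the counter on a successful logon. The following is an added illustration, not code from Roane State or from any system the policy names. It assumes a hypothetical `LockoutTracker` class with an injected clock (`now`, in seconds) so the 30-minute window can be exercised deterministically; the credential table is constructed sample data, and a real system would verify password hashes rather than compare plaintext.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

LOCKOUT_THRESHOLD = 5          # consecutive invalid attempts before locking (policy item 7.2.3)
LOCKOUT_SECONDS = 30 * 60      # minimum lockout duration, 30 minutes (policy item 7.2.3)


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_at: Optional[float] = None   # clock value when the lock was applied


class LockoutTracker:
    """Hypothetical tracker that applies the policy's lockout rule to logon attempts."""

    def __init__(self, credentials: Dict[str, str]):
        # Constructed sample: user id -> expected password. A real deployment
        # would store a salted hash and verify it with a proper KDF instead.
        self._credentials = credentials
        self._state: Dict[str, AccountState] = {}

    def _state_for(self, user_id: str) -> AccountState:
        return self._state.setdefault(user_id, AccountState())

    def is_locked(self, user_id: str, now: float) -> bool:
        """True while the account is inside its lockout window.

        Once the minimum 30-minute window has elapsed the lock is released
        automatically and the failure counter is reset.
        """
        st = self._state_for(user_id)
        if st.locked_at is None:
            return False
        if now - st.locked_at >= LOCKOUT_SECONDS:
            st.locked_at = None
            st.consecutive_failures = 0
            return False
        return True

    def attempt(self, user_id: str, password: str, now: float) -> str:
        """Process one logon attempt and return 'ok', 'invalid' or 'locked'."""
        if self.is_locked(user_id, now):
            # Attempts during the window are rejected without touching the
            # counter, so a locked account cannot be kept locked indefinitely
            # by a stream of further guesses.
            return "locked"
        st = self._state_for(user_id)
        expected = self._credentials.get(user_id, "")
        if expected and hmac.compare_digest(expected, password):
            st.consecutive_failures = 0          # a good logon resets the streak
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures >= LOCKOUT_THRESHOLD:
            st.locked_at = now                   # fifth consecutive failure locks
            return "locked"
        return "invalid"

    def admin_unlock(self, user_id: str) -> None:
        """Manual unlock by authorized personnel, as the policy permits."""
        st = self._state_for(user_id)
        st.locked_at = None
        st.consecutive_failures = 0


def demo() -> list:
    """Walk through the policy scenario on constructed data and return the outcomes."""
    tracker = LockoutTracker({"jdoe": "Correct Horse Battery Staple"})
    results = [tracker.attempt("jdoe", "wrong guess", now=t) for t in range(5)]
    results.append(tracker.attempt("jdoe", "Correct Horse Battery Staple", now=100))    # still locked
    results.append(tracker.attempt("jdoe", "Correct Horse Battery Staple", now=1804))   # 30 min elapsed
    return results


if __name__ == "__main__":
    print(demo())
```

The important edge cases are visible in `demo()`: the fifth consecutive failure applies the lock, a correct password presented inside the window is still refused, and the lock lifts on its own once 30 minutes have passed since it was applied.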
  8. Procedures

    1. Digital Identity and Authentication Management

      1. Password (and Passphrase) Construction

        1. The effectiveness of passwords to protect access to college information directly depends on strong password construction and handling practices. All users must construct strong passwords for access to all college networks and systems using the following criteria.
        2. For all directions concerning password lengths, password change schedules and the use of passphrases rather than passwords, RSCC will follow the National Institute of Standards and Technology (NIST).
      2. For employee, student, and guest accounts, passphrases will be required. Passphrases must be composed of a minimum of fourteen (14) characters. Employee passwords must be composed of a combination of at least three (3) of the following four (4):

        1. Upper case alphabetic character
        2. Lower case alphabetic character
        3. Numeric character; OR
        4. Non-alphanumeric character (if the application permits)
    2. Password Management
      The following requirements apply to end-user password management.

      1. Storage and Visibility

        1. Passwords must not be stored in a manner which allows unauthorized access.
        2. Passwords will not be stored in a clear text file.
        3. Passwords will not be sent via unencrypted email.
      2. Changing Passwords

        1. Employees with non-privileged accounts must change their passwords every 365 days. Student accounts are exempt from this requirement.
        2. Users with privileged accounts (such as those with DBA, root or administrator level access) must change their passwords at least every 120 days.
        3. Passwords must be changed within one (1) business day if any of the following events occur:

          1. Unauthorized password discovery or usage by another person.
          2. System compromise (unauthorized access to a system or account).
          3. Insecure transmission of a password.
          4. Accidental disclosure of a password to an unauthorized person.
          5. Status changes for personnel with access to privileged and/or system accounts.
        4. Password files or hashes should not be shared with any entity without formal written consent.
        5. The following requirements apply to system accounts.

          1. System accounts are not required to expire but must meet the password construction requirements above (where supported by the underlying technologies).
          2. Vendor-provided passwords must be changed upon installation using the password construction requirements above (where supported by the underlying technologies).
    3. Multi-Factor Authentication
      For systems that contain critical or confidential classified data, RSCC may require secure methods that uniquely identify and authenticate users. Such methods may include multi-factor authentication, passwords, data loss prevention, device management, biometrics and public/private key pairs.

    4. Compliance and Enforcement

      1. This policy applies to all users of information resources including faculty, staff, students, visitors, contractors and any other authorized users.
      2. Persons in violation of this policy are subject to a range of sanctions, including the loss of computer network access privileges, disciplinary action, dismissal from the college, and legal action. Some violations may constitute criminal offenses under Tennessee, other local, and federal laws.
      3. Justifications for exceptions to this policy must be documented and must be approved by the college president or CIO.
  9. Responsible Party
    The CIO shall be responsible for development and maintenance of this policy for issuance by the VP for Business and Finance.

To the extent a discrepancy exists between this policy and related TBR or state policy or law, TBR and state policy shall take precedence.

Revision History: 10/26/2021
TBR Policy Reference: 1.08.03.00
Revision Date Effective: 04/29/2024
Revision Approval By: Christopher L. Whaley, President
Original Date Effective: 03/03/2014
Original Approval By: Christopher L. Whaley, President
Office Responsible: Vice President for Business & Finance
Reviewed: 02/19/2024
