Access Control Policy
Policy Number: IT-01
Effective: 03/13/2009
Last Revised: 10/16/2007
Responsible Executive: Executive Vice President & CFO
Contact Information: 765-677-2605
I. Scope
This policy shall apply to all IWU employees.
II. Policy Statement
Indiana Wesleyan University has established appropriate procedures to ensure that data access is safeguarded.
III. Reason for the Policy
IWU has a legal and ethical responsibility to safeguard data that the institution maintains.
IV. Procedures
Physical Security:
Key security is maintained for all areas affected. Key requests are to be supplied to Facilities by the immediate supervisor and must include a signature from the Chief Information Officer. Keys for areas other than Maxwell are maintained in a lock box in Maxwell 148.
Authentication/Authorization of Identified Critical Systems
Active Directory:
Role Based Access Control is used. Member logins and degree of access are created at the request of specified representatives from the following areas: HR, Records, Admissions, and CAPS Student Services. Identified supervisors from CAPS are allowed to create specific limited profiles for AGS Faculty. Any additional permissions requests are to be supplied by the user's immediate supervisor using a form supplied by HR.
Individual requests from the ITS Help Desk for an entry in Active Directory must be verified against a complete DRUS record in Datatel, created by Student Services, the Registrar's office or Human Resources, before a member of the Systems Administration team can complete creation of the entry.
Colleague:
Requests for Colleague access are included in the login request for new employees (loginrequest@indwes.edu), usually in the name of someone whose security can be cloned. The list of security classes is evaluated and presented to the security officers of the areas represented. For example, if the request states that the employee needs to see Financial Aid information, the security officer from Financial Aid is consulted. Security officers have the right to approve or deny access to their information. Once approvals are given, the final recommendation is sent to the person who assigns security.
Requests for employees who are transferring to new positions usually come to IT through email. The same process is followed: evaluate the request; consult with security officers; make a final decision; assign security.
The person making the initial request is notified when the process is complete. All efforts are made to have the login and security in place before the employee’s start date.
Document Imaging:
Users are initially added to Perceptive Content or Etrieve when a department goes ‘live’. Names and permissions are determined as part of the Discovery phase of the project. After implementation, a Power User communicates with the Document Imaging Analyst when permission changes are needed. For new employees, the Login Request form available on the portal is the usual method of requesting access to Perceptive Content or Etrieve. The Document Imaging Analyst works with the Power User in the area to make sure security is properly set. The Document Imaging Analyst removes users when HR sends notification of termination or resignation.
Source 4:
Source 4 changes can only be made on one desktop unit in the IS department. Access to this PC is protected by a password. Once compiled, the file is placed in a folder using the c$ share of a specific server. Access to this folder on the server is restricted.
SQL Server Farms:
SQL Server Management access is given by the Database team only. Permissions are granted by Jack Alexander (Systems Administration team) at the request of the DBA administrator. There are only three active users at the current time. Explicit permissions will be applied to any new user. Various ports have been opened on individual servers to allow SQL Server Management access, which is controlled by the Database team.
Voicemail:
Access to individual voicemail recordings is controlled by passwords created by users.
Web:
Portal page (Employee Intranet):
The login page is publicly accessible. All other Web "pages" require authentication. Users authorized to log in include IWU Faculty and Staff with permission in Active Directory and individuals authorized directly by their respective VP.