Access Controls Security Policy
Issued August 31, 2009
Table of Contents
.030 Effective Date
Access controls are the rules that an organization applies in order to control access to its information assets. The risks of using inadequate access controls range from inconvenience to critical loss or corruption of data. This policy defines access control standards for system use notices, remote access, and definition and documentation of trust relationships for K-State information systems.
This policy applies to all university colleges, departments, administrative units, and affiliated organizations that use university information technology resources to create, access, store or manage University Data to perform their business functions.
.030 Effective Date
This policy became effective on August 26, 2009.
Access control standards for K-State information systems are to be established in a manner that carefully balances restrictions that prevent unauthorized access to information and services against the need for unhindered access for authorized users.
System use notice - Before a user gains access to a K-State computer, a general system use notice must be displayed that welcomes users and identifies it as a K-State system, warns against unauthorized use of the computer, and indicates that use of the system implies consent to all relevant K-State policies. The general system use notice should also be displayed before a user gains access to a K-State information system, where practical. The system use notice must state the following:
Welcome to Kansas State University's information technology resources. Access to this system and all other electronic resources at K-State is restricted to employees, students, or individuals authorized by the University or its affiliates. Use of this system constitutes agreement to abide by all relevant K-State policies. Unauthorized or inappropriate use may result in limitation or revocation of use privileges and/or administrative, civil, or criminal penalties.
Remote access - Remote access control procedures must provide appropriate safeguards through appropriate identification, authentication, and encryption techniques. Direct log-on to campus computers from off-campus locations is not allowed. A remote user must first authenticate to an authorized campus remote access service with strong encryption, such as K-State's VPN service or a departmental Windows Terminal Services (i.e. Remote Desktop Services) or Secure Shell (ssh) server, before logging into a campus computer. This restriction does not apply to authenticated user access to web applications like KSIS, K-State Online, Webmail, or to systems designed for public access.
For additional security controls for remote access, see Data Security Standards in K-State's Data Classification and Security Policy.
- Trust relationships - Trust relationships for centrally-managed University information systems or any system with confidential data must be defined and documented, approved by an appropriate authority, and periodically reviewed and revised as needed. Security controls, such as firewall rulesets, must be configured to enforce the trust relationships.
- Process of verifying one's digital identity. For example, when someone logs into a workstation or server with their eID, the password verifies that the person logging in is the owner of the eID. The verification process is called authentication.
- Confidential Data
- Highly sensitive University Data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know. See K-State's Data Classification and Security Policy for an expanded definition and examples.
- K-State Computer
- Any computer considered to be the property of Kansas State University.
- Local Network
- Any segment of K-State's data network physically located on the Manhattan or Salina campus. This includes devices on the network assigned any routable and non-routable IP addresses, typically 129.130.X.X or 10.X.X.X, respectively, and applies to the wireless network and the network serving K-State's student residence halls and Jardine Apartments.
- Remote Access
- Accessing a K-State local network from any physical location outside the Manhattan or Salina campus. This includes access from off campus using K-State's Virtual Private Network (VPN) service.
- Trust relationships
- A specification of the level of access granted to computer systems and/or applications that are trusted to access resources on a server and its associated data and applications. This applies to access controls between systems, not access rights for individual users or roles.
- University Data
- Any data related to Kansas State University ("University") functions that are:
- Stored on University information technology systems.
- Maintained by K-State faculty staff, or students.
- Related to institutional processes on or off campus.
This applies to any format or media (in other words, it is not limited to electronic data).
- Virtual Private Network (VPN)
- Povides a secure communication channel over the Internet that requires authentication to set up the channel and encrypts all traffic flowing through the channel.
.070 Roles and Responsibilities
Chief Information Security Officer (CISO) - Responsible for developing guidance on documentation and approval of trust relationships.
.080 Implementation Procedures
The System Use Notice should be passively displayed such that no user action is required to view it before logging into the K-State computer or information system.
.090 Related Laws, Regulations, or Policies
- Additional K-State access control policies
- Data access controls - Access controls based on data classifications are specified in K-State's Data Classification and Security Policy.
- Password security - Passwords are commonly used in conjunction with an identifying username to control access to information and information systems. K-State's password requirements are listed in K-State's Security for Information, Computing and Network Resources Policy.
- Unattended computers - Security controls for preventing unauthorized access to unattended computers are defined in K-State's Security for Information, Computing and Network Resources Policy.
- Vendor access - Access controls for vendors or other third parties who need to access K-State information systems for business reasons are defined in K-State's Data Classification and Security Policy.
- Other related laws, regulations, or policies
- K-State's Data Classification and Security Policy.
- State of Kansas Information Technology Policy 7230 - General Information Technology Enterprise Security Policy.
- State of Kansas Default Information Technology Security Requirements (pdf), March 2006.
- ISO/IEC 27002:2013, Information technology - Security techniques - Code of practice for information security management, published by the International Standards Organization. This is an international security standard that specifies security requirements for controlling access (see chapter 11, Access control) to ensure that access to information and information systems is limited to authorized users.
The Chief Information Officer (CIO) is responsible for this policy. The CIO or designee must approve any exception to this policy or related procedures. Questions should be directed to the Chief Information Security Officer.