Online Identity Management

Summary

Defines identity-based access control, provisioning, authentication, credential security, and timely de-provisioning of user accounts based on roles, status, and authorization.

Body

1. Policy Statement

Access to Massachusetts College of Art and Design (“MassArt”) Technology resources* shall be restricted to authorized individuals who have been properly authenticated. Access rights will be issued, re-issued, maintained, modified, or terminated based on the user’s verified identity, employment status, appropriate management approvals, job duties and responsibilities, and business justification.

The rules, practices, and procedures in this policy for the provisioning, management, and de-provisioning of access to MassArt information systems shall be based on generally-accepted information security best practices within Higher Education.

2. Assigned Roles

Role / Assigned Responsibilities
Information Security Officer (ISO)**
  • Monitor this policy for compliance.
  • Document and communicate any patterns, or significant instances, of non-compliance to the Chief Information Officer.
Director of Enterprise Applications and Integration; Deputy Chief Information Officer (Deputy CIO)
  • Ensure that user accounts provisioned within the Director’s or Deputy CIO’s scope of responsibility (e.g., Colleague) are provisioned, authenticated, and maintained in a manner consistent with this policy.
  • Notify the ISO of any known or suspected instances of policy non-compliance.
All Technology Staff
  • Notify the Information Security Officer of any known or suspected instances of non-compliance with this policy which become apparent from incident reporting or the planning or delivery of end user services.
Chief Human Resources Officer
  • Ensure that HR staff notify the Technology Department of employee terminations in a timely manner.

3. Rules, Responsibilities, and Prohibitions

3.1 Provisioning: Individuals are automatically assigned a persistent, unique identifier that cannot be re-assigned, in MassArt’s case the seven-digit Colleague ID number, only after information about them has been entered into the College’s administrative and student information system (a.k.a. Colleague). Colleague is the authoritative source of information used to verify employment status, academic standing, and/or relationship with the College for identity management / identity and access management (IDM/IAM) purposes. The association between the username and the person is maintained in the College’s enterprise directory.

Individuals are additionally assigned a Network Identifier (“NetID”), which is used as the username for accessing Technology resources and as the prefix of the massart.edu email address provisioned to the individual. The NetID and its associated password, and in some cases additional authentication methods (e.g., Multi-Factor Authentication), are used to access MassArt Technology resources, including but not limited to endpoints, services, and applications. Because the NetID is derived from the user’s initials and/or full name, it is not a persistent identifier: if the user’s name changes for any reason***, the NetID is updated to reflect those changes, while the Colleague ID number remains the same.

Applicants and students who have been accepted and have paid a deposit, submitted a FAFSA, declared their intent to attend, matriculated, or registered for a course may be provisioned for authentication to additional systems.

Students may be provisioned with authorization to additional systems. 

Anyone employed by the College is provisioned for authentication to Technology resources only after the Office of Human Resources or the Office of Professional and Continuing Education (PCE) enters information about them into Colleague.

Supervisors of independent contractors, consultants, third-party service providers and vendors, or other individuals who are not on the College’s payroll must submit a formal request for access to the Technology Department for a predetermined period of time. Colleague and the enterprise directory are the authoritative sources of information used to verify the individual’s relationship with the College. The association between the username and the person is maintained in the College’s enterprise directory.

3.2 Credentialing: Individuals are issued one set of login credentials (username and password) to access the campus computing network, e-mail, and academic information systems (including learning management systems and course registration and management systems). New users are issued a temporary, one-time-use password for an automated self-service application in which they verify their own identity in order to activate their login credentials to these systems. During this process they are also required to indicate that they have read and agree to the College’s Acceptable Use Policy. After completing this process the user is prompted to replace the temporary password with a new one. The new password (known only to the user) is then used in combination with the username as the login credential to access information systems for authorized use.

Login credentials will not be activated until this process is complete. Login credentials for access to Colleague are not activated as part of this process until additional criteria are met according to the College’s policy on Granting Access Privileges to Administrative and Student Information Systems.

3.3 Password Management: Login credentials**** are never distributed and are known only to the individual authorized to use them. Use of strong passwords and periodic password changes are enforced. The College’s policy on passwords to information systems and network services specifies the required composition of strong passwords, what must be done to protect passwords, and the minimum time interval for changing passwords. Individuals must reset passwords themselves, using a process similar to the one described above, by first answering a challenge question to which they provided an answer when originally activating their login credentials, or by an equivalent method. Login credentials stored or transmitted by any digital or electronic method or medium must always be encrypted using authorized and accepted standards. Passwords are never transmitted over the network in clear text.

3.4 Application Level Security: Additional access controls (beyond login credentials) that are used to restrict and grant permissions to perform certain functions pertaining to the administration of protected information and systems must be maintained in accordance with the following policies:

  • Granting Access to the Campus Computing Network
  • Granting Access to E-mail and Provision of Related Services
  • Granting Access to the Learning Management System
  • Granting Access Privileges to Administrative and Student Information Systems

3.5 De-provisioning: The Office of Human Resources must provide the Technology Department with timely notification of any change of employment status for all personnel on the payroll, along with a formal request to modify or remove electronic access privileges (including deactivating the username and password) for any individual no longer needing, or no longer authorized to have, access to secured College information systems. The Office of Professional and Continuing Education (PCE), academic departments, and administrative offices must provide the Technology Department with the same notification and request to modify or remove access for all non-payroll contractors, consultants, and other third-party users of information systems for whom they authorized access. All contractor accounts will be disabled at the end of each fiscal year unless formal requests with appropriate authorizations are provided.

4. Related Documents

Document Name: Systems and Network Security Policy
Publisher: MassArt (Technology Department)

5. Enforcement of Policy Violations

Failure to comply with this policy, intentionally or unintentionally, may result in one or more of the following: 

  • Termination, without notice, of access privileges to data and technology resources.
  • Disciplinary action, up to and including termination of employment.
  • Civil or criminal penalties as provided by law.

6. Review and Revision History

Policies must be reviewed annually by the policy owner. If a policy has been revised, then it must have all necessary approvals before being published. In the last column, indicate whether the activity was a review or a revision; if a revision, summarize the changes.

Date / Name and Title / Annual Review or Revision Summary

02-08-2021 / Bryce Cunningham, Information Security Officer / Second Draft
08-01-2023 / Patrick O'Connor, Chief Information Officer / Final
01-29-2025 / Patrick O'Connor, Chief Information Officer / Assistant Vice President, Technology / Updated Branding, Reviewed

*The access controls outlined in this policy pertain to protected Technology resources that require login credentials that are centrally managed by the College’s Technology department, and/or the designated third party service providers under this office’s supervision. This policy applies to any user of these resources, including business partners, contractors and consultants.
**As of 01-29-2025, ISO duties and responsibilities are being performed by the Deputy CIO.
***A user’s name can change for a variety of reasons - including marriage, divorce, legal name change, for gender identification purposes, or for preference.
****Login credentials may include usernames, passwords, multi-factor authentication codes, or any other type of form or method of enterprise, digital, or electronic authentication.

Policy Number:

Policy Owner:
Information Security Officer (ISO)

Applicability:

  • All Technology Department Employees

CIS Critical Security Controls:

  • CSC 16: Account Monitoring and Control

Approved by:
Chief Information Officer

Approved on:
08/01/2023

Details

Article ID: 20132
Created: Wed 4/22/26 10:04 AM
Modified: Wed 4/22/26 10:04 AM