IT Security Policy 102 – User Authentication

Status: Final Draft
Last Revision Date: April 29, 2025

Statement of Purpose

The first step in securing data is ensuring that access is granted only to authorized individuals based on their assigned duties and responsibilities. This policy establishes controls for user authentication and access assignment that align with applicable federal and state regulations, institutional policies, and industry best practices. It supports the security principle of “least privilege,” ensuring users of Clackamas Community College (CCC) Electronic Information Resources (EIR) access only the data necessary to perform their roles.

Policy Summary

This policy defines the requirements for user identity verification, access provisioning, and control mechanisms to protect College resources and data. It applies to all users—including staff, faculty, students, and third-party service providers—with access to College-owned or managed EIR.

This policy ensures compliance with:

  • Family Educational Rights and Privacy Act (FERPA)

  • Gramm-Leach-Bliley Act (GLBA)

  • Federal Information Security Modernization Act (FISMA)

  • NIST SP 800-53, ISO/IEC 27001, and CIS Controls

In cases of conflict with regulatory requirements, those regulations shall supersede this policy.

Policy

1. New User Onboarding

  • New users must agree to comply with all Clackamas Community College policies and procedures prior to being provisioned with access credentials.

  • Hiring managers and Human Resources (HR) must perform pre-employment screenings appropriate to the position.

  • Unsatisfactory results from background checks must be documented, including compensating access controls.

  • Third-party service providers must complete applicable screenings, background checks, and contractual agreements before being granted access to EIR.

2. Least Privilege Access

  • Access rights shall be role-based and granted according to the principle of least privilege.

  • When access requirements for a role are undefined, they may be modeled on similar roles, pending data owner review.

  • All requests for additional access must be documented and formally approved by the data owner or designated authority.

  • Data owners must notify the data steward when access revocation is required.

  • Third-party access must be limited to resources necessary to fulfill contractual obligations.

  • Local accounts for third parties must expire within 90 days, with renewals requiring documented approval not to exceed an additional 90 days.

  • Shared or service accounts used by third parties must be continuously monitored.

3. Authentication and Passwords

  • Each user must be assigned a unique user ID; the use of unauthenticated (e.g., passwordless) accounts is prohibited.

  • Authentication must comply with Policy 102a (Password Policy) and Policy 102b (Shared Account and Device Policy).

  • All applicable systems must employ procedural or automated access control for user authentication.

  • Authentication must be centralized through Microsoft Active Directory or Azure AD. Intermediary services (e.g., SSO, RADIUS, ADFS) are acceptable only when they query Active Directory.

  • Systems outside Microsoft AD must undergo routine auditing and stale account removal.

  • Use of College-assigned credentials for private account registration is prohibited.

  • Credentials must not be used by anyone other than the assigned user.

4. Multi-Factor Authentication (MFA)

  • Multi-Factor Authentication (MFA) requirements and controls are defined in Policy 102c – Multi-Factor Authentication (MFA). All users must comply with the conditions outlined in that policy when accessing CCC Electronic Information Resources that require MFA.

5. Periodic Access Review

  • Access rights for all users must be reviewed at least annually by the data owner or their designee.

  • Results of access reviews must be documented and retained by the data steward for audit purposes.

6. Logging and Monitoring

  • All user access events must be logged where technically feasible.

  • Authentication logs must be reviewed regularly to detect unauthorized access attempts.

  • Logs must be retained in accordance with the College’s retention policy and applicable regulations.

7. Definitions

Exemptions

None.

Exceptions

Exceptions to this policy must be requested in writing and pre-approved by the Chief Information Officer (CIO). All approved exceptions must be documented and periodically reviewed.