PURPOSE:
This Access Control Policy outlines the standards and procedures for granting, managing, and revoking access to Idaho College of Osteopathic Medicine (ICOM) information assets and systems. The purpose of this policy is to ensure that only authorized individuals and systems can access institutional data and resources, maintaining confidentiality, integrity, and availability, in compliance with applicable laws, regulations, and ethical standards, including but not limited to HIPAA, FERPA, GLBA, and relevant accreditation requirements. This policy supports the institution's commitment to protecting sensitive information through robust security practices.
SCOPE:
This policy applies to all individuals who access, use, or manage ICOM information assets and systems, including but not limited to:
- Faculty
- Staff
- Administrators
- Students
- Affiliates
- Contractors
- Vendors (including SaaS application vendors)
- Guest users
This policy encompasses all information assets and systems, including but not limited to:
- SaaS applications and related data
- Institutional data regardless of location (including data residing within SaaS vendor
environments) - Network infrastructure
- Endpoints (computers, laptops, mobile devices) used to access institutional resources
- Physical facilities housing information systems
- Sensitive institutional data, including student records, research data, and financial information
DEFINITIONS:
- Access Control: The process of managing who is allowed to see, use, or change information and systems. It's like having locks on doors and deciding who gets a key. This policy outlines how ICOM manages these "keys" to protect our digital resources.
- Authorization Authorities: Individuals or roles within ICOM who have the designated responsibility and authority to approve requests for access to systems and data. These are typically department heads, data owners, or system administrators.
- Endpoints: Devices that users interact with directly to access systems, such as computers, laptops, tablets, and mobile phones.
- HIPAA (Health Insurance Portability and Accountability Act): A U.S. federal law that protects the privacy and security of individuals' health information.
- FERPA (Family Educational Rights and Privacy Act): A U.S. federal law that protects the privacy of student education records.
- GLBA (Gramm-Leach-Bliley Act): A U.S. federal law that requires financial institutions (and educational institutions receiving Title IV funding, in some respects) to protect the privacy and security of consumers' nonpublic personal information.
POLICY:
Principle of Least Privilege: Access to information assets and systems will be granted based on the principle of least privilege. Users will be granted only the minimum level of access necessary to perform their assigned job functions or roles, minimizing risk and promoting data security.
Need-to-Know: Access will be granted based on a demonstrated "need-to-know." Authorization will be required to access specific data or systems, even if the user has general access privileges, ensuring that access is limited to what is strictly necessary for legitimate purposes.
Access Authorization Process:
- Formal Request: Access requests must be initiated by the user's supervisor or department head, clearly outlining the roles and responsibilities requiring access. The request can be made by submitting an email to ICOM’s helpdesk at help@icom.edu.
- Approval Workflow: Requests must be approved by designated authorization authorities (e.g., department head, data steward, system administrator, Chief Information Officer). The approval workflow will be documented and consistently applied, with heightened scrutiny for access to sensitive data.
- Justification: For access requests involving systems or data containing sensitive information, the justification must explicitly detail the user's role and responsibilities requiring access to this data, demonstrating adherence to the principle of least privilege and relevant security policies.
- Periodic Review: Access rights will be reviewed at least annually, or upon significant changes in job function or role, to ensure they remain appropriate and necessary and continue to align with security best practices.
Account Management:
- Unique User IDs: Each user will be assigned a unique user ID for system access. Shared accounts are strictly discouraged to ensure individual accountability and auditability.
- Strong Passwords: Users are required to create and maintain strong passwords that meet established complexity and expiry requirements in accordance with the Password Policy. Password policies must be rigorously enforced, especially for accounts with access to sensitive information.
- Multi-Factor Authentication (MFA): MFA will be implemented for critical systems and applications, especially those containing sensitive data. MFA provides a crucial extra layer of security against unauthorized access.
- Account Suspension/Termination: Access will be promptly suspended or terminated upon employee termination, role change, or when access is no longer required. Formal off-boarding procedures will be followed, ensuring timely revocation of access to institutional resources.
- Account Monitoring: User accounts and access activities may be monitored for security purposes, policy compliance, and to maintain audit trails for security and regulatory requirements.
Role-Based Access Control (RBAC): Access will be primarily managed through a Role-Based Access Control model where possible. Roles will be defined based on job functions and responsibilities within the institution. Access rights will be assigned to roles, and users will be assigned to appropriate roles. RBAC promotes efficiency and consistency in access management.
Emergency Access: Procedures for granting temporary emergency access to systems and data will be documented and implemented. Emergency access will be logged and rigorously audited to maintain accountability and security.
Vendor Access (SaaS Vendors & Others):
- Vendor access to institutional systems and data must be governed by formal agreements that clearly define access scope, purpose, duration, and security requirements, and ensure adherence to the institution's security policies and relevant regulations.
- Vendor access will be regularly reviewed and audited to ensure compliance with agreements, security best practices, and regulatory requirements.
- Strict limitations will be placed on vendor access to production environments, especially those containing sensitive information, unless absolutely necessary and appropriately controlled, with security considerations paramount.
Physical Access (If Applicable): Physical access to facilities housing information systems (e.g., server rooms, data centers, if applicable) will be restricted to authorized personnel only, utilizing access control mechanisms such as key cards, biometric scanners, and campus security officers, aligning with physical security best practices.
Data Access Agreements & Confidentiality: All individuals with access to sensitive data will be required to sign data access agreements or confidentiality agreements, acknowledging their responsibilities regarding data protection and privacy.
ENFORCEMENT:
Enforcement of this Access Control Policy is the responsibility of all managers, supervisors, and system administrators, under the overall direction of the Chief Information Officer. Violations of this policy may result in disciplinary actions, up to and including termination of employment or access privileges, and potential legal consequences as per applicable laws and regulations.
POLICY REVIEW AND UPDATES:
This Access Control Policy will be reviewed and updated at least annually, or as needed to reflect changes in technology, regulations, institutional risk assessments, business needs, or changes in relevant legal and regulatory requirements. The annual review will include an assessment of the policy's effectiveness in maintaining strong access controls and compliance. The Chief Information Officer is responsible for coordinating policy reviews and updates.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 7/8/25
Last Reviewed: 7/8/25
Review Requirement: Annual