Information Security Standard
I. Purpose and Scope
The objective of this Information Security Standard is to provide internal controls for access to Long Beach Community College District (LBCCD) sites, information, and applications. This Information Security Standard is part of a series of security standards governing the secure use and access of Information Technology Systems and Services.
Access controls may be physical (such as locks and badges), administrative (such as the regulation to safeguard passwords), or technical (protections enforced by software settings or privileges). These controls are designed to either allow or restrict the ability to view, update, or delete the information within LBCCD networks and systems, or paper documents.
1. Applicability of Assets
The scope of this Information Security Standard includes all electronic assets that are owned or leased by LBCCD. Assets may include but are not limited to:
- Desktop and Laptop Computers
- Mobile Devices
- Network Infrastructure
- Electronic Media
This Information Security Standard applies to District personnel (anyone operating on behalf of LBCCD), including but not limited to full-time, part-time, temporary, and student employees as well as consultants, contractors, and volunteers.
3. Applicability to External Parties
This Information Security Standard applies to all external parties, including but not limited to LBCCD business partners, vendors, suppliers, outsource service providers, and other third-party entities with access to the LBCCD network, system, and electronic resources.
II. Access Control
1. Access Control Principles
There are three basic access control principles at the LBCCD:
- All information will be made available only to those with a legitimate “need-to-know”. Access will be provided on this basis, guided by job requirements and data classification.
- Access controls for LBCCD systems will be provided in a manner that promotes individual accountability. Audit trails and monitoring of access establishes accountability and allows for follow-up of access violations and security breaches.
- Users with the highest levels of privilege on a computer system will be restricted to the least privileges necessary to perform the job.
2. Authentication to LBCCD Systems
Authentication is the verification of a user’s claimed identity. Identification is required by all individuals before gaining access to secured LBCCD facilities or systems such as server rooms, network closets, cash handling rooms, and other areas where security is in the interest of the District.
Internal (LBCCD personnel) and external (non-personnel) users must provide a valid and unique user ID to authenticate to the network. In addition to a unique ID, the authentication method must include at least one of the following:
- A password or passphrase
- Token device or smart card
If the new user is a contractor or non-employee, the user ID will be identifiable as such by its naming convention.
Group, shared, or generic accounts do not provide accountability, and will not be used for network or application authentication. Typical exceptions may apply to this requirement, such as a system account that is required for server or network processing.
Physical access to secured facilities requires that LBCCD users possess appropriate access badges or credentials to enter all sites. Some areas, such as computer rooms, may require additional levels of access, cards, or keys.
In accordance with NIST SP 800-63, multi-factor authentication (MFA) shall be used whenever possible, especially with those systems that process, store, or transmit sensitive data (e.g., email, student management and financial systems, etc.). Refer to ISBP: Multi-Factor Authentication for more information.
3. Authorization to Applications
The addition, modification, and deletion of user IDs and other credentials must be controlled. Data Owners (or their designate) have responsibility for making security decisions about applications that process data for which they are responsible. Assuming the role of Owner may require:
- Approving and re-certifying access by users to systems or data they control.
- Classifying data belonging to the application system they manage (determining the level of confidentiality or classification that should be assigned to an application’s data, which will dictate its level of protection).
Access to certain functions may be provisioned automatically based on the job position. Otherwise, the appropriate IT department, as authorized by Data Owners, must approve all new accounts except for those provisioned automatically. Each access request must contain written and/or electronic evidence of approval by the Data Owner or District IT. Extension authorizations for contractor accounts must be applied by District IT to provide an audit trail.
Access requests must specify access either explicitly or via a “role” that has been mapped to the required access. Outside of initial standard network access provided based on the job position of the users, access to additional applications or capabilities is discretionary and must be both requested and approved by the Data Owner. For additional access, users should submit an access request.
Departmental Security Administrators may set up access for some applications. District IT will pass the request on to the relevant team to set up access.
4. Security Administrators
The District IT department is responsible for administering overall system access within LBCCD, and so may request information from appropriate managers or administrators, such as who has access to their applications, and the procedures that they have put in place to provision them.
Some users (within specific Business Units or District IT) may have a higher level of access privilege to administer systems or applications. They may have the ability to add, modify, or delete other users for the applications they control.
Systems administrators, under management supervision, have a responsibility to maintain appropriate access controls for the applications they maintain to protect information from unauthorized access. The number of administrators should be tightly controlled and limited to as few as necessary.
Security administrators will only use their privileged accounts to carry out administrative tasks that require privileged access. A non-privileged account will be used to perform routine tasks.
Users of LBCCD computer systems will be provided with one or more unique accounts and associated passwords.
Users will be held accountable for work performed with the account(s) issued to them, and are responsible for the confidentiality of their passwords. Passwords must be difficult to guess and kept private. Users must not disclose their password to anyone. Refer to Administrative Regulation 6006 for more information.
The following rules apply to password composition:
- Must not be left blank when a new account is created. New passwords must not be the same for all users.
- New passwords must be changed immediately upon first use
- New passwords must not be the same as the three (3) previously used passwords
- Must have a minimum length of 16 characters
- Must contain both numeric and alphabetic characters
Accounts that are not protected by MFA must have their passwords changed every 90 days (some passwords within IT are exempt from this requirement).
If a user requests a password reset via phone, email, web, or other non-face-to-face method, Administrators who can reset passwords must verify the user’s identity, such as by providing an element of personal information, before changing the password.
Refer to ISBP: Passwords and Passphrases for further information.
6. Account Lockout
Accounts will be locked after five (5) invalid login attempts. Once an account is locked, a System Administrator or authorized student services representative is required to reset the account after the user’s identity has been verified. The lockout duration will be set to a minimum of 30 minutes or until an administrator enables the account.
Except for some system accounts, user accounts have a session idle time of 15 minutes after which the session will be locked. Refer to ISS: Screen Server Timeout for more information.
7. Compromised Accounts
User accounts that exhibit indicators of compromise will be disabled until District IT can review and reset the account. If multi-factor-authentication (MFA) was not previously enabled for that account, MFA will be enabled.
8. Emergency Accounts
An Emergency Account / User ID will be established when access is needed to diagnose or correct a problem. The request to create the Emergency ID must be made through the appropriate District IT Manager or Administrator. The ID will be enabled only for a 24-hour period unless a specific time period is requested.
The Requestor must inform the appropriate District IT manager upon completion of the work so that the ID can be disabled.
9. Termination of Access Privileges
Department supervisors must notify Human Resources if personnel will be leaving LBCCD. HR will contact District IT and other Security Administrators as required so that access may be removed. Access must be disabled immediately upon notification.
10. Review of Access
A bi-annual audit of computer resource authorizations to confirm that access privileges remain appropriate will be conducted by appropriate District IT staff. After an additional sixty (60) days, inactive accounts will be purged. These requirements may not apply to certain specialized accounts (e.g., Windows Administrator, root).
District IT, working with HR, may periodically validate employment and may immediately suspend users who are on leave-of-absence or extended disability. At least annually, District IT will request that Data Owners verify continued access by users who have access to their applications.
District IT and/or external auditors will periodically review security administration procedures for specific applications, and may employ monitoring tools to audit and verify access controls.
11. Payment Card Industry Requirements
LBCCD information technology resources will not be used to process, store, or transmit payment card data. To process online payment card transactions, Business Units will only contract with vendors that are PCI DSS compliant and provide the District with the vendor’s official attestation of compliance.