top of page

Access Control Policy

Read Access Control Policy Carefully


Updated April 01, 2024


The following Terms and Conditions outline the rules and regulations for the use of our Journal/Website, Asiatic Society for Social Science Research (ASSSR) journal, products and services offered by us, as it applies to all writers, publishers, students, teachers and others who access or use this website. Please read them carefully.


SCOPE
This policy applies to Asiatic Society for Social Science Research (ASSSR) faculty, staff, students and other stakeholders that connect to servers, applications of network devices that contain or transmit ASSSR Protected Data, per the Data Classification Policy. All servers, applications or network devices that contain, transmit or process ASSSR Protected Data are considered “High Security Systems''.

PURPOSE
Access controls are designed to minimize potential exposure to the organization resulting from unauthorized use of resources and to preserve and protect the confidentiality, integrity and availability of the Organization networks, systems and applications.

POLICY
Segregation of Duties
Access to High Security Systems will only be provided to users based on business requirements, job function, responsibilities, or need-to-know. All additions, changes, and deletions to individual system access must be approved by the appropriate supervisor and the ASSSR, with a valid business justification. Access controls to High Security Systems are implemented via an automated control system. Account creation, deletion, and modification as well as access to protected data and network resources is completed by the Server Operations group.

On an annual basis, the Organization Information Security Office will audit all user and administrative access to High Security Systems. Discrepancies in access will be reported to the appropriate supervisor in the responsible unit, and remediated accordingly.

User Account Access

USER ACCESS
All users of High Security Systems will abide by the following set of rules:

  • Users with access to High Security Systems will utilize a separate unique account, different from their normal Organization account. This account will conform to the following standards:

    • The password will conform, at a minimum, to the published ITS Password Standards.

    • Inactive accounts will be disabled after 90 days of inactivity.

    • Access will be enabled only during the time period needed and disabled when not in use.

    • Access will be monitored when account is in use.

    • Repeated access attempts will be limited by locking out the user ID after not more than six attempts.

      • Lockout duration must be set to a minimum of 30 minutes or until an administrator enables the user ID.

    • If a session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.

  • Users will not login using generic, shared or service accounts.

  • Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.


REMOTEAPP ACCESS
Users may only gain access to the RemoteApp environment if:

  • A user’s manager must submit the request.

  • The President, Secretary, Cash Management or  Treasurer, eCommerce must approve all requests.

  • Users will abide by the above user access guidelines.

  • Users must complete annual PCI training through the Treasurer’s Office.

  • Password reset requests must be submitted to the Treasurer’s Office and verified with the user’s manager.


ADMINISTRATIVE ACCESS
Administrators will abide by the Privileged Access Policy.

  • Users will abide by the above user access guidelines.

  • Administrators will immediately revoke all of a user’s access to High Security Systems when a change in employment status, job function, or responsibilities dictate the user no longer requires such access.

  • All service accounts must be used by no more than one service, application, or system.

  • Administrators must not extend a user group’s permissions in such a way that it provides inappropriate access to any user in that group.

  • All servers, applications and network devices shall contain a login banner that displays the following content:

“This computer and network are provided for use by authorized members of the ASSSR community. Use of this computer and network are subject to all applicable ASSSR policies, including Information Technology Services policies (http://www.asssr.org/aboutus), and any applicable ASSSR MoA. Any use of this computer or network constitutes acknowledgment that the user is subject to all applicable policies. Any other use is prohibited. Users of any networked system, including this computer, should be aware that due to the nature of electronic communications, any information conveyed via a computer or a network may not be private. Sensitive communications should be encrypted or communicated via an alternative method.”

REMOTE ACCESS

All users and administrators accessing High Security Systems must abide by the following rules:

  • No modems or wireless access points are allowed on high security networks, or other unapproved remote access technology.

  • All remote access must be authenticated and encrypted through the Organization's VPN, ASSSR Secure Access (ASS).

  • All remote access will be accomplished through the use of two factor authentication; a username and password or PIN combination, and a second method not based on user credentials, such as a certificate or token, provisioned to the user.

  • Any machine used for remote access must have antivirus and host-based firewall software installed, running, and enabled. This requirement is enforced by a host checker component of the Organization’s VPN software, and remote access to the High Security Network is only possible after a machine has passed these configured checks.

  • Any third party, non-ASSSR affiliate that requires remote access to High Security Systems for support, maintenance or administrative reasons must designate a person to be the Point of Contact (POC) for their organization. In the event the POC changes, the third party must designate a new POC.

  • All third party access to High Security Systems must be approved by the Information Security Officer or their designee.

  • Third parties may access only the systems that they support or maintain.

  • All third party accounts on High Security Systems will be disabled and inactive unless needed for support or maintenance. Requests for enabling access must follow the procedure outlined in The ASSSR Vendor Access to Internal Systems Policy. Requests for access outside of this policy are expressly denied.  The server System Administrator will be responsible for enabling/disabling accounts and monitoring vendor access to said systems. All third parties with access to any High Security Systems must adhere to all regulations and governance standards associated with that data (e.g. PCI security requirements for cardholder data, FERPA requirements for student records, HIPAA requirements for Protected Health Information). Third party accounts must be immediately disabled after support or maintenance is complete.

  • Data must not be copied from high security systems to a user’s remote machine.

  • Access will be disconnected automatically after 24 hours.

  • Users will abide by the above user access guidelines.

PHYSICAL ACCESS

All ITS data centres will abide by the following physical security requirements:

  • Video surveillance will be installed to monitor access into and out of ITS data centres.

  • Access to ITS data centres will be accomplished the use of electronic badge systems.

    • Only the Facilities Department, ITS Infrastructure Services Director, and the Network Services Team will have physical key access.

  • Physical access to ITS data centres is limited to ITS personnel, designated approved ASSSR employees or contractors whose job function or responsibilities require such physical access.

    • These individuals will be classified appropriately in the ITS Roles and Responsibilities Matrix.

  • ASSSR badges will be prominently displayed.

  • Visitors accessing ITS data centres will be accompanied by authorized ITS personnel, and all access will be logged via the ITS Data Center Visitor Access Log.

    • This log will be stored at each ITS Data Center.

    • Each visitor, and accompanying authorized ITS personnel, must sign in and out of the data center.

    • The log will be kept for at least a period of three months.

  • Modification, additions or deletions of physical access to ITS data centres will be accomplished by utilizing the ITS High Security Authorization Form.

  • All terminated onsite personnel and expired visitor identification (such as ID badges)" will have their access revoked immediately.

  • Physical access requires the approval of the ITS Infrastructure Services Director.

  • The Information Security Team and the ITS Infrastructure Services Director will audit physical access to ITS data centres on an annual basis.

POLICY ADHERENCE

Failure to follow this policy can result in disciplinary action as provided in the Employee Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

QUESTION ABOUT THIS POLICY

If you have questions about this policy, please contact the Information Security team at email@asssr.org.

bottom of page