9:140-AP1 Access Control & Permissions Review
Purpose
This procedure establishes District expectations for controlling, reviewing, and maintaining access to information systems and data. It supports the District’s information security program by ensuring access is appropriate, limited to legitimate business needs, and periodically reviewed.
Scope
This procedure applies to:
- District employees
- Contractors and third-party service providers
- Volunteers and other individuals granted system access
- District information systems, applications, and data resources
Procedure
I. General Access Control Expectations
The District shall implement access controls that:
- Limit access based on job responsibilities
- Protect sensitive and confidential information
- Reduce the risk of unauthorized access, misuse, or data exposure
- Support accountability and auditability
Multi-factor authentication is required for privileged, remote, and system access to District information systems.
Access to District systems shall be granted only as required to perform assigned duties.
II. Access Authorization
- Approval Requirements
  - Access must be authorized by appropriate supervisory or administrative personnel before it is granted, except where temporary emergency access is approved and documented in accordance with internal operating procedures.
  - Authorization is based on role, responsibilities, and operational need.
- Appropriate Use
  - Users must comply with District policies related to acceptable use, data protection, and security.
  - Access may not be shared or transferred without authorization.
III. Periodic Access Review
- The District conducts access reviews on a schedule established in internal operating procedures to ensure permissions remain appropriate.
- Reviews may occur on a scheduled basis or in response to changes in employment status, role, or system risk.
- Identified access discrepancies are addressed in a timely manner.
IV. Access Changes and Removal
- Role or Assignment Changes
  - Access is adjusted when an individual’s role or responsibilities change.
- Separation
  - Access to District systems is removed or disabled when an individual separates from the District.
- Temporary Access
  - Temporary or elevated access is granted only when necessary and removed when no longer required.
V. Oversight and Accountability
- The Superintendent or designee provides oversight of access control practices.
- The Technology Department supports implementation and coordination.
- Administrative approval is required for any deviation from this procedure.
VI. Compliance and Review
Failure to comply with this procedure may result in disciplinary action and/or legal consequences.
This procedure shall be reviewed at least annually and updated as necessary to reflect changes in law, Board policy, technology, cybersecurity risk, or District operations.
