Back to Top

Purpose

There are many vectors by which an individual might gain unauthorized access to the campus network and information system. The Division of Information and Instructional Technology (IIT) has improved user identity authentication to protect against unauthorized access by using multi-factor authentication (MFA).

MFA is a security process whereby users must provide at least two different authentication factors to verify their identities and access their accounts. This process ensures better protection of both a user’s personal information, credentials and other assets, while also improving the security around the resources the user can access. MFA is required for all privileged or administrator accounts.

The purpose of this Information Technology Requirement (ITR) is to provide guidelines for additional authentication using MFA for connection to the AACC network and information systems on and off campus. Implementation of MFA is designed to minimize the potential security exposure to AACC from damages which may result from unauthorized use of college resources. MFA adds a layer of security which helps limit any use of compromised credentials.

Scope

Multi-factor authentication is required to access AACC IT systems and data. MFA will be implemented as software lifecycles permit. The ITR applies to all members of the AACC community, including affiliates, students, faculty, staff, retired employees and volunteers that use their AACC account to connect to the College’s network or technology resources. This ITR applies to any user interfacing system accessing College data where MFA can be utilized.

User Responsibilities

System Administration

MFA is required for all system administration and tasks/functions requiring elevated administrator privileges. MFA is required for administration of Colleague, the student information system and ERP.

Faculty and Staff

MFA is required to access the AACC IT computing environment remotely.  When on premise, MFA is required except where it hinders instruction and student learning. MFA is not required if the user cannot perform the steps required to complete MFA.

Colleague is only available from the local network and has separate credentials from our network credentials. Therefore, to access Colleague, a user must successfully access the network and then successfully access Colleague – two levels of separate and distinct credentials are required. All VPN access to AACC IT resources (remote access) requires a college-issued computer and MFA. Ellucian applications that access information from Colleague require faculty and staff to provide MFA through Azure single sign-on. 

User Requirements:

  • Individuals are required to complete the MFA process, as required by automated access controls.
  • Individuals are required to register an appropriate device for completing MFA.
  • MFA is required for all externally exposed enterprise or third-party applications, under the management and control of AACC, where supported. Enforcement of MFA is through a directory service or SSO protocols.
  • MFA is required for remote network access.
  • MFA is required for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.

User Notification Responsibilities:

  • It is the user’s responsibility to request exceptions when issues are identified that do not allow completion of MFA.
  • It is the user’s responsibility to promptly report compromised credentials to the Information Security team.
  • It is the user’s responsibility to promptly report a lost or stolen MFA device to the Information Security team.

Students

MFA opt-in option for students has been tested and will begin in January 2024. Students do not have access to customer information on the AACC's system. They do not have access to banking information. And they do they have access to Colleague or any other students PII.

AACC's decision to permit opt-in MFA for students is based on a careful assessment of security risks, privacy considerations, student success factors, as well as AACC's specific needs and resources. AACC will still promote good security practices and provide guidance on using MFA as a tool to enhance the protection of their accounts and data.

Other factors in this decision include:

  • Our Focus on Student Success: The primary mission of an educational institution is to provide education. MFA can be a barrier to student success.
  • Risk Assessment: AACC has determined that student accounts have a lower risk profile compared to faculty or administrative accounts.
  • Usability and Accessibility: MFA is cumbersome for students and is an especially inequitable requirement for those students who can't afford a cell phone. In addition, some students might have accessibility challenges that make it difficult for them to use certain MFA methods.
  • Expressed Privacy Concerns: Some AACC students may have expressed privacy concerns about sharing multiple forms of verification, particularly if the data collected during the MFA process is sensitive. To counterbalance this legitimate request, AACC has agreed to allow students to opt out of MFA for privacy reasons, while still encouraging it for enhanced security.

Enforcement

  • This ITR regulates the use of all MFA access to the College network, and users must comply with the Code of Computing Practices.
  • Services will be disabled immediately if any suspicious activity is observed. Service will remain disabled until the issue has been identified and resolved.
  • Any AACC employee found to have intentionally violated this requirement or the Authorized Use of Information Technology Resources Information Technology Requirements and Guidelines will be subject to loss of privileges.
  • By choosing to use the College service, the user agrees to all terms and conditions listed above.

Any individual who violates this ITR may lose computer and/or network access privileges and may be subject to remediation and/or disciplinary action in accordance with and subject to appropriate AACC policy and procedures.

Exemptions

MFA is not required where completion of the process hinders student learning and/or where MFA cannot be performed due to the computing environment.

There may be situations in which a member of the College community has a legitimate need to utilize College technology resources outside the scope of this ITR. The Information Security team may approve, in advance, exception requests based on balancing the benefit versus the risk to the College. Exceptions require DIS (director of Information Security) review, and VP-IIT approval to be permanent.

Contingencies

None

Review Process

Information Technology Requirements will be reviewed every 12 months or sooner, if required. Guidelines and Processes will be reviewed every 24 months or sooner, if required.

 

Guideline Title: Information Technology Asset Management Information Technology Requirement

Guideline Owner: Vice President for Information and Instructional Technology

Guideline Administrator: Director, Information Security

Contact Information: John Williams, [email protected]  

Approval Date: Jan. 8, 2024

Effective Date: Jan. 8, 2024

History: Adopted Oct. 13, 2023

Applies to: Faculty, staff and students

Related Policies: N/A

Related Procedures: N/A

Related Guidelines: N/A

Forms: N/A

Relevant Laws: N/A