Purpose
There are many vectors by which an individual might gain unauthorized access to the campus network and information system. The Division of Information and Instructional Technology (IIT) has improved user identity authentication to protect against unauthorized access by using multi-factor authentication (MFA).
MFA is a security process whereby users must provide at least two different authentication factors to verify their identities and access their accounts. This process ensures better protection of a user’s personal information, credentials and other assets, while also improving the security around the resources the user can access. MFA is required for all privileged or administrator accounts.
The purpose of this Information Technology Requirement (ITR) is to provide guidelines for additional authentication using MFA for connection to the AACC network and information systems on and off campus. Implementation of MFA is designed to minimize the potential security exposure to AACC from damages which may result from unauthorized use of college resources. MFA adds a layer of security which helps limit any use of compromised credentials.
Scope
Multi-factor authentication is required to access AACC IT systems and data. MFA will be implemented as software lifecycles permit. The ITR applies to all members of the AACC community, including affiliates, students, faculty, staff, retired employees and volunteers who use their AACC account to connect to the College’s network or technology resources. This ITR applies to any user-interfacing system accessing College data where MFA can be utilized.
User Responsibilities
System Administration
MFA is required for all system administration and tasks/functions requiring elevated administrator privileges. MFA is required for administration of Colleague, the student information system and ERP.
Faculty and Staff
MFA is required to access the AACC IT computing environment remotely. When on premises, MFA is required except where it hinders instruction and student learning. MFA is not required if the user cannot perform the steps required to complete MFA.
Colleague is only available from the local network and has separate credentials from our network credentials. Therefore, to access Colleague, a user must successfully access the network and then successfully access Colleague – two levels of separate and distinct credentials are required. All VPN access to AACC IT resources (remote access) requires a college-issued computer and MFA. Ellucian applications that access information from Colleague require faculty and staff to provide MFA through Azure single sign-on.
User Requirements:
User Notification Responsibilities:
Students
An MFA opt-in option for students has been tested and will begin in January 2024. Students do not have access to customer information on AACC's system. They do not have access to banking information, nor do they have access to Colleague or any other student's PII.
AACC's decision to permit opt-in MFA for students is based on a careful assessment of security risks, privacy considerations, student success factors, as well as AACC's specific needs and resources. AACC will still promote good security practices and provide guidance on using MFA as a tool to enhance the protection of their accounts and data.
Other factors in this decision include:
Enforcement
Any individual who violates this ITR may lose computer and/or network access privileges and may be subject to remediation and/or disciplinary action in accordance with and subject to appropriate AACC policy and procedures.
Exemptions
MFA is not required where completion of the process hinders student learning and/or where MFA cannot be performed due to the computing environment.
There may be situations in which a member of the College community has a legitimate need to utilize College technology resources outside the scope of this ITR. The Information Security team may approve, in advance, exception requests based on balancing the benefit versus the risk to the College. Exceptions require DIS (Director of Information Security) review and VP-IIT approval to be permanent.
Contingencies
None
Review Process
Information Technology Requirements will be reviewed every 12 months or sooner, if required. Guidelines and Processes will be reviewed every 24 months or sooner, if required.
Guideline Title: Information Technology Asset Management Information Technology Requirement
Guideline Owner: Vice President for Information and Instructional Technology
Guideline Administrator: Director, Information Security
Contact Information: John Williams, [email protected]
Approval Date: Jan. 8, 2024
Effective Date: Jan. 8, 2024
History: Adopted Oct. 13, 2023
Applies to: Faculty, staff and students
Related Policies: N/A
Related Procedures: N/A
Related Guidelines: N/A
Forms: N/A
Relevant Laws: N/A