Effective date: 06/1/2022

Last update: 03/04/2024

Purpose

This Service Requirement describes the University's requirements for access controls of Information Technology (IT) systems and services. Access controls are designed to minimize the potential exposure to the University resulting from unauthorized use of computing resources and to preserve and protect the confidentiality, integrity and availability of University networks, systems and applications.

Never share your credentials, password or other sensitive information and do not respond to emails that request access to your MultiPass ID, password, secret questions, or other personal information. Â鶹ֱ²¥'s Computing and Technology Services (CTS) team will NEVER ask for your MultiPass password or other personally identifiable information.

Scope

This Service Requirement applies to all students, employees, affiliates or other members of the community who connect to servers, applications or network devices that transmit Â鶹ֱ²¥ Restricted Data per the CTS Data Governance Service Requirement. All servers, applications or network devices that contain, transmit, or process Duquesne University Restricted Data are considered "High Security Systems".

Service Requirement

Segregation of Duties

Access to High Security Systems will only be provided to users based on business requirements, job function, responsibilities, or need-to-know. All additions, changes, and deletions to individual system access must be approved by the appropriate supervisor and the CTS Service Owner or Banner Module Owner, with a valid business justification. Account creation, deletion, and modification as well as access to protected data and network resources are implemented as defined in the CTS Account Administration Guide.

On an annual basis, CTS will audit all user and administrative access to High Security Systems. Discrepancies in access will be reported to the appropriate supervisor in the responsible unit, and remediated accordingly.

User Account Access

User Access

All users of High Security Systems will abide by the following set of rules:

  • Users with access to the configuration and permissions of systems and services should utilize a separate unique account (when possible), different from their normal University account. This account will conform to the following standards:
    • The password will conform, at a minimum, to the published CTS Credential and Passwords Service Requirement.
    • Inactive accounts should be disabled after 90 days of inactivity.
    • Access should be enabled only during the time period needed and disabled when not in use.
    • Access will be monitored when account is in use.
  • Users will not login using generic, shared or service accounts.
  • Third Parties with remote access to University premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each user.

Administrative Access

  • Administrators will abide by the CTS Privileged Access Service Requirements.
  • Users will abide by the above user access guidelines
  • Administrators will immediately upon notice revoke all of a user's access to systems or services when a change in employment status, job function or responsibilities dictate the user no longer requires such access.
  • All service accounts should be used by no more than one service, application or system.
  • Administrators should not extend a user group's permissions in such a way that it provides inappropriate access to any user in that group.
  • All servers, applications and network devices are recommended to utilize a login banner that displays the following content:

Duquesne's computer networks and systems are solely for authorized uses supporting the University's Mission of education, research, and service. Uses that contradict the University's mission are strictly prohibited and may result in monitoring of use, denial of access, and/or disciplinary measures adding up to and including dismissal or termination. By connecting to Duquesne's computer networks and systems, you agree to use these resources strictly for their intended purpose.

Remote Access

All users and administrators accessing High Security Systems must abide by the CTS Information Security Requirements for Remote Access.

Third Party Access

  • Any third-party, non-Duquesne affiliate that requires remote access to High Security Systems for support, maintenance or administrative reasons must designate a person to be the Point of Contact (POC) for their organization. In the event the POC changes, the third party must designate a new POC.
  • All third-party access to High Security Systems must be approved by the privileged access process.
  • Third parties may access only the systems that they support or maintain.
  • All third-party accounts on High Security Systems will be disabled and inactive unless needed for support or maintenance. Requests for enabling access must be requested in writing. Requests for access outside of this policy must be approved by the CIO or CISO. CTS will be responsible for enabling/disabling accounts and monitoring vendor access to said systems. All third parties with access to any High Security Systems must adhere to all regulations and governance standards associated with that data (e.g., PCI security requirements for cardholder data, FERPA requirements for student records, HIPAA requirements for Protected Health Information). Third party accounts must be immediately disabled after support or maintenance is complete.
  • Data should not be copied from high security systems to a user's remote machine.
  • Users will abide by the above user access guidelines.

Physical Access

All CTS data centers will abide by the following physical security requirements:

  • Video surveillance will be installed to monitor access into and out of CTS data centers.
  • Access to CTS data centers will be accomplished through the use of electronic badge systems and/or biometric systems.
    • Only the Facilities Department, Public Safety, CTS Storage Systems, and Networks Services will have physical key access.
     
  • Physical access to CTS data centers is limited to CTS personnel, designated approved departmental employees or contractors whose job function or responsibilities require such physical access.
  • Visitors accessing CTS data centers will be accompanied by authorized CTS personnel, and all access will be logged via the CTS Data Center Visitor Access Log.
    • This log will be stored at each CTS Data Center.
    • Each visitor, and accompanying authorized CTS personnel, must sign in and out of the data center
    • The log will be kept for a minimum of 3 months.
     
  • Modification, additions or deletions of physical access to CTS Data Centers will be accomplished by utilizing a ticket to the CTS Accounts Workspace in FootPrints.
  • All terminated onsite personnel and expired visitor identification (such as ID badges) will have their access revoked immediately.
  • Physical access requires the approval of the CTS Storage Services Team.
  • The CTS Infrastructure Services Director will audit physical access to CTS data centers on an annual basis.

Enforcement

The unauthorized or improper use of Â鶹ֱ²¥'s technology environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to TAP 26 - Computing and Ethics Guidelines

The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.

Definitions

CTS Service Owner:

Banner Module Data Owner: The individual responsible for the administrative oversight of a given DU-IT Banner System or specific modules within the DU-IT Banner System - - Finance, Advancement, Human Resources, Financial Aid, Student Admissions and Recruiting, Student Registration and Student Accounts - - and ultimately responsible for the data within said module/system.