Kansas State University

  1. K-State home
  2. »Policies
  3. »PPM
  4. »3400 Computing and Information Technology
  5. »PPM Chapter 3430: Access Management

Policies

Questions relating to the information in each chapter of the Policies and Procedures Manual should be directed to the office issuing the chapter.

That information is usually located at the end of each chapter.

For policy update questions, please contact policy@ksu.edu.

Access Management

Chapter 3430
Created February 14, 2025

Table of Contents

.010 Purpose
.020 Scope
.030 Definitions
.040 Policy
.050 Roles and Responsibilities
.060 Exception Process
.070 Policy Violations
.080 Periodic Review and Policy Updates
.090 Related Regulations and Laws

This Digital Access Control Policy is intended to control access to its Information Technology Resources and data assets. The University is committed to protecting itself and its students, faculty, and staff from unethical, illegal, or damaging actions resulting from unauthorized data and system access.

.010 Purpose

The purpose of this Policy is to provide protections aimed at preserving the confidentiality, integrity, and availability of university data assets and Information Technology resources. By promoting sound access control requirements outlined in this Policy, the University can help prevent security breaches that could potentially lead to data loss, theft, or exposure.

.020 Scope

This Policy applies to faculty, staff, students, administrators, visitors, and all other users utilizing University Information Technology Resources to access and share information for educational, research, and public service purposes while upholding ethical standards and legal compliance.

Users are required to abide by this policy, and violations may lead to access restrictions, content removal, or other disciplinary or risk mitigation measures.

.030 Definitions

For clarity and to ensure a common understanding of terms used in this policy, please refer to the Glossary of Defined Terms which provides detailed definitions for all key concepts and terminology.

.040 Policy

Access to the University’s information systems is restricted to individuals who have received formal authorization granted through an official process established by the University.

  1. Access Adjustment

    As individuals' relationships with the University evolve or come to an end, their authorized access to systems, services, and data will be modified in strict accordance with the guidelines established by relevant University policies. This ensures the security and integrity of our Information Systems while upholding the principles of accountability and data protection within our academic community.
  2. Identification and Authentication
    1. Single-Sign On: All user access must integrate with the University’s centralized authentication system (SSO) with unique credentials for each user. Systems that are enabled to integrate with the University's centralized authentication system must be identified and approved in accordance with the requirements described in the Exception Management Policy. Legacy systems that cannot interface with SSO should work with the vendor to drive toward a solution that would allow SSO integrations.

    2. Multi-Factor Authentication: The use of multi-factor authentication (MFA) is always recommended. The University requires that all systems containing Sensitive and Restricted data use MFA to prevent unauthorized access to the data. MFA must use a combination of two of the following criteria:

      1. Knowledge – Such as a password
      2. Possession – Such as a token, smartcard, smartphone authenticator application, or other physical authentication mechanism
      3. Inherence – Such as biometric data or fingerprints

    3. Complex Passwords: All user access to internal only, sensitive, and restricted data is required to use strong, complex passwords in compliance with the requirements described in the University's Acceptable Use Policy.

      Any other protocols or authentication methods for accessing sensitive and restricted data must be requested and approved in accordance with the requirements described in the Exception Management Policy.
  3. Access Control
    University systems are required to maintain procedures for providing access to unit managed systems in accordance with University Access Control Standard.
    1. Principle of Least Privilege: All University organizational units are expected to implement the principle of least privilege within their college, division office, department, office, or other unit. The principle of least privilege mandates that users must not receive more access than is minimally required for each individual user to fulfill their duties and responsibilities for their position or role within the University.

    2. User Access Request and Approval: User requests to access internal only, sensitive, and restricted data are required to follow standard workflows described in the Access Management Standard. The University requires that all user access requests be documented and approved by the appropriate Data Steward or designee prior to access being provisioned for the user. The University prohibits the same user from both creating an access request and then approving the same access request.

      When possible, access to university systems may be automatically provisioned. Automated provisioning of access provisioning must be triggered by another University Information Technology Resource process, such as updates to a user’s job title in the University's HR system.
    3. Access Removal: All user access must be terminated in a timely fashion upon a role change, transfer, change in enrollment status, or termination of employment to prevent unauthorized access to University Information Systems. Current guidelines and information about separating from the University can be found at Leaving K-State.

    4. Role-Based Access Control: All University Information Technology Resources containing internal only, sensitive, and restricted data must have clearly defined access roles based on job functions and responsibilities within the University. Each role will have specific access permissions that are strictly associated with the duties of that role only.

      New roles or modifications to existing roles must be approved by the relevant Data Steward to ensure they align with organizational needs and security requirements.
    5. Separation of Duties: Roles must be designed to prevent conflicts of interest. High-risk tasks must be divided across multiple roles (separation of duties) to ensure that no singular role has complete control over a high-risk process. For example, this would restrict a single user from both creating an access request and approving the access request.
  4. Access Monitoring and Review

    Regular Audits: Data Stewards must ensure that regular audits of access role definitions, access controls, and access permissions provided to users are performed periodically in order to verify compliance with this policy, assess the validity of exceptions granted, and identify any access that is not provided in accordance with this policy.

    Roles and their associated access rights must be reviewed and recertified at least annually, or more frequently when Sensitive or Restricted data is involved, to ensure that unauthorized access to university data does not occur.

  5. System Use Notice

    Before a user gains access to a University endpoint, a general system notice must be displayed that welcomes user and identifies it as a University Information Technology Resource, warns against unauthorized use of the computer, and indicates that the use of the system implies consent to all relevant University policies. The general system use notice should also be displayed before a user gains access to a university information system, where possible. Please refer to the Authorization and Access Control Standard for the System Use Notice verbiage.

  6. Privileged Access

    Users with job responsibilities that require a higher level of access to sensitive and restricted data pose a risk to the university if these accounts are misused or misappropriated. All requirements outlined in this policy are applicable to privileged use accounts.

    In accordance with the Principle of Least Privilege, privileged use accounts must only be used for tasks that require the use of a privileged use accounts. As a result, users may use a privileged use account for only specific tasks requiring this elevated level of access. Additionally, once a user no longer requires elevated privileges within any given Information Technology Resource, their privileged access must be terminated promptly upon completion of the specific, privileged tasks to prevent misuse.

    Privileged accounts, like any University user account, must never be shared between multiple University users. Any exception must be requested and approved in accordance with the requirements described in the Exception Management Policy. If an exception is granted in accordance with the terms of the Exception Management Policy, protocols must be established to trace each action performed by a privileged user back to an individual person. 

    When utilizing privileged accounts to access University Information Technology Resources, users are required to maintain an active connection to the Univerity’s network. If privileged account access is required when a user is not physically located on campus, the user must connect to the University virtual private network (VPN).

    Users should not have administrative privileges on their university-owned device(s) unless the configuration of the system is directly within the scope of their job duties.

.050 Roles and Responsibilities

The Chief Information Officer (CIO) is responsible for the implementation, oversight, and maintenance of this policy. The Vice President for Administration and Finance is responsible for the final approval of this policy.

Any questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Chief Information Officer.

.060 Exception Process

Exceptions from this policy must be approved as described in the K-State Exceptions Management Process.

.070 Policy Violations

To report any alleged violation of this policy or overall questions regarding this policy should be sent to the Chief Information Officer.

Failure to comply may result in sanctions as defined in the K-State Sanctions Procedure. Violations may lead to disciplinary actions, up to and including discharge, dismissal, suspension or expulsion, legal actions, and criminal investigation or prosecution.

.080 Periodic Review and Policy Updates

To ensure relevance and compliance with evolving regulatory, technological, and operational standards, this policy should undergo a comprehensive review at least annually in accordance with the requirements described in the Policy on Policies. During this review, necessary updates will be made to reflect any new legal requirements, organizational changes, or external factors impacting policy efficacy.

.090 Related Regulations and Laws

  • State of Kansas, ITEC Information Technology Policy 7230 Enterprise Security Policy
  • State of Kansas, ITEC Information Technology Standards & Guidelines 7230A IT Security Standards