1.0 Purpose
The College is responsible for assuring the integrity of its computer systems, applications, and utilities. This Policy and Procedure covers all stages in the life cycle of user account credentials, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. In addition, the procedures, where appropriate, will address the need to control the allocation of privileged access rights, which will allow users to override system controls.
2.0 Policy
The College will grant access using the principles of separation of duties and least privilege as required by VCCS IT Security Standard 9.2.3. Separation of duties refers to dividing roles and responsibilities such that a single person cannot subvert a critical process. Least privilege refers to granting a user only those accesses that they need to perform their official duties.
The College prohibits the sharing of individual user account credentials; therefore, each person is assigned a unique user account which is prohibited from being shared with or "recycled" for use by another person at any point in time. Individual user account credentials must never be provided to another person for any reason. Additionally, session sharing (the act of allowing another person to use your active user account session after completing a secure login to a device or system) is prohibited.
All new College employees and affiliates being provisioned an individual user account must complete security awareness training within 30 days of their initial onboarding date as well as ongoing security awareness training at least annually. All user account holders must complete the required security awareness training to keep their user accounts active.
An annual audit of user account access will be conducted with supervisors and data owners to verify user account provisioning remains accurate and applicable to the user account holder’s position and duties.
In addition, user accounts found to be dormant for at least 60 days will be disabled and their status within the access management system marked as suspended.
3.0 Procedures
3.1 College Network and Systems Access
The College provides access to the College network and systems to College Employees. As required, College affiliates, such as contractors, third-party users, or volunteers, are provided limited access to the College network and systems. The access provisioned to College affiliates shall be based on their required duties pursuant to the associated agreement and contingent upon the completion of appropriate documentation such as a Non-Disclosure Agreement or Acceptable Use Agreement.
3.1.1 College Employee User Account Types
Staff and full-time faculty user accounts are provided Microsoft Office 365 applications including email as well as access to the shared drives, SharePoint, and a personal drive. If an employee is designated as staff or full-time faculty, this status overrides any other status at the college and the user account shall be configured accordingly for this user account type.
Part-time faculty are only granted access to email and SharePoint. These employees are not issued an individual computer; instead, desktops are available in the adjunct offices and other shared spaces.
Work study students and interns do not get an Office 365 email account, nor should they have access to any of the systems with confidential information. Work study students use their existing VCCS user accounts to log in to the College network and systems as provisioned. In the event special privileges are needed, a work-study account for that work study will be created.
Emeritus accounts may not be created or used per VCCS IT Security Standard 9.2.6.
3.1.1.1 LAN Account Creation and Disabling
Access to systems is managed through an access management system. The general steps are as follows:
HR (Human Resources) enters all College employees and affiliates into the access management system.
Responsible supervisors must use the access management system to submit access requests.
When the supervisor selects Network Account/Email the system administrator is notified by email to create the user account. The user account will not be enabled until the start date entered by HR.
The supervisor also starts the checkout process in the access management system when employment is terminated or requests temporary suspension (such as an adjunct not working during a semester). HR will be the backup for this process and initiate the checkout request if the supervisor does not.
3.2 VCCS Enterprise and State Systems Access
GCC allows access to VCCS Enterprise and State Systems to College Employees and affiliates that require access to enterprise applications based on the user account holder’s position and duties.
The responsible supervisor must submit any user account access requests using the access management system.
The assigned data owner receives a notification email from the access management system and must approve access.
Access to any State of Virginia system is initiated by the Vice President of Administrative Services or Human Resources Manager.
The responsible supervisor is notified when access to each system is complete and is expected to coordinate training for the user account holder in the specific applications requested.
3.3 Employee with change in duties
Per VCCS IT Security Standard 9.2.6, access must be removed within 5 business days upon an employee leaving employment or changing roles. When an employee has a change in duties, the employee’s supervisor is required to coordinate with Human Resources to remove the access provided from their former position via the access management system within 3 business days.
For the start of the employee’s new role, HR will enter a new supervisor when required and the new supervisor will be required to use the access management system to request new access.
3.4 Terminated Employees
Per VCCS IT Security Standard 9.2.6, upon notification of voluntary termination from Human Resources, Technical Services will complete the checkout process via the access management system no later than two business days from notification. In order to meet the above deadline, the employee’s supervisor must notify HR of employee termination within 3 business days. In the event of involuntary termination, the Associate VP of Human Resources (or their designee) shall communicate with and receive acknowledgement from the Manager of Technical Support Services and Manager of Application & Infrastructure for the employee’s immediate removal from systems.
3.5 Temporary Leave of Absence of an Employee
Per VCCS IT Security Standard 9.2.6, if an employee is expected to be absent from work for a prolonged period of more than 30 days, HR shall communicate with and receive acknowledgement from the Manager of Technical Support Services and Manager of Application & Infrastructure. HR will provide the name of the employee and the last day worked. HR is expected to update the Onboarding/Offboard system providing the return-to-work date at least three business days before the employee returns to work. Technical Services Managers will ensure system access is disabled throughout the prolonged period of leave.
3.6 Employee Disciplinary Action
The Associate VP of HR (or their designee) will immediately notify the Manager of Technical Support Services and the Manager of Applications & Infrastructure if an employee has received a disciplinary suspension that is greater than one day. All user account access, including College Network and VCCS Enterprise, will be disabled until the Manager of Technical Support Services and the Manager of Applications & Infrastructure are informed by the Associate VP of HR (or their designee) that access can be enabled.
3.7 College Network Administrator User Access
College Network Administrator user account access is restricted to the Manager of Technical Support Services, Lead Techs, and VCCS Shared Engineer(s). Short-term user account access will be documented for Technical Service vendors/contractors for specific projects upon approval by the CTO. The College Network Administrator user account is unique and separate from a standard user account and may only be used to perform functions needing privileged access. Day-to-day operations should always be performed using a standard, non-privileged user account.
3.9 Service and Hardware Account Access
Service and Hardware accounts are created by domain administrators when needed by network applications. These accounts are documented. Default passwords may not be used. Service accounts will be vaulted in a password manager solution. Service accounts not automatically rotated by the password manager solution must be manually changed at least annually.
3.10 Workstation Administrator Account Access
Local Administrator accounts for workstations will be vaulted in a password manager solution. Workstation Administrator Account Service accounts not automatically rotated by the password manager solution must be manually changed at least annually. Access to these accounts must be restricted to Technical Services’ employees whose position and duties require them.
3.12 User Account Audits
3.12.1 Annual Audit of All User Accounts
An annual audit of user account access will be conducted with supervisors and data owners to verify user account provisioning remains accurate and applicable to the user account holder’s position and duties. This annual audit will apply to all College, VCCS Enterprise, and State systems. Certification of a complete audit is required to be completed within the current fiscal year.
3.12.2 Audit of Dormant User Accounts
To comply with cybersecurity requirements, Technical Services will run a report each month listing any user account that has not logged into their Germanna email within the last 30 days to identify Dormant User Accounts.
Any user accounts identified as dormant will result in notifications to the HR office, the College employee or affiliate, and the responsible supervisor informing them of their user account status. Per GCC Employee Email Policy 50100, supervisors are responsible for ensuring College employees and affiliates use their Germanna email for work related communications in a timely manner and continued inactivity will result in further action.
Any user account identified as dormant for another 30 days beyond the initial 30-day notification (for a total of 60 days of no activity) will result in the suspension of access to College Network / Email and Google / Canvas. The responsible supervisor will be notified at least five business days before the suspension occurs.
Once a user account is disabled due to being dormant, the user account holder’s status within the access management system will be changed to Suspended by the ISO. If user accounts disabled due to being dormant are not restored through corrective action within an additional 30 days (90 days in total of being dormant), the college account and resources will be deallocated.
A user account holder can have their access restored via a Technical Services Help Desk request submitted by the responsible supervisor. The user account holder may need to complete additional training as identified by the ISO once access is restored.
3.12.3 Audit of Security Awareness Training Compliance
To comply with VCCS IT Security Standard 7.2.2 that requires the completion of security awareness training, Technical Services will audit the completion of security awareness training for all College employees and affiliates being provisioned an individual user account. All user account holders are required to complete training within 30 days of hire. Additionally, annual training will be provided to all user account holders which must be completed within 30 days of assignment.
Notifications of security awareness training completion due dates are provided to user account holders periodically with additional notifications to the responsible supervisor indicating when the employee is overdue and noncompliant with the training requirement. Recurring reminders of training requirements will be sent to the user account holder and responsible supervisor while non-compliant.
After 15 days of non-compliance with the security awareness training requirement (a total of 45 days after training is assigned), Technical Services will provide Cabinet with a list of user account holders that have still not completed the required training. 15 days after providing this list to cabinet members (a total of 60 days after training is assigned and 30 days out of compliance), Technical Services will suspend the user account holder’s access to College Network / Email and Google / Canvas.
The responsible supervisor will need to contact Technical Services to restore the user account holder’s access for the purpose of completing security awareness training. If training is not completed within 3 business days of restoring access, the previous step of user access suspension will be applied again with communications going to HR and the responsible supervisor.
4.0 Definitions
-
5.0 References
CIS Safeguard 5.3
VCCS IT Security Standard 7.2.2 Information Security Awareness and Training
VCCS IT Security Standard 9.1 Business Requirement for Access Control
VCCS IT Security Standard 9.2 User Access Management
VCCS IT Security Standard 9.3 User Responsibilities
VCCS IT Security Standard 9.4 System and Application Access Control
SOP 9.2-1 Access Control
SOP 18.2 Security Audit and Control Process
GCC Employee Email Policy 50100
6.0 Point of Contact
Vice President of Administrative Services
7.0 Approval and Revision Dates
Cabinet:
Leadership Council:
First Reading – 10/30/2025; Approval - Date 11/21/25