IT access controls prescribe who or what computer process may have access to a specific IT resource, such as a particular software program or database. For example, access controls can be implemented to limit who can view electronic files containing employee names and Social Security numbers. The first step in implementing adequate access controls is determining what level and type of protection is appropriate for various resources (e.g., data) and who needs access to those resources. The objectives of limiting access are to help ensure:

• Outsiders (e.g., attackers) cannot gain unauthorized access to your systems or data;
• Access to sensitive resources (e.g., operating systems, security software programs) is limited to very few individuals who have a valid business need for such access; and
• IT users are restricted from performing incompatible functions or functions beyond their responsibilities.

There should be written procedures in place for granting, changing and revoking access to the network, individual computer systems and specific software applications. These procedures should establish who has the authority to grant or change access (e.g., department manager approval) and allow users to access only what is necessary to complete their job duties and responsibilities. Furthermore, you should establish and follow a process for revoking access by immediately disabling unneeded user accounts and removing unneeded user permissions. For example, former employees’ accounts should be disabled on the day they leave local government or school employment and transferred employees’ permissions should be adjusted on the day the transfer is effective.

You should periodically compare the list of current active employees (i.e., employee master list) to the list of network user accounts to determine if user accounts belong to current employees. Any user account not belonging to a current employee should be evaluated and any account that cannot be associated with an authorized user or process should be disabled. After an account is disabled, any files associated with that account should be moved to a secure file server for analysis by IT or management personnel. Where possible, system administrators should monitor attempts to access disabled accounts through audit logging.

Access should be assigned within the network based upon what resources users need to complete their job duties and responsibilities. For example, if there are shared folders on the network, users within the highway department should only have access to the folders they need, which would most likely not include the personnel department’s folders. Likewise, individuals with accounting duties should only have access to the portion of your financial accounting system they need to perform their job.

To help ensure individual accountability within the network, every user should have and use their own network user accounts (usernames and passwords). Likewise, to help ensure individual accountability within software applications, every user should have and use their own application user accounts (usernames and passwords). If users share accounts, accountability could be diminished and activity in the system may not be able to be traced back to a single user.

Also, users should be able to set their own passwords. If passwords are set for users, there is limited accountability because someone else knows the password.

Holding passwords to certain requirements makes them more difficult to crack or guess. Current industry standards for password security highlight the need for long and unique passwords that:

• Are different from passwords used for other systems; 
• Do not match lists of common, expected, previously used or compromised passwords; 
• Are complex and difficult to guess.

Schools should be aware that State Education Law and Regulations14 require student PII be password protected when transmitted electronically to parents or eligible students.

¹⁴ Education Law Section 2-d(3)(b)(3); 8 NYCRR 121.12(f)

The Information Technology Governance LGMG can be downloaded at https://www.osc.ny.gov/files/local-government/publications/pdf/information-technology-governance.pdf