Internal Resources | News | Announcements | Banner | CARES ACT | Thee Portal | Reset NET ID Password
Give
Internal Resources | News | Announcements | Banner | CARES ACT | Thee Portal | Reset NET ID Password
Give

JSU CYBER AWARENESS

JSU CYBER AWARENESS | Jackson State University > System Access

SYSTEM ACCESS POLICY

 

Abstract: 
JSU must protect and control access to the sensitive Data it creates, collects, stores and process in paper, and electronic  formats in accordance with all applicable federal and state laws and university policies.

Policy Number: 50000.025/ CMMC AC.1.001
Effective Date: 4/22/2023
Review/Revised Date: 4/14/2023
Category: Information Technology
Policy Owner: CIO/Information Technology
Policy Contact: CISO/Information Technology
 

Policy Statement

Jackson State University’s (“JSU” or “University”) Division of Information Technology’s (“DIT”) intention for publishing a System Access Policy for CUI data is to identify how the University will protect access to systems collecting creating , storing and process CUI data.

 

Purpose

NIST SP 800-171 focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations and recommends specific security requirements to achieve that objective. The requirements recommended for use in SP 800-171 are derived from FIPS Publication 200 and the moderate security control baseline in NIST Special Publication 800-53 and are based on the CUI regulation (32 CFR Part 2002, Controlled Unclassified Information).

 

Scope

This policy applies to all organization workforce members and all systems, network, and applications that process, store or transmit CUI. This policy also applies to all vendors, partners, researchers and contractors.

 

Responsibilities

The Chief Information Security Officer is responsible for ensuring the implementation of this policy.

Definitions

    • Information system – a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
    • Information resources – JSU laptops, desktops, printers, scanners, servers, network devices, paper documents, and mobile devices such as smartphones

Policy

All environments involved with CUI must comply fully with the NIST 800-171 standards (either directly or through compensating controls. Jackson State University and its employees, vendors, and contractors will implement the following CUI access control requirements for systems with CUI data:

  • CUI System Access Control
  • 1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
  • 1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.
  • 1.3 Control the flow of CUI in accordance with approved authorizations.
  • 1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
  • 1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
  • 1.6 Use non-privileged accounts or roles when accessing non-security functions
  • 1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
  • 1.8 Limit unsuccessful logon attempts.
  • 1.9 Provide privacy and security notices consistent with applicable CUI rules.
  • 1.10 Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity
  • 1.11 Terminate (automatically) a user session after a defined condition.
  • 1.12 Monitor and control remote access sessions.
  • 1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
  • 1.14 Route remote access via managed access control points.
  • 1.15 Authorize remote execution of privileged commands and remote access to security-
  • 1.16 relevant information
  • 1.17 Authorize wireless access prior to allowing such connections
  • 1.18 Protect wireless access using authentication and encryption
  • 1.19 Control connection of mobile devices
  • 1.20 Encrypt CUI on mobile devices and mobile computing platforms
  • 1.21 Verify and control/limit connections to and use of external systems
  • 1.22 Limit use of portable storage devices on external systems
  • 1.23 Control CUI posted or processed on publicly accessible systems

 

Sanctions/Compliance

Failure to comply with this or any other security policy will result in disciplinary actions as per the Sanction Policy.  Legal actions also may be taken for violations of applicable regulations and laws.

 

Related Standards, Policies, and Processes

Account Management

  • User registration and de-registration
  • User access provisioning
  • Management of privileged access rights
  • Review of user access rights
  • Removal or adjustment of access rights

Access Enforcement

  • Teleworking
  • Access to networks and network services
  • Information access restriction
  • Use of privileged utility programs
JSU CYBER AWARENESS

Location

1400 John R. Lynch Street
Student Center
Jackson, MS 39217-0280

Phone: 601.979.2241