- Introduction and Principles
  - To protect the integrity and confidentiality of institutional data, Chattanooga State shall control access to information technology resources based on the following three security principles:
    - Individual Accountability: Every user must be uniquely identified so that actions can be traced to a specific individual.
    - Least Privilege: Access rights shall be limited to the minimum permissions necessary for a user to perform their job duties.
    - Need to Know: Access is granted only for the information required to fulfill authorized institutional functions.
- Scope
  - This policy applies to all students, faculty, staff, contractors, and guests who are permitted access to College systems or data, including access through personal equipment.
- Identification and Authentication
  - Unique Identification: Every authorized user will be assigned a unique identification. Generic or shared accounts should be avoided when possible. When shared credentials are unavoidable, users must share them through a password manager that keeps auditable logs of the usage of the shared credentials.
  - Multi-Factor Authentication (MFA): MFA is required for all users accessing public-facing critical systems, including email, VPN, and the institutional ERP.
  - Credential Protection: Users are responsible for all activity performed under their account and shall not share passwords or MFA methods with others.
- Password Standards
  - The Technology Division publishes and maintains a procedure specifying complexity requirements for passwords or alternative approved user authentication methods. This procedure will be updated to reflect guidance from the National Institute of Standards and Technology and the Tennessee Board of Regents.
- Account Lifecycle Management
  - Provisioning: Access is granted based on automated triggers from data initially entered into the ERP during the hiring process (for employees) or the admissions process (for students).
  - Changes in Roles: As individuals change roles within the College, their access will be adjusted accordingly. Examples include (but are not limited to) employees with interim assignments, employees changing jobs entirely, employees serving as adjunct instructors, employees enrolling in classes as students, and students accepting employment on temporary contracts. An individual’s access profile at any given time should reflect only their active roles.
  - The specific access to be granted as roles are assigned (and revoked as those roles are unassigned) is specified by relevant data owners / data custodians across the College and implemented by the Technology Division.
  - Revocation: Individuals with no remaining active roles will have all access revoked.
  - Periodic Cleanup: In addition to adjusting access in real time as roles change, the Technology Division will conduct periodic cleanup efforts to confirm that users’ current access matches their approved roles.
——————————————————————————–
References:
1. TBR Policy 1.08.03.00 (Digital Identity, Authentication Management, and Access Control)
2. TBR Policy 1.08.01.00 (Enterprise Information Systems Updates)
Submitted to Policy Review Committee on March 2, 2026
Submitted to Policy Review Board on April 13, 2026
Approved by Policy Review Board on April 29, 2026
Previous Versions:
Approved by Policy Review Board on November 20, 2024
Approved by the Policy Review Board on April 13, 2022
Approved by Policy Review Board on April 21, 2021
Approved by Policy Review Board on July 31, 2019
Approved by Policy Review Board on December 6, 2018 as Policy 08:13:01, Computer Passwords