ITR003 – Account Access and Password Rule
Purpose
This Information Technology Rule defines the parameters for information technology services account access and credential use at Lincoln Public Schools.
Account Access
Staff is provided account access based on employment status and job function. Access should be granted by automated procedures based upon data from the system of record for the user role. For staff, the source system is the district Enterprise Resource Planning environment (CORE). For students, the source system is the district SIS (Synergy).
Systems/Applications requiring access to be granted outside of district automated procedures require a waiver as specified in ITR002. In cases where a waiver is granted, the access must be monitored and reviewed annually, at a minimum, by the identified system/application sponsor.
Access is provided using the principle of least privilege. Access privileges for applications and systems must be used only where required to perform necessary job functions.
Administrative access changes must be submitted to and approved by the Information Security Office.
Access to an account is exclusively granted to the assigned user. Users may not sign in to any system and allow another person to use their account. Users also may not extract/export sensitive or confidential data from a district enterprise system and provide it in any form to unauthorized persons or systems.
Password Rules
Users may not share their password and/or other access credentials with any other person, nor use another user’s access credentials. Users are required to keep their password and/or other access credentials secret. To this end, users must not store their password in an insecure fashion. Secure password managers that store passwords with strong encryption are permissible.
If a user suspects that their password or other access credentials are known by another person, or their account is otherwise compromised, the compromise must be reported to Computing Services, and the credentials must be changed immediately.
What does this mean to me?
Staff are provided an account based on their role in the district. No one else should access an employee’s account. No staff member should sign in to any system for another person. No one should share sensitive or confidential information from a district system with anyone else, unless that person also has access to the system and has a role that would grant them access to the same data.
For example:
- Staff should never use their password to allow students to access filtered web pages.
- Staff should not use data from Synergy to benefit their own children, or share the information with other parents.
- Staff should never export data from a source system like Synergy and share it via an alternative method/system with individuals who don’t already have access to the same data on the source system. In some instances (for approved research purposes, for example), anonymized data may be shared via alternative methods/systems.