INDEX PURPOSE REASON FOR POLICY ENTITIES AFFECTED DEFINITIONS POLICY STATEMENT ROLES AND RESPONSIBILITIES COMPLIANCE AND TRAINING REQUIREMENTS EXCEPTIONS APPROVALS RELATED DOCUMENTS REVIEW AND REVISION HISTORY To establish a robust framework for the identification and authentication of users accessing KCTCS systems, ensuring the protection of digital assets, the confidentiality of KCTCS institutional data, and compliance with federal and state law, and accreditation requirements, including but not limited to: - NIST SP 800-63, Digital Identity Guidelines
- NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems
- NIST SP 800-53, Security and Privacy Controls for Federal Information Systems
- Gramm-Leach-Bliley Act (GLBA) Safeguards Rule
- FERPA and Payment Card Industry Data Security Standard (PCI DSS) requirements
The KCTCS Identification and Authentication policy mandates proper user verification, requires the use of Multi Factor Authentication for all KCTCS active users, and outlines all acceptable authentication methods for users. This policy applies to all individuals and entities who interact with organizational systems, data, or resources requiring identity verification and authentication. This includes all KCTCS employees, students and third-party affiliates. - Third Party Affiliate: Any individual who is authorized to access KCTCS system resources that is not an employee/student
- Multi-Factor Authentication (MFA): An authentication method that requires a KCTCS user to present two or more verification factors from distinct categories — something they know (e.g., a password), something they have (e.g., a hardware token or mobile authenticator), or something they are (e.g., a biometric) — before access to a system or resource is granted.
- Single Sign-On: An authentication mechanism that allows a KCTCS user to authenticate once with a central identity provider and gain access to KCTCS system resources and/or applications without re-entering credentials for each.
- Security Information and Event Management (SIEM): A security platform that aggregates and correlates log and event data from across an organization's IT environment — including endpoints, network devices, applications, and identity systems — to support real-time threat detection, security monitoring, alerting, and forensic investigation.
All users must authenticate their identity using secure, approved methods before accessing KCTCS systems, data, or resources. The following core provisions establish mandatory requirements for identity and authentication: - Unique User Identification: Every individual shall be assigned a unique user ID that cannot be shared, reused, or reassigned without approval from IT Security. Generic or shared accounts are prohibited.
- Multi-Factor Authentication (MFA): MFA must be enabled for all KCTCS employees, students, and third-party affiliates and enforced for all access to sensitive systems, applications, or data classified as moderate or high risk.
- Password Requirements: All users will comply with KCTCS' password requirements.
- Access Management:. Users shall only be granted the minimum level of access necessary to perform their assigned job duties.
- Temporary access for third party affiliates shall require sponsor approval, be granted for a defined period, and be subject to recurring review, with access expiring unless affirmatively extended by the sponsor.
- Secure Authentication Methods: Only organization-approved tools (e.g., single sign-on (SSO) systems, hardware tokens, or biometric scanners) may be used. Self-service password resets must include identity verification steps.
Vice President of Technology Solutions The Vice President of Technology Solutions serves as the executive authority responsible for the strategic governance and institutional oversight of the identity and authentication framework. KCTCS Senior Information Security Officer or Designee - Oversee the overall strategy and governance of the policy, ensuring alignment with enterprise risk management.
- Initiate policy updates based on emerging threats or regulatory changes.
- Approve exceptions to the policy based on a clear business need and acceptable residual risk.
- Coordinate cross-functional audits and incident response related to identity and authentication breaches.
KCTCS System Office Security Team / KCTCS Enterprise Admin Team - Design, deploy, and maintain authentication technologies (e.g., multi-factor authentication [MFA], single sign-on [SSO], and identity access management [IAM] systems).
- Conduct regular vulnerability assessments and penetration testing on authentication mechanisms.
- Monitor for suspicious authentication activities using tools like SIEM (Security Information and Event Management) and enforce automated lockouts or alerts.
- Provide training and awareness programs on secure authentication practices for all users.
KCTCS IT STAFF (All Colleges) Integrate authentication protocols (e.g., OAuth, SAML) across applications, networks, and cloud services. KCTCS Human Resources - Ensure all new hires complete mandatory identity verification and initial authentication setup during onboarding.
- Notify designated IT/Security teams within 24 hours of employee termination, role changes, or transfers to trigger access revocations.
- HR or the employee's direct manager is responsible for notifying designated IT/Security teams on the effective date of any employee termination, role change, or transfer. Upon receipt of notification, IT/Security teams must promptly revoke or modify all system access, accounts, and permissions associated with the affected employee, including but not limited to network access, applications, email, and privileged accounts. All access changes must be documented and retained for audit purposes.
KCTCS End Users/Employees - Adhere to authentication requirements, such as using strong, unique passwords and enabling MFA for all KCTCS employees, students, and third-party affiliates.
- Shall not share credentials for any reason.
Information Security Department – Target Audience – All employees and students - Annually: Interactive online modules (1-2 hours) including simulations for phishing and MFA scenarios.
- Monthly: Security newsletters promoting security tips and guidance for securely managing data at KCTCS
Non-compliance may result in access suspension, and/or disciplinary action, up to and including, or termination. Exceptions may be considered in the following scenarios. A written request must be submitted in writing to the Vice President of Technology Solutions and/or their designee. The request shall be reviewed and a decision to grant or deny the request will be made. The request must demonstrate a clear business need and acceptable residual risk. Examples include: - Technical Constraints: Incompatibility with legacy systems or third-party applications essential to KCTCS operations where immediate upgrades are infeasible without disrupting workflows.
- Operational Necessity: Short-term exemptions during high-impact events, such as system migrations, natural disasters, or time-sensitive grant deadlines, where alternative authentication delays critical access.
- Regulatory or Legal Overrides: Mandates from external authorities (e.g., federal funding requirements or international data transfer laws) that supersede standard policy controls.
- Accessibility Accommodations: Individual accommodation requirements under applicable law, including the Americans with Disabilities Act (ADA), such as alternative authentication methods for users with disabilities (e.g., voice-based authentication).
Exceptions shall not be granted for convenience, cost savings alone, or repeated non-compliance. Approved by President Quarles and PLT on June 24th, 2026. Nothing currently applicable in this section. Initial Approval of the Policy: June 24th, 2026. Next Scheduled Revision, on or before June 24th, 2029. | |
|