Identity Management Acceptable Use Policy

Purpose

The Colorado Department of Education (CDE) Identity Management System maintains user IDs to protect sensitive information which is proprietary and as such requires protection under the provisions of the Privacy Act of 1974 and the Family Educational Rights and Privacy Act (FERPA). The purpose of this policy is to establish a standard to protect information received; collected, and developed or used by CDE information systems in order to protect this information from unauthorized access, use, or disclosure of information stored therein.

The CDE user ID is your private key to a variety of online services provided to you by CDE. It is intended to ultimately become a single sign-on for all CDE information services, eliminating multiple different logins and passwords necessary to interact with CDE systems.

It is the responsibility of each person to use these information systems appropriately and in compliance with all CDE policies, as well as federal, state, and local laws. Access is a privilege which can be revoked due to misuse. By using your CDE User ID to access services, the user agrees to the terms and conditions of this Acceptable Use Policy, related CDE computer use policies and other applicable, legal and regulatory compliance requirements.

Scope

This policy applies to all users (e.g., teachers, staff, and administrators) who access and/or use the CDE Identity Management System. All users must agree to and comply with this policy. [Reference Colorado Information Security Act (C.R.S. 24-37.5, Part 4) and State of Colorado Cyber Security Program P-CCSP 001, dated December 20, 2006]

This policy applies to all users who have access to Confidential Free and Reduced-Price Information as allowed by Section 9(b)(2)(C)(iv) of Public Law 103-448 for the Child Nutrition Program. Children's names and eligibility status for free or reduced-price meals may be disclosed, without consent, to persons directly connected with the administration or enforcement of only federal and state educational programs administered by CDE. A child's name, grade, and free and reduced-price eligibility information may also be released to authorized school officials for purpose required by the No Child Left Behind Act (NCLB) as authorized by the National School Lunch Act (NSLA). Further disclosure or unauthorized use is prohibited. A person, who publishes, divulges, discloses, or makes known in any manner, or to any extent not authorized by federal law any information obtained under this provision may result in a fine of not more than $1,000 or imprisonment of not more than one year, or both, as stipulated in the NSLA.

Individual Responsibilities

CDE has adopted the following policies with respect to user IDs:

• Enabled services may not be altered nor extended beyond their intended use by unauthorized individuals.
• The user ID may not be used to provide access to CDE information systems for purposes other than those which are in direct support of the mission of CDE.
• The user ID may not be used to obtain/provide access to students' personally identifiable information unless the user has a legitimate educatio nal interest in the information.
• The user ID may not be used to provide access to CDE services by anyone other than the authorized registered user.
• Users may not forge, alter, use, act on behalf of, or otherwise represent another's identity through any form of communication.
• Users may not share passwords, use another person's user ID, even with permission, or allow use of an established connection by someone other than the registered user.
• Users may not use user IDs or enabled services in an attempt to circumvent protection schemes or exercise security loopholes in any computer or network component.
• CDE recognizes that proper management and use of user IDs are basic requirements for protecting CDE information systems and Personally Identifiable Information (PII) stored therein. All entities shall adopt processes to ensure that access is administered properly. All delegated administrators that create user IDs are required to manage the accounts in accordance with the access management processes and the requirements of this CDE Identity Management System. Delegated administrators are required to review, remove and/or disable accounts at least twice annually, or more often if warranted by risk, to reflect current user needs or changes on user role or employment status.
• Users who are delegated administrators of the user IDs must comply with the principle of least privilege, which means users are only granted access to perform their required job duties.
• Users who are delegated administrators of the user IDs and the enabled services have the additional responsibility to respond to any use of their services which is in violation of this Acceptable Use Policy. Delegated administrators must take steps to prevent recurrence of such violations and report these violations to CDE immediately.
• Any receipt, retransmission or destruction of software or data accessed via a CDE enabled service must observe copyright laws, license restrictions and CDE policies.
• Viewing, copying, altering or destroying any data, or connecting to a host via an enabled service without explicit permission of the owner is a violation of this policy.
• CDE enabled services may not be used for commercial or profit-making enterprise. Use of these resources for commercial gain is in violation of the non-profit status of CDE and Federal grant guidelines.
• Access, use or disclosure of sensitive information must be necessary to the performance of the responsible individual’s job duties and function and must be expressly authorized. Unauthorized access to, use of, or disclosure of sensitive information is strictly prohibited.
• Sensitive information shall not be displayed or otherwise made available or accessible to unauthorized persons. This rule applies, without limitation, to Social Security Numbers (SSN) contained in document images on workstations, and to other personal and or confidential information, such as Date of Birth (DOB), Driver License Number etc.
• All users (e.g. teachers, staff, administrators, and sponsored guests) are required to abide by all regulations mentioned herein when using these resources.

Violations of this Acceptable Use Policy will be adjudicated, as appropriate, by CDE and their legal representation. Sanctions as a result of violations of these regulations may result in the loss of access privileges; and/or prosecution under applicable civil or criminal laws.

If you would like further information on this Acceptable Use Policy, you may contact CDE Identity Management at cdeIdM@cde.state.co.us.

Reports of abuse or violations may be sent to CDE Identity Management at cdeIdM@cde.state.co.us.

Definitions

Delegated Administration:

Delegated administration refers to a decentralized model of role or group management. In this model, the application or process owner creates, manages and delegates the management of roles. CDE Identity Management operates the centralized directory, metadirectory, web interface for administration, and related components.

Owner:

Entity that can authorize or deny access to certain data, and is responsible for its accuracy, integrity, and timeliness.

Personally Identifiable Information (PII):

According to the National Institute of Standards and Technology (NIST) Guide to Protecting the Confidentiality of Personally Identifiable Information. PII is defined as- "Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."

Principle of Least Privilege:

The principle of least privilege requires that a user be given no more privilege than necessary to perform a job. Ensuring least privilege requires identifying what the user's job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more. By denying to subjects transactions that are not necessary for the performance of their duties, those denied privileges cannot be used to circumvent the organizational security policy.