OAR 291-005-0025
Access Authorization
(1)
Only authorized users shall be allowed access to DOC information systems.(2)
Authorized users shall be granted access to DOC information systems on a need-to-use basis. Such access will be controlled by use of a password.(3)
Requests for user access and termination of user access shall be accepted by the DOC network security officer or designee from functional unit managers or their designees only. These personnel shall handle all requests for access and termination for their functional unit. Letters of agreement with external organizations for access to DOC information systems shall clearly indicate the process and authority for user access authorization. Users from external organizations must comply with this rule.(4)
No person presently or previously under the custody, control, or supervision of the Department of Corrections or its agents shall be granted access to any computers or systems which contain data or are connected to any DOC information system unless the request for access has been reviewed, approved and recommended by the functional unit manager. Final approval for such access will be determined by the Assistant Director for ISSD.(5)
Functional unit managers or their designees shall identify their staff who have a need to use DOC information systems and shall be responsible for the following process for authorization:(a)
Functional unit managers or their designees are responsible to ensure that criminal history checks have been done on all persons for whom they request authorization to access DOC information systems. This includes contractors, volunteers, temporary staff, regular employees, and OCE employees.(b)
Security Agreement:(A)
All persons requesting access to DOC information systems must sign a security agreement which indicates that they understand they are responsible to protect agency assets, including computers and information in accordance with the provisions of the Department of Corrections rules on Release of Public Information; Files, Records, and Detainers; and Network and Information System Access and Security.(B)
The DOC network security officer or designee shall maintain a file of security agreements.(c)
Authorization Form:(A)
The user’s functional unit manager or designee shall complete an authorization form requesting access to the DOC network and the DOC applications.(B)
A separate request form shall be completed if the user is requesting dial-up access to DOC information systems.(C)
Authorization forms shall be signed by the functional unit manager or designee for the functional unit or external organization and shall be forwarded to the DOC network security officer who shall generate a user identification and a user account allowing the access requested.(d)
Training: The user shall be required to complete a training module on password management before access to the system is authorized. Notification of completion of training shall be forwarded to the DOC network security officer or designee, who shall then activate the user’s profile. The DOC network security officer shall notify the user when the profile is activated and access is authorized.
Source:
Rule 291-005-0025 — Access Authorization, https://secure.sos.state.or.us/oard/view.action?ruleNumber=291-005-0025.