High-Risk Pool Procedure

Technology Services Procedure for High-Risk Pool
updated January 29, 2018

Concord University is committed to safeguarding personal information for faculty, staff, students, alumni, donors, and visitors who utilize the CU network.  To maintain that commitment requires each user of CU information technology to adhere to best practices as identified in the policy on Acceptable Use.  As we increase cybersecurity awareness through training and information-sharing [or on-going communication], we are increasing enforcement of the Acceptable Use policy and introducing actions to help enhance compliance.

Technology Services has been tasked with cybersecurity management which includes identifying high-risk users.  When an individual is identified as high-risk, the individual and supervisor will be notified.  In addition, High-Risk Pool members will:

  • Be required to change their CU password immediately and every 14 days.  Our password management self-service system is located at https://www.concord.edu/mypass
  • Be required to complete remedial cybersecurity training
  • Temporarily lose VPN access to Banner and other resources from off-campus (Blackboard will still be available)
  • Temporarily lose administrative privileges, if applicable, on assigned computers
  • Temporarily be required to use two-factor authentication EVERY login on BANNER 

Examples of behavior that causes a user to enter or remain in the High-Risk Pool include the following:

  • Password sharing (this may cause 2 or more users to enter the High-Risk Pool)
  • Leaving a system unattended in a way that allows access to unauthorized users
  • Non-compliance with policy, such as the Acceptable Use Policy
  • Negligence with information security such as writing your password on a piece of paper and taping it to the monitor, etc.
  • Unauthorized sharing of sensitive or confidential data
  • Any acts of commission or omission that jeopardize Concord’s information security

The Vice President/Provost; the Vice President of Information Technology & Chief Information Officer; and the Vice President of Human Resources, Policy, and Planning will collectively review and approve the placement of users into the High-Risk Pool and may direct initiation of the progressive disciplinary process.

Removal from the High-Risk Pool occurs after 30 calendar days of acceptable use and compliance with policies and procedures. The High-Risk Pool procedure is intended to maximize Concord’s information security, limit the possibility of security breaches, and attain 100% compliance with the CU Acceptable Use Policy.