(Drafted March 2026. Pending Governing Board Approval)
Identity, Account, and Access Management Policy
1. Purpose
This policy defines how Colearn Academy manages user identities, accounts, and access rights to help ensure that only authorized individuals have appropriate access to school systems and data.
2. Scope
This policy applies to all user accounts (including staff, contractors, volunteers, and students where applicable) that access Colearn Academy systems and data.
3. Account Provisioning and Deprovisioning
3.1 New accounts will be created only upon documented authorization (for example, HR onboarding, enrollment, or written request from a manager).
3.2 When a user's role changes or their relationship with the School ends, their access will be updated or disabled in a timely manner based on available processes and tools.
4. Access Rights and Least Privilege
4.1 Access to systems and data will be based on role and job responsibilities, following the principle of least privilege.
4.2 Administrative or high-privilege accounts will be limited to staff who require such access to perform their duties.
4.3 Colearn Academy will phase in separate non-privileged and administrative accounts for staff with elevated access. Initial focus will be on highest-impact systems (e.g., identity provider, SIS, LMS). Target: design in FY 2025–26; staged rollout in FY 2026–27.
5. Authentication Practices
5.1 User accounts must be protected by passwords or other authentication mechanisms that comply with minimum complexity or length requirements defined by the School and/or underlying platforms. Role-based differences for default passwords and multi-factor authentication are set forth in section 6.
5.2 Where feasible, multi-factor authentication (MFA) will be used for administrative or high-risk accounts and may be expanded to other accounts over time based on risk. Staff are required to use MFA as specified in section 6.
6. Default Passwords and Requirements by Role
6.1 Staff
Staff accounts may access sensitive or confidential data beyond the staff member's own information. Default or initial passwords for staff must meet the strong password requirements defined by the School or the underlying platform. Staff are required to use multi-factor authentication (MFA). Strong passwords and MFA apply even to initial or default credentials; staff must complete any required password change or MFA enrollment before using systems that handle sensitive data.
6.2 Students
Student accounts do not have access to sensitive data other than the student's own information. Students may be assigned memorable default passwords that do not meet strict complexity requirements, to support usability and age-appropriate access. Students are encouraged to change their password when able. Staff are held to a higher standard than students because of the sensitivity of the data staff may access.
7. Application and Vendor Support
Colearn Academy will track whether the applications and services used for school purposes receive regular vendor support and security updates. This requirement applies to the web-based and cloud applications that the School uses to deliver instruction or conduct operations. It does not cover software installed on school-owned devices, because the School has no school-owned hardware; the applications in scope are primarily web applications accessed via the internet. The Information Security Lead or designee will maintain awareness of vendor support status for applications in the School's inventory and will document or tag applications that are no longer receiving regular support so that they may be addressed in accordance with the School's risk management and procurement practices.
8. Periodic Review
8.1 At least annually, the Information Security Lead or designee will coordinate a review of access to selected critical systems to confirm that access remains appropriate.
9. Review
This policy will be reviewed at least annually and updated as needed to reflect changes in systems, roles, or risk.