MCC Daily Tribune

Important Update: SUNY's User Access Management Guidelines

Please share with students:

As part of a system-wide effort to enhance data security, the offices of Internal Audit and Systems Operations and Integration are jointly writing to share important new guidance that affects every member of our campus. Stemming from a recent update to the SUNY Information Security Policy, SUNY has released comprehensive Managing User Access Guidelines and is recommending they be shared openly across all 64 campuses to foster a collective culture of security.

Why This Matters

These guidelines call for a critical shift in how we think about and manage access to the College’s digital resources. Think about your role here on campus. Whether you're in admissions, finance, student services, or facilities, you access specific systems and information to do your job effectively. The principle behind these new guidelines is straightforward: your access should match your role, nothing more, nothing less.

For years, it has been common practice in many institutions of higher education, including here at MCC, to grant a new employee the same system of access as the person they replaced. While convenient, this "copy-paste" approach often leads to "privilege creep," where unnecessary or outdated permissions accumulate over time, creating significant and often invisible security risks. An account might retain access to a system that is no longer part of the job, or a temporary permission granted for a special project might never be revoked.

The new guidelines challenge us to move beyond this habit. Instead of asking, "What access did the last person have?" we must now ask, "What access does this specific individual need to perform their job effectively and securely today?"

This principle, known as "least privileged access," is about more than just restricting information; it's about strengthening each person's digital identity. When your access rights precisely match your job functions, your account becomes a more secure and efficient tool. It reduces the risk of accidental data modification, protects sensitive information from being exposed to a potential account compromise, and ensures we are all responsible stewards of the data entrusted to us, from student records to financial information.

This is a shared responsibility that extends beyond the IT department. Supervisors, in particular, play a crucial role. They are on the front lines of defining what access their team members need, reviewing those permissions regularly, and ensuring that access is modified or removed promptly when roles change or an employee separate from the university. This active management is the only way to prevent the accumulation of stale accounts and legacy permissions that represent a significant vulnerability.

The IT Department is currently reviewing its processes and procedures to integrate the new guidelines seamlessly. They will be collaborating with several departments across campus, including Institutional Compliance and the Internal Audit Office, among others, to ensure the College’s current user access process aligns with the SUNY directive. More information regarding this effort will be provided in the near future.

We encourage every member of our community to familiarize themselves with this new framework. Understanding the "why" behind these changes is the first step toward building a more secure environment for everyone.

You can access SUNY’s new Managing User Access guidelines (PDF) directly or through the Institutional Compliance and Internal Audit website.

Thank you for your partnership in this vital effort to protect our institution's data and resources.

Jeff Savage, Chief Information Security Officer (CISO)

Brenda Ronan
Institutional Compliance & Internal Audit & Information Security
01/30/2026