IV. Access Control:

IV. Access Control:

   a. Physical Access

   i. The data center shall only be accessible by the Network Administrator. If a contract worker or anyone else needs to access NSC's servers in the data center the Network Administrator must accompany them. Physical access to the data center shall be granted by smart card credentials and fingerprint scanning of the Network Administrator by the OCIO and building security.

   ii. Access to the storage vault(s) used for equipment storage by the NSC-IT (Nebraska Supreme Court Information Technology) Department in the basement of the state Capitol shall be controlled by the Court Administrator's office. The employee (employee, intern or contractor) must have smart card access to the basement of the Capitol and a vault key, or be accompanied by an authorized employee.

   iii. Access to the NSC-IT work areas will be secured to ensure the protection of stored computer assets, as well as preventing unauthorized access to any IT workstations and equipment.

   iv. NSC-IT will have a smart card and / or key access to all employee work areas before, during and after work hours for emergency IT purposes. NSC-IT will schedule visits ahead of time wherever possible.

   v. Devices are available for checkout that allow end users to utilize hardware or software needed to do their job while away from their office. NSC-IT will manage access to and security for these devices. End users are responsible for safekeeping during the period in which they are checked out.

   vi. Use of removable media shall be limited to purposes of direct support of work-related functions where other means of secure data transfer are not available. Only removable media issued by NSC-IT shall be used on judicial branch owned or leased equipment. NSC-IT will be responsible for scanning and securing removable media when not in use.

   b. User Access

   i. The Network Administrator and or NSC-IT is responsible for creating user accounts and accompanying passwords, active directory (AD) structures for different departments and the needed group policies (GPO) to accompany them within the NSCAP (Nebraska Supreme Court Administration and Probation) domain. The state OCIO is responsible for exchange services and all other services and applications it provides and administers support for.

   ii. When an employee position is open for hire, the hiring manager must notify the Network Administrator as soon as possible by submitting the approved NSC-IT checklist. This is necessary in order to facilitate procuring the hardware by the employee's start date.

   iii. Once an employee has passed a background check and has been formally hired, the manager must then notify NSC-IT by submitting the approved form. Depending upon the needs of the position and requirements of the hiring manager, the new employee will be given access to the NSCAP domain. This will facilitate the creation of AD accounts, creation of a state email account and forwarding of the new employee's information on to other departments for additional program accounts to be created. Employees may be issued state equipment for accessing state systems. Employees will also be given access needed for web applications and necessary software relating to the position.

   iv. State issued cellular devices are available upon the approval of the hiring manager assuming the position is eligible for a cellular device. The phone must be requested through the Network Administrator or other designated Communications Coordinators authorized to procure through the OCIO.

   v. Personal phones may have state email accounts installed on them but only after the required form is filled out and returned to the Network Administrator, signed by the Court Administrator and Chief Information Officer for the state. See: NITC 5-204: Linking a Personal Portable Computing Device to the State Email System.

   vi. Hiring managers must notify the NSC-IT department of any upcoming employee termination/separation. For security reasons, all accounts must be immediately disabled upon any employee leaving his or her position. Any data that is still needed, whether email or network-related, must be transferred or saved by 5 p.m. on the employee's last day. For unplanned separations, the hiring manager must contact NSC-IT immediately.

   vii. Contractors / Interns

   Access for contractors or interns must be requested by the administrator or director of the department under which the systems reside. An AD account and a state email account can be created by NSC-IT at the request of the administrator or director.

   c. Network Access

   i. The Network Administrator is responsible for the NSCAP domain and all servers running within that domain. The Administrator is responsible for the daily upkeep, setup, disaster recovery and usage of these servers. The Administrator must be a part of any planned changes to the NSCAP domain, or usage of the domain by employees or third parties.

   ii. The Network Administrator shall be the only one who is allowed to make programmatic changes to the NSCAP servers unless designated otherwise by the Administrator. The NSC-IT department is allowed to access AD for user setup and disabling user accounts along with creating file server shares. The NSC-IT department is also allowed to push software installs and updates over the NSCAP domain to its employees as needed.

   iii. The Network Administrator shall utilize AD security event logs to log login and logout times for NSCAP domain access. The Network Administrator will also be responsible for administering the judicial branch's Mobile Device Management (MDM) solution for all state purchased mobile devices.

   iv. The state OCIO department is responsible for VPN creation, upkeep and usage monitoring for all judicial branch employees, contractors and interns.

   d. Computer Access

   i. Only NSC devices with NSCAP user accounts shall be allowed to log onto the NSCAP domain. No other devices will have access to shared drives or applications residing on the NSCAP domain or VPN access to the NSCAP domain.

   ii. User accounts will use ID's of employees' first initial of their first name and their whole last name. If this user ID is already taken, a middle initial will be used after the first initial of the first name. The password will conform to minimum password requirements. See NITC 8-302 Minimum Password Configuration. NSC-IT will not override these requirements for any employee.

   iii. All judicial branch employees with system administrative credentials and contractors must use the state's VPN solution with dual authentication.

   e. Application Access

   i. All computers assigned from the NSC-IT department will have an operating system and basic software package that will allow employees to perform all necessary job responsibilities. Each office shall have software to fit their specific needs.

   ii. If the application is controlled by the NSC-IT department, they will furnish the username and password and be in charge of resetting passwords. If the application is controlled by the individual departments, that department must appoint a person to handle usernames and passwords.

   iii. Terminated end users must have their application access removed within 3 calendar days by the responsible department.