2.4.10: Access Management
All computer equipment and media used for the generation, distribution, and storage of information used by the university are to be controlled and physically protected. The controls and physical protection in place must be commensurate with the classification designation of the information contained on the media or computer equipment. The controls and protection are in place to prevent damage to assets, minimize interruption to business activities, and protect confidential data.
Need to Know
Individuals having elevated access privileges (e.g. system administrators) are prohibited from accessing information they otherwise would not have a need to know, unless required to do so in the performance of specific tasks to support critical system needs. All such access must be logged and periodically reviewed. Enforcement of this standard requires sufficient resources to carefully monitor system logs. Additionally, regulatory requirements such as FERPA and HIPAA, as well as policies for information dissemination and authorization, must be taken into account.
Formal standards and procedures cover all stages in the lifecycle of user access, from the initial registration of new users to the final termination of users who no longer require access to information systems and services. The allocation of privileged access rights, which allow users to override system controls, is audited and documented.
Access control privileges for university information resources shall be assigned to users via roles, policies, or attributes wherever possible and practical. The use of roles, policies, and attributes simplifies the administration of security by permitting access privileges to be assigned to groups of users versus individual users. Roles are established based upon department and job function and are reviewed and updated when job or departmental functions change.
Review of Administrative Rights
When a change to an individual’s access privileges is needed, an IT Privileges form must be completed. Information from the forms will then be archived and maintained for a period of one (1) year and kept in secure storage. The privileges granted to all university employees will be periodically reviewed by information owners and/or custodians to ensure that university employees have access only to data that they have a need to know. Access control change forms and current system access control settings will be used during the review of access privileges for university employees.
Email access is allowed through the communicated separation date for current students, alumni, and faculty emeriti, or with special permission from Human Resources.
Identification and Authentication
University employees must provide valid identification before being granted access to university computing resources. For employees, this identity proofing is part of the HR onboarding process that completes the I-9 form. For students, the proofing process is handled by the Office of Admissions and the Office of the Registrar.
Each user of university computing resources must be assigned a unique user ID for use during the authentication (login) process. Users are forbidden to share their user ID and will be held responsible for activities that take place using their user accounts. Users that have a need for privileged access are to use their standard account for normal access.
Shared access accounts are discouraged but in certain cases are necessary. Due to the risk inherent with shared accounts, additional controls need to be in place:
- Before a shared account is approved, alternatives that could help accomplish the objective without using a shared account are analyzed.
- Passwords for shared accounts must be changed when anyone with knowledge of the password leaves the organization or changes responsibilities and no longer requires access to the account. Passwords will also follow the standard password policy.
- Scripts containing passwords for shared accounts are only used when necessary, and must be secured from unauthorized viewing/modification. The scripts should contain an encrypted form of the password whenever possible.
- Upon a user’s separation date, their access is revoked.