User Access Control Standard

Effective Date: February 1st, 2022

 

Title of Standard: User Access Control Standard

Purpose of Standard: The University of North Carolina Board of Governors (BoG) created policy 1400.3 to mandate constituent universities implement user access controls for university information. The UNC System CIO further clarified the policy via the Standard on Information Technology User Identity and Access Control. The purpose of this document is to provide further details on ECU’s standards and procedures related to compliance with the UNC policy and standards.

Person(s) with Primary Responsibilities: Data Stewards and Data Stewardship Committee

Approved: Chief Information Officer

General Statement: ECU has many information systems on campus. Any information system that hosts (processes or stores) Level 3 or Level 4 information, determined by the ECU Data Classification Levels, require a minimum set of access controls. Data Stewards are responsible for documenting their control processes for information systems that house Level 3|4 information within their area, ensuring the access control activities are conducted, and attesting to compliance. Data Stewards should have documented procedures in place within 6 months of the effective date of this standard.

Minimum Required Access Controls for Level 3 and Level 4 Data: Any information system that stores or processes Level 3 or Level 4 data, as defined by the ECU Data Classification, must have the minimum controls below in place:

  • Documented process for users to request access to the system to include:
    • Type of access needed (role)
    • Business justification
    • Level of approval needed, at a minimum must include the supervisor and data steward (or designee)
  • Data Steward, or designee, must review the HR Termination report and take the appropriate action below:
    • if the system utilizes single sign on then the user should be removed within a reasonable timeframe, typically within 7 calendar days of the termination report
    • if the system doesn’t utilize single sign on for access the user should be removed immediately, typically the day the termination report is received.
  • Data Steward, or designee, must review the HR Transfer report, and remove users that changed duties and no longer need access, within a reasonable time frame, typically within 7 calendar days of the termination report.
  • Data Steward, or designee, performs semi-annual reviews (every 6 months), at a minimum, of all users within the information system, with an attestation that the review has been conducted, the attestation will be maintained by the Data Stewardship Committee.
  • Application Administrators with privileged access (account management access, access to configuration, or access to sensitive data) should be reviewed quarterly.
  • Rationale for review timeline and associated risk.

Certain types of regulated data may require more stringent controls, for example, more frequent access reviews. Data Stewards may implement more stringent controls at their discretion, but are expected to be documented in their departmental procedure.

The Data Steward and CIO will review and approve the departmental procedures.

Exceptions: Any exceptions to this standard must be approved in writing by the CIO, approvals will be maintained by the Data Stewardship Committee and the Data Steward. Exception requests must be appropriate given the risk, include the reason for the exception, and include mitigating controls in place in lieu of the controls in this document.

Roles and Responsibilities
Data Stewards are responsible for documenting access control procedures for their information systems. The procedures should include the process for initial authorization, regular reviews (including intervals and justification), and processing employee terminations and transfers.

Supervisors are responsible for approving initial access for their subordinates, participate in semi-annual reviews, and requesting removal of employee access per ECU regulation REG08.05.05.

Data Stewardship Committee is responsible for maintaining the system access controls procedures, semi-annual review attestations, and exception requests approved by the CIO.

The CIO is responsible for maintaining this standard, providing clarification and guidance on the standard, approving departmental documentation, and reviewing exception requests.

References: