Information Technology Access Control Policy

Title

University of North Carolina at Chapel Hill Policy on Information Technology Access Control

Introduction

Purpose

The University of North Carolina at Chapel Hill (“University”) has a strong interest in the integrity, confidentiality, and availability of University information and systems. Access controls protect University information by only allowing authorized people to access systems. Following this policy minimizes risk to the University resulting from unauthorized use of resources. Access control at the University happens through procedures and standards that follow this policy. The University has a layered approach to securing information systems. Access controls cover many topics. Physical controls protect IT devices. Technical and other controls protect the information on them.  

Scope

People and units at the University responsible for managing IT systems or University Data must follow this Policy. 

Policy

Policy Statement

Access controls for University information systems must balance making it difficult for unauthorized people to access our systems and easy for authorized people to use these systems. Procedures supporting this Policy should consider both business and security needs for all ways of access to each program or system. 

Access control sits beside other University Policies and IT Standards (see references below). This Policy is supporting rather than taking the place of any related University Policies, Standards, or Procedures. 

Access Rights Management

Access Controls: IT Access controls consider separation of duties (making sure it takes more than one person to do important things). Controls protect the data from mishandling and protect the system from unauthorized changes. Mission critical systems and Tier 2 or Tier 3 (Sensitive Information) systems must always have correct security controls in place. Access controls should be stronger for higher tiers of data. The Information Security Control Standard describes that. 

Processes used to give access must consider all ways access is granted. That may be quite a lot of ways with systems with many parts (“distributed systems”). 

Access Review: Have documented ways to regularly review access rights as often as it makes sense to do. Reviews for Privileged user accounts must be documented and happen regularly, following strong procedures.  

Access Termination: Have documented ways to make sure that access to systems is taken away when people are no longer allowed to use the system. When someone leaves the University for any reason, or they change job or other role, their access rights must change correctly. Those changes may be made automatic. 

Authorization: Standards or Procedures must require formal and documented ways that access requests are approved. However the approval happens, the review considers: "need to know" principles; classification of the information in the system; and contract or other legal requirements for access to system and data. When you give a user access, consider the whole range of data and functions they will have access to. 

Emergency Access: Each University business unit must have documented ways to provide needed emergency access to Mission Critical systems and applications. 

Remote Access: Tier 2 or 3 information (Sensitive Information) that can be accessed away from the University must have the same protection as information at the University. This applies to remote access to University systems, and access to remote third-party systems from any location. 

Physical Access

Standards must address requirements for the physical security of University information systems. Custodians of those systems will follow those standards. 

Tier 2 or Tier 3 information (Sensitive Information) and Mission Critical systems must be protected physically. Access to areas in which they are stored must be controlled by the technical unit or individual responsible for the area. Only authorized people may be in secure areas and only when they have a business reason to be there. 

For shared areas, containing Tier 2 or 3 information (Sensitive Information), like data centers, the IT Guardian (See University Data Governance Policy) or their delegate must have documented processes or Procedures for giving permission to be in those places (including badge access). The IT Guardian or their delegate must also have a documented way of reviewing who has that permission and if they still need it. 

Access Audit and Review

Keep records of who users are and how they are allowed access to systems following the University’s current Records Retention Schedule and any other requirements that apply. Consider the business need for logs when deciding how long to keep them. 

Make audit processes focus on how sensitive the data is. Look for ways to spot suspicious data-access activities. Investigate bad situations with important data. Respond to weaknesses you find. Consider the overall approach to security of system access. 

Exceptions

Exceptions to this Policy may be made by the Vice Chancellor for Information Technology and Chief Information Officer (CIO) or their delegate(s) in writing. Exceptions may also be in the Standard for Information Technology Access Control or other related supporting Standards or Procedures. 

Definitions

Access: Ability and means to communicate or interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions. 

Access Controls: Access controls determine who is allowed to have an account on UNC-Chapel Hill's IT systems, what they are allowed to do with their account, and how they can access the systems they have permission to use. Access controls are designed to protect people and information. 

Authentication: Verifying the identity of a user, program, process, or device, often before they are allowed to use resources in an information system. 

Authorization: Access privileges given to a user, program, device, or process or the act of giving those privileges. Privileges are no longer "authorized" when a user leaves a role upon which the permission was based (for example, leaving a job or changing to a new job with different responsibilities). 

Mission Critical: Any resource that is critical to the mission of the University. Mission critical resources can usually be down for no more than three consecutive hours. The business unit that owns the resource decides if it is mission critical is mission critical. If it is, information security policies and standards apply. This is to make sure the resource remains available. If the resource is not marked mission critical, it is not a priority for being restored if there is an incident or outage. Once designated as mission critical, heightened information security policies and standards apply to make sure that the system remains available. If a business unit does not designate a system as mission critical, it may not be a priority to take care of problems immediately. 

Role: A description of function. When someone or something is given a role, they are given certain rights that belong to that role. When the entity leaves the role, those rights are removed. The rights given are consistent with functions the entity needs to perform the expected tasks. 

Sensitive Information: Information classified as Tier 2 or Tier 3 in the UNC-Chapel Hill Information Classification Standard. 

University Data: Any data or information the University may have a responsibility to protect or disseminate. 

Related Requirements

External Regulations and Consequences

Failure to comply with this policy may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this policy may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this policy may face termination of their business relationships with UNC-Chapel Hill.

Violation of this policy may also carry the risk of civil or criminal penalties.

University Standards and Procedures

• Access Control Standard
• Acceptable Use Policy
• Information Security Policy
• Information Classification Standard
• Information Security Controls Standard
• Information Security Liaison Policy
• University Data Governance Policy
• Enterprise Data Governance Standard
• Onyen Policy
• Password Standard
• Transmission of Sensitive Information Standard
• Standard for the Transmission of Protected Health Information and Sensitive Information
• Information Technology Access Policy
• Protocol for Responding to Security Breaches of Certain Identifying Information
• UNC-Chapel Hill Records Retention Schedule

Contact Information

Policy Contact

Unit: ITS Policy Office

Phone: 919-962-HELP

Email: its_policy@unc.edu

Report a Violation: 919-962-HELP