Information Technology Access Control Policy

University Policy

University of North Carolina at Chapel Hill Policy on Information Technology Access Control

Introduction

Purpose

The Access Control Policy states the University's strong interest in preserving the integrity, confidentiality, and availability of University information and information systems. Access controls are intended to minimize inappropriate exposure of University information by limiting system access to authorized individuals. Adherence to this policy minimizes risk to the University resulting from unauthorized use of resources.

Access controls are implemented at UNC-Chapel Hill through the development and implementation of procedures and standards conforming to this policy. Physical controls for access to IT devices and technical controls for access to information provide a layered approach to securing the University's information systems.

Scope of Applicability

University Constituents and units responsible for management of IT systems or University Enterprise Data.

Policy

Policy Statement

Access controls for UNC-Chapel Hill information systems are to be established in a manner that carefully balances restrictions preventing unauthorized access to information and services against the need to facilitate access for authorized users. Procedures supporting this Policy should take into account business needs and security requirements for each method of access to each application or system.

Access control takes place within the context of other University Policies and IT Standards (see references below). This Policy should be read as supporting rather than superseding provisions in related Policies, Standards, or Procedures.

Access Rights Management

Access Controls: IT Access control should be designed to address segregation of duties, protect the data from mishandling, and protect the system from unauthorized alterations. Mission Critical systems, and those containing Tier 2 or Tier 3 information (sensitive information) must have appropriate security controls in place. Access controls should be appropriate to the sensitivity of the data as outlined in the Information Security Control Standard.

Access Methods: Given the nature of distributed systems, access control mechanisms and procedures must take into account any manner in which access may be granted to the system.

Access Review: Standards, Procedures, or processes must be established to regularly review access rights as appropriate. Review of privileged user accounts must take place regularly, be documented, and follow appropriate procedures.

Access Termination: Procedures or processes must be established to ensure termination of access rights when authorization ends. Removal of access rights must occur upon termination or change of role. (which may occur through the effective automated deprovisioning of accounts).

Authorization: Standards or Procedures must be established to require formal and documented authorization of access requests. Review of such requests must apply "need to know" principles, classification of the information contained within the affected system, and contractual or legal requirements for access to system and data. Granting user access must follow access control Procedures which take into account the full scope of data and system access being granted.

Emergency Access: Each University business unit is required to establish processes or Procedures to provide appropriate and necessary emergency access to Mission-Critical systems and applications.

Remote Access: Tier 2 or 3 information (sensitive information) that is stored or accessed remotely must maintain at least the same level of protections as information stored and accessed within the University network. This applies to remote access to University systems, and access to remote third-party systems from any location.

Physical Access

Standards must be defined to address requirements for the physical security of University information systems. Custodians of those systems shall adhere to such standards.

Physical access to Tier 2 or Tier 3 information (sensitive information) and mission critical computing resources must be controlled. Access to areas in which such resources are stored must be authorized by the technical unit or individual responsible for management of the area. Only authorized personnel may access secure areas and only when there is a legitimate business need.

For shared areas, such as data centers, containing Tier 2 or 3 information, it is the responsibility of the IT Guardian (See Enterprise Data Governance Policy) or their delegate to develop processes or Procedures for approval of access (including badge access), as well as processes or Procedures for regular review of this access.

Access Audit and Review

Records of events concerning the use and management of user identities and authentication should be preserved according to the requirements of the UNC-Chapel Hill Records Retention Schedule or other governing requirements. Logging and retention should take business need for the information into account.

Appropriate audit processes based on the sensitivity of the data should be designed and implemented to identify questionable data-access activities, investigate breaches, respond to potential weaknesses, and assess the security program.

Exceptions

Exceptions to this Policy may be made by the Vice Chancellor for Information Technology and Chief Information Officer (CIO) or their delegate(s), authorized in writing. Exceptions may also be defined in the Standard for Information Technology Access Control or other related supporting Standards or Procedures.

Definitions

Access: Ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.

Access Controls: Access controls determine who is authorized to have an account on UNC's Information Technology systems, what they are authorized to do with their account, and how they are to proceed with accessing the systems which they have permission to use. Access controls are designed to protect both individual and University information.

Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Authorization: Access privileges granted to a user, program, or process or the act of granting those privileges. Privileges are no longer "authorized" when a user leaves a role upon which the authorization was based (for example, leaving a job or changing to a new position with different responsibilities).

Mission Critical: A system so critical to the mission of the UNC-Chapel Hill business unit that any incident requires immediate response.  If a system is deemed mission critical by the department, then contact and escalation information has been provided for the system in advance of any incident or outage. The owning business unit determines whether a resource is mission critical. Once designated as mission critical, heightened information security policies and standards apply in an effort to assure that the resource remains available. If a business unit does not designate a resource as mission critical, that resource may not be a priority for restoration of services in the event of an incident or outage.

Role: A group attribute that ties membership to function. When an entity assumes a role, the entity is given certain rights that belong to that role. When the entity leaves the role, those rights are removed. The rights given are consistent with the functionality that the entity needs to perform the expected tasks.

Sensitive Information: Information classified as Tier 2 or Tier 3 in the UNC-Chapel Hill Information Classification Standard.

University Constituent: UNC-Chapel Hill faculty, staff, students, retirees and other affiliates, contractors, distance learners, visiting scholars and others who use or access UNC-Chapel Hill resources.

Related Requirements

External Regulations and Consequences

Failure to comply with this policy may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this policy may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who fail to adhere to this policy may face termination of their business relationships with UNC-Chapel Hill.

Violation of this policy may also carry the risk of civil or criminal penalties.

University Standards and Procedures

Access Control Standard

Acceptable Use Policy

Information Security Policy

Information Classification Standard

Information Security Controls Standard

Information Security Liaison Policy

Enterprise Data Governance Policy

Enterprise Data Governance Standard

Onyen Policy

Password Standard

Transmission of Protected Health Information and Sensitive Information Policy

Standard for the Transmission of Protected Health Information and Sensitive Information

Information Technology Access Policy

Protocol for Responding to Security Breaches of Certain Identifying Information 

UNC-Chapel Hill Records Retention Schedule

Contact Information

Policy Contact

Unit: ITS Policy Office

Phone: 919-962-HELP

Email:its_policy@unc.edu

Report a Violation: 919-962-HELP

Details

Article ID: 131248
Created
Thu 4/8/21 9:04 PM
Modified
Wed 4/21/21 9:38 AM
Effective Date
If the date on which this document became/becomes enforceable differs from the Origination or Last Revision, this attribute reflects the date on which it is/was enforcable.
12/15/2020 10:51 AM
Issuing Officer
Name of the document Issuing Officer. This is the individual whose organizational authority covers the policy scope and who is primarily responsible for the policy.
Issuing Officer Title
Title of the person who is primarily responsible for issuing this policy.
Vice Chancellor for IT and CIO
Last Review
Date on which the most recent document review was completed.
12/15/2020 10:51 AM
Last Revised
Date on which the most recent changes to this document were approved.
11/01/2019 4:13 PM
Origination
Date on which the original version of this document was first made official.
04/24/2018 12:00 AM
Responsible Unit
School, Department, or other organizational unit issuing this document.
Information Technology Services