University of North Carolina at Chapel Hill Standard on Information Technology Access Control
Introduction
Purpose
This Standard guides everyone at the University of North Carolina at Chapel Hill ("University" or "UNC-Chapel Hill") in preserving the integrity of University information and information systems. It also explains how to keep University information and information systems secure and available. The goal is to ensure that only people who have been approved can access University systems; when that holds, there is less chance that an unauthorized person will cause harm.
Scope
This Standard applies to everyone at the University who manages IT systems or University data.
Standard
Managing Access Rights
If a system has University data and more than one person uses it, it must have a process for authorizing access.
Having more than routine access is called "privileged access." Systems must have a process for requesting privileged access. A person should receive privileged access only if they have a business or academic need for it.
If a system is mission-critical or has Tier 2 or 3 (sensitive) information, then access to that system must be revoked if a person:
- Changes employment status,
- Changes job function, or
- No longer has responsibilities that require specialized access.
It’s okay to authorize access to non-privileged (regular) accounts by user role or group instead of by person.
Access Controls
Access controls need to match the sensitivity of the data as outlined in the Information Security Controls Standard.
Mechanisms to control access to Mission-Critical Devices and to devices holding information classed as Tier 2 or Tier 3 (Sensitive Information) must include at least the following methods:
Authorization
The person who manages access for a system needs to approve changes to that access. Those changes include adding or removing access methods. Every change needs a valid business justification. For example, access to an administrative system may require approval by:
- a person’s supervisor,
- an access request coordinator, and
- the Data Steward or another person with authority to grant access to the specific data.
The unit that manages the technical aspects or the security of a system approves authorized accounts. That includes creating, removing, or changing authorized accounts. It also includes granting or changing access to protected data and network resources. Sometimes, units delegate the authority to manage a system to another unit.
Allowing technical support staff to use administrative and system technical support accounts must be approved by (at a minimum) those who manage the system's technical aspects. This may be an IT Guardian or their delegate. Every system and service account must have a designated person responsible. If that person changes, a new person must be named.
A person may not authorize their own access unless an exception applies.
Identification and Authentication
The UNC-Chapel Hill Information Security Controls Standard requires each person to have a unique ID with which to authenticate. Everyone who uses a system must follow the IT policies related to User IDs, especially the rules intended to keep IDs safe and used only by the people they are assigned to. People who manage access must enforce those policy requirements by holding Users accountable if they do not follow the rules.
For details see the Information Security Controls Standard and the Standard on the Transmission of Sensitive Information.
Third Party Access
When third parties need access to a multi-user system, access must go through an approval process. The correct approvers are a person who manages technology for the system and a person with authority to approve access to the data.
Third parties may have admin/privileged access to University systems if they have University business and an authorization for each system.
All third-party accounts on Mission Critical systems, or on systems with Tier 2 or 3 data, must be left in a disabled or inactive state except when they are needed. The technical staff for the system are responsible for enabling and disabling these accounts and for monitoring third-party access.
Third parties with access to Mission Critical or Tier 2 or 3 systems must follow the law and University data governance requirements (for example, PCI (Payment Card Industry) security requirements for cardholder data, FERPA (Family Educational Rights and Privacy Act) requirements for student records, and HIPAA (Health Insurance Portability and Accountability Act) requirements for protected health information (PHI)). Third-party accounts must be disabled immediately when they are no longer needed.
Remote Access
Remote access to mission critical systems, or to systems using Tier 2 or 3 University Data (sensitive information), is subject to additional requirements. Those systems must require authentication and encryption following the Transmission of Sensitive Information Standard. Base remote access methods on the security controls required for the type of system and data; see the Information Security Controls Standard. When third-party systems use University Data, make sure they use equivalent, well-controlled methods to manage remote access safely.
Physical Access
Multi-user systems (what we usually call "servers") that are mission-critical or hold Tier 2 or 3 sensitive information must be protected physically. They must be housed in access-controlled locations following the Information Security Controls Standard, and protected from physical access by anyone who is not authorized. Establish a process to regularly review the list of people with access to each secure area and remove access when their role or responsibilities change.
Mobile devices and disposable media that store or process Sensitive Information must use the required security controls. This means they need protection from physical access by people who are not allowed to see that information. Follow the Information Security Controls Standard.
Access Audit and Review
Any units or persons responsible for access-controlled systems at the University must create, document, and follow processes to regularly review individual and system accounts and physical/badge access. Access review is required only for mission critical systems and systems with Tier 2 or 3 data, but reviewing system access is always encouraged.
People who manage access control for a system must review and approve all access modifications as well. Responsibilities include:
- Keep security records current so they accurately reflect each person’s role and the access they need.
- Make sure to carefully follow procedures to handle employee suspensions, terminations, and transfers. Take steps to revoke access privileges when those changes happen.
- Revoke access when it is no longer needed or proper.
- Promptly report any possible or actual unauthorized access to University Sensitive Information (possible security breach). Follow the Information Security Incident Management Standard and other policies that may apply to the data or system.
- Take action when you identify other possible Information Security Incidents. Follow the Information Security Incident Management Policy.
Roles and Responsibilities
People in data governance roles (Data Trustees, Data Stewards, Data Managers, Data Liaisons, the Data Governance Oversight Group, and IT Guardians) defined in the UNC-Chapel Hill Policy on University Data Governance and Standard on Enterprise Data Governance work together on processes described in this Standard.
Supervisors answer requests to review their employees' access privileges to systems, may themselves request such a review, and trigger removal when an employee should no longer have access.
The Vice Chancellor for Information Technology and Chief Information Officer (CIO) and IT service providers create access controls, document access processes, and manage activities in this Standard that IT staff handle.
Exceptions
The CIO or their delegate(s) may make written exceptions to this Standard.
Access roles that only allow people to access their own data in a system do not require access review.
People may authorize their own access to development or test systems having no Tier 2 or 3 data if the system is part of their job responsibility.
Definitions
- Access: The ability and means to communicate with or otherwise use a system, including using system resources to handle information, gaining knowledge of the information the system holds, and controlling parts of the system and its functions.
- Access Controls: Access controls decide who may have an account on UNC's Information Technology systems, what they may do with their account, and how they access those systems. Access controls are designed to protect both individual and University information.
- Authentication: Verifying the identity of a user, process, or device, often done before allowing access to resources in an information system.
- Authorization: Access privileges given to a user, program, or process or the act of granting those privileges. Privileges are no longer "authorized" when a user leaves a role if that role is why they were authorized (for example, leaving a job or changing to a new one with different responsibilities).
- Mission Critical: A system so critical to the mission of the UNC-Chapel Hill business unit that any incident requires immediate response. If a department considers a system mission critical, contact and escalation information for the system must be provided to ITS before any incident or outage. The owning business unit decides whether a resource is mission critical. Once named as mission critical, heightened information security requirements apply to assure the resource stays available. If a business unit does not designate a resource as mission critical, it may not be a priority for restoration of services in an incident or outage.
- Multi-User System: A server or other system that gives access or services to more than one user at the same time. A system that multiple people rely upon to be reliably available for use.
- Privileged: System or Application Administrators and users with elevated data-access privileges (beyond access to their own data) are considered "privileged" users. User accounts with higher privileges than a standard user of an application or operating system or those with access to Tier 2 or 3 information other than their own are considered "privileged" accounts. This includes administrators of servers or multi-user applications, privileged access to applications, or access with tools like "sudo." A user who can set privilege levels for other users is an administrator and therefore "privileged." NOTE: for purposes of this Standard, common use of "local-admin" privileges on individual devices by their assigned users is not "privileged."
- Role: A group attribute that ties membership to function. When someone assumes a role, they are given certain rights that belong to that role. When they leave the role, those rights are removed. The rights given match the functions needed to perform expected tasks.
- Sensitive Information: Information classified as Tier 2 or Tier 3 in the UNC-Chapel Hill Information Classification Standard.
- User: Anyone with access to University information technology systems or services.
- User Manager: A User Manager is any University administrator, faculty member, or staff member who supervises people or who has University administrative responsibilities.
Related Requirements
External Regulations and Consequences
Failure to follow this standard may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who do not adhere to this standard may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors, vendors, and others who do not adhere to this standard may face termination of their business relationships with UNC-Chapel Hill.
Violation of this standard may also carry the risk of civil or criminal penalties.
University Policies, Standards, and Procedures
Contact Information
Primary Contact
Unit: ITS Policy Office
Phone: 919-962-HELP/4357
Email: its_policy@unc.edu
Report a Violation: 919-962-HELP/4357