Information Technology Standard 06.14.0

Access Determination and Control Standard


Date of Current Revision or Creation: January 1, 2022


The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to establish the guidelines on the issuance of access to authorized users and to define the requirements necessary to restrict access to IT systems.

Definitions

Access Control Policy - outlines the controls to a computer system and software in order to limit access to computer networks and data. It provides details including but not limited to, access control standards, user access, network access controls, operating system software controls, passwords, and higher-risk system access, giving access to files and documents and controlling remote user access.

Data Compliance Owners - University managers (typically at the level of Unit Leader) who oversee data management functions related to the capture, maintenance, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of university data under their purview.

Information Technology Resources are defined as computers, telecommunication equipment, networks, automated data processing, databases, the Internet, printing, management information systems, and related information, equipment, goods, and services.

IT Facilities - a static, mobile or portable facility (or facilities) or a location that contains Old Dominion University information technology equipment, systems, services, and personnel.

Sensitive System is a term given to any IT system in which the classification is confidential or higher according to ITS Standard 2.3.0 Data Administration and Classification.

Standards Statement

An access control policy will be established, documented, and reviewed and implemented based on business and information security requirements.

User Access Control

Access to data will be controlled through a formal management process. User access provisioning process will be implemented to assign or revoke access rights for all user types to all systems and services.

Access to sensitive IT systems and data and the facilities that house them based on the principle of least privilege. Users will only be provided with access to the network and networks services that they have been specifically authorized to use.

The allocation and use of privileged access rights will be restricted and controlled.

Data Owners will review users' access rights at regular intervals.

The Department of Human Resources will conduct a background check for fulltime staff employees at the initial recruitment.

Physical and logical access rights will be removed upon personnel transfer or termination, or when requirements for access no longer exist.

Non-disclosure and security agreements for access to IT systems and data will be required, based on sensitivity and risk.

Separation of duties will be established to protect sensitive IT systems and data, or compensating controls will be used when constraints or limitations of ODU prohibit a complete separation of duties.

System and Application Access Control

Access to information and application system functions will be restricted in line with the access control policy.

Where required, access to systems and applications will be controlled by a secure log-on procedure.

Based on the defined IT role, users, managers, officers, and owners are responsible for ensuring that access control standards are followed for their respective IT resource.

Password management systems will be interactive and will ensure quality passwords.

The use of utility programs that might be capable of overriding system and application controls will be restricted and tightly controlled.

Access to program source code will be restricted.

Visitor access to IT facilities that house sensitive systems or data will be controlled.

User Responsibilities

Users will be made accountable for following the University's practices in safeguarding their authentication information.

Procedures, Guidelines & Other Related Information

History

Date

Responsible Party

Action

October 2008

ITAC/CIO

Created

October 2009

ITAC/CIO

Reaffirmed

October 2010

ITAC/CIO

Reaffirmed
October 2011 ITAC/CIO Reaffirmed
October 2012 ITAC/CIO Reaffirmed
August 2015 IT Policy Office/ISO Three year review. Aligned content with ISO Standards. Updated titles, links, and definitions.
December 2018 IT Policy Office Definitions and links checked and revised.
January 2022 IT Policy Office Definitions and links checked.