Access Determination and Control Standard
Date of Current Revision or Creation: January 1, 2022
The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
The purpose of this standard is to establish the guidelines on the issuance of access to authorized users and to define the requirements necessary to restrict access to IT systems.
Definitions
Access Control Policy - outlines the controls to a computer system and software in order to limit access to computer networks and data. It provides details including but not limited to, access control standards, user access, network access controls, operating system software controls, passwords, and higher-risk system access, giving access to files and documents and controlling remote user access.
Data Compliance Owners - University managers (typically at the level of Unit Leader) who oversee data management functions related to the capture, maintenance, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of university data under their purview.
Information Technology Resources are defined as computers, telecommunication equipment, networks, automated data processing, databases, the Internet, printing, management information systems, and related information, equipment, goods, and services.
IT Facilities - a static, mobile or portable facility (or facilities) or a location that contains Old Dominion University information technology equipment, systems, services, and personnel.
Sensitive System is a term given to any IT system in which the classification is confidential or higher according to ITS Standard 2.3.0 Data Administration and Classification.
Standards Statement
An access control policy will be established, documented, and reviewed and implemented based on business and information security requirements.
User Access Control
Access to data will be controlled through a formal management process. User access provisioning process will be implemented to assign or revoke access rights for all user types to all systems and services.
Access to sensitive IT systems and data and the facilities that house them based on the principle of least privilege. Users will only be provided with access to the network and networks services that they have been specifically authorized to use.
The allocation and use of privileged access rights will be restricted and controlled.
Data Owners will review users' access rights at regular intervals.
The Department of Human Resources will conduct a background check for fulltime staff employees at the initial recruitment.
Physical and logical access rights will be removed upon personnel transfer or termination, or when requirements for access no longer exist.
Non-disclosure and security agreements for access to IT systems and data will be required, based on sensitivity and risk.
Separation of duties will be established to protect sensitive IT systems and data, or compensating controls will be used when constraints or limitations of ODU prohibit a complete separation of duties.
System and Application Access Control
Access to information and application system functions will be restricted in line with the access control policy.
Where required, access to systems and applications will be controlled by a secure log-on procedure.
Based on the defined IT role, users, managers, officers, and owners are responsible for ensuring that access control standards are followed for their respective IT resource.
Password management systems will be interactive and will ensure quality passwords.
The use of utility programs that might be capable of overriding system and application controls will be restricted and tightly controlled.
Access to program source code will be restricted.
Visitor access to IT facilities that house sensitive systems or data will be controlled.
User Responsibilities
Users will be made accountable for following the University's practices in safeguarding their authentication information.
Procedures, Guidelines & Other Related Information
- Federal and State Law
- University Policy 3505 - Information Technology Security Policy
- IT Standard 01.2.0 IT Roles and Responsibilities Standard
- IT Standard 02.3.0 Data Administration and Classification Standard
- IT Standard 02.6.0 Remote Access and Virtual Private Network Standard
- IT Standard 02.11.0 Password Management Standard
- IT Standard 04.1.0 MIDAS Management Standard
- IT Standard 04.2.0 Account Management Standard
- IT Standard 09.1.0 Acceptable Use Standard
- Security Awareness Training
History
Date |
Responsible Party |
Action |
October 2008 |
ITAC/CIO |
Created |
October 2009 |
ITAC/CIO |
Reaffirmed |
October 2010 |
ITAC/CIO |
Reaffirmed |
October 2011 | ITAC/CIO | Reaffirmed |
October 2012 | ITAC/CIO | Reaffirmed |
August 2015 | IT Policy Office/ISO | Three year review. Aligned content with ISO Standards. Updated titles, links, and definitions. |
December 2018 | IT Policy Office | Definitions and links checked and revised. |
January 2022 | IT Policy Office | Definitions and links checked. |