Access Control Policy, Information Technology

Title: Access Control Policy, Information Technology
Policy Owner: Information Security Office
Applies to: Students, Employees, Users
Campus Applicability:  All University departments at all Campuses except UConn Health
Effective Date: May 16, 2012
For More Information, Contact Chief Information Security Officer
Contact Information: (860) 486-8255
Official Website: http://security.uconn.edu/

 

This policy is available in the Information Security Policy Manual.

All University information technology (IT) resources that store, process, or transmit Confidential or Protected data must require usernames and passwords for access.

Data Stewards must authorize all individuals prior to their accessing IT resources that store, process or transmit Confidential or Protected Data.

Individual units are responsible for developing and implementing procedures for authorizing and granting access to their IT resources that store, process or transmit Confidential or Protected Data.

Data Stewards shall document all data access privileges, and will reevaluate access privileges when a user’s job assignment changes. When a user no longer requires data access or leaves the University for any reason, the Data Steward shall revoke the user’s access privileges. The user’s supervisor is responsible for making appropriate and timely requests to the Data Steward for IT resource account access modification.

Individuals with access to Confidential or Protected Data may not share or redistribute this data without receiving the expressed, prior consent of the Data Steward.

Login Names and Passwords

Data Administrators will configure systems and applications to meet the following requirements to authentic users of IT resources that store, process or transmit Confidential or Protected Data:

  • Data Administrators must assign each user a unique login name.
  • Login names will have an associated password, which is required to minimally meet the standards outlined in the University password standards.

Users must not share account passwords with any other person.

Review & Compliance

For systems where Confidential Data is stored, processed, or transmitted, Data Stewards and Data Administrators will review user access rights annually using a documented process.

Data Stewards, or their designated representatives, shall ensure appropriate procedures are documented, disseminated, and implemented to ensure compliance with this policy.

Policy Effective May 16, 2012 (Approved by President’s Cabinet)