User Access Control Rule

Updated: May 15, 2025
Policy:
RUL01.06.02
Title:
User Access Control Rule
Category:
Governance and Administration
Sub-category:
Data Governance
Authority:
Chief Information Officer
Contact:

Director of Enterprise Data Services; (252) 328-9286

Related Policies:
History:

Approved by Chancellor's EC April 28, 2025

Previous Versions:

No previous versions available.

1. Purpose

The University of North Carolina Board of Governors (BoG) created policy 1400.3 to mandate that constituent universities implement user access controls for university information. The UNC System CIO further clarified the policy via the Standard on Information Technology User Identity and Access Control. The purpose of this document is to provide further details on ECU's standards and procedures related to compliance with the UNC policy and standards.

2. Person(s) with Primary Responsibilities

Data Stewards and Data Stewardship Committee

3. General Statement

ECU has many information systems on campus. Any information system that hosts (processes or stores) Level 3 or Level 4 information, as determined by the ECU Data Classification Levels, requires a minimum set of access controls. Data Stewards are responsible for documenting their control processes for information systems that house Level 3 or Level 4 information within their area, ensuring the access control activities are conducted, and attesting to compliance.

4. Minimum Required Access Control for Level 3 and Level 4 Data

  • Any information system that stores or processes Level 3 or Level 4 data, as defined by the ECU Data Classification, must have the minimum controls below in place:
    • Documented process for users to request access to the system, to include:
      o Type of access needed (role)
      o Business justification
      o Level of approval needed; at a minimum this must include the supervisor and the data steward (or designee)
    • Data Steward, or designee, must review the HR Termination report and take the appropriate action below:
      o If the system utilizes single sign-on, the user should be removed within a reasonable timeframe, typically within 7 calendar days of the termination report.
      o If the system doesn't utilize single sign-on for access, the user should be removed immediately, typically the day the termination report is received.
    • Data Steward, or designee, must review the HR Transfer report and remove users that changed duties and no longer need access, within a reasonable time frame, typically within 7 calendar days of the termination report.
    • Data Steward, or designee, performs semi-annual reviews (every 6 months), at a minimum, of all users within the information system, with an attestation that the review has been conducted. The attestation will be maintained by the Data Stewardship Committee.
    • Application Administrators with privileged access (account management access, access to configuration, or access to sensitive data) should be reviewed quarterly.
    • Rationale for the review timeline and the associated risk.

Certain types of regulated data may require more stringent controls, for example, more frequent access reviews. Data Stewards may implement more stringent controls at their discretion, but such controls are expected to be documented in their departmental procedure.
The Data Steward and CIO will review and approve the initial departmental procedures.

5. Exceptions

Any exceptions to this rule must be approved in writing by the CIO; approvals will be maintained by the Data Stewardship Committee and the Data Steward. Exception requests must be appropriate given the risk, include the reason for the exception, and include the mitigating controls in place in lieu of the controls in this document.

6. Roles and Responsibilities

Data Stewards are responsible for documenting access control procedures for their information systems. The procedures should include the process for initial authorization, regular reviews (including intervals and justification), and processing employee terminations and transfers.

Supervisors are responsible for approving initial access for their subordinates, participating in semi-annual reviews, and requesting removal of employee access per ECU regulation REG08.05.05.

The Data Stewardship Committee is responsible for maintaining the system access control procedures, semi-annual review attestations, and exception requests approved by the CIO.

The CIO is responsible for maintaining this rule, providing clarification and guidance on the rule, approving departmental documentation, and reviewing exception requests.

7. Best Practices for Documenting Access Controls Procedures

If Data Stewards or Administrators need assistance in documenting Access Control Procedures, contact the ITCS Enterprise Data Management Support Services Team (edmss@ecu.edu).