Data Network Security and Access Control
Initially Approved: August 25, 2006
Revised and approved: August 10, 2015
Revised and approved: April 10, 2017
Revised and approved: January 28, 2019
Technical Changes: June 20, 2019
Revised and approved: June 30, 2020
Policy Topic: Information Technology
Administering Office: Office of the CIO
I. POLICY STATEMENT
Information technology resources are provided to support the University's mission.
To ensure that these shared and finite resources are used effectively to further the
University's mission, the integrity of the resources must be protected and access
to the resources must be properly controlled.
II. SCOPE AND APPLICATION OF THE POLICY
This policy applies to all individuals assigned a non-student University account who
access the University's information technology resources, whether the resources are
located on or off-campus and whether University-owned or contracted for use by the
University.
III. DEFINITIONS
“SHRA” means subject to the Human Resources Act (formerly SPA).
“EHRA” means Exempt from the Human Resources Act (formerly EPA).
“Information Technology Resource” means any system, media or software used to transmit, store or process information
or data.
“User” means any individual assigned a non-student University account to utilize a University
information technology resource as defined above.
“Separation” means the employee left employment with the University and is no longer affiliated
with an employment agreement.
IV. DATA NETWORK SECURITY POLICY
The Information Technology (IT) Division’s Networking & Communications (Networking
& Communications) Services has the responsibility for the design, maintenance, and
security of the university’s data network. To ensure the integrity of the network:
- No individual or office may connect a device to the campus data network that provides
unauthorized users access to the network or provides unauthorized IP addresses for
users.
- Networking & Communications has the right to limit network capacity, or disable, network
connections that are adversely impacting availability of information technology resources.
- Access to networking equipment in wiring closets, etc. is limited to the Networking
& Communications staff or their designees.
- No consideration of changing the architecture of any part of the data network may
be undertaken without the early and regular involvement of Networking & Communication.
V. ACCESS CONTROL POLICY
A. General Principles for User Access
Access to university information technology resources may only be granted to users
who have completed and submitted all requisite compliance documents as defined by
the IT Division. For initial access and termination of access, the guidelines detailed
below control access based upon the user’s employment or appointment status.
In most cases access to information technology resources will terminate on a user’s
last work/contract date. In some cases, access will terminate on an user’s last pay
date. In cases where separations are deemed involuntary, Human Resources (HR) will
immediately terminate access.
Hiring officials may not enter into employment contracts that commit the university
outside the scope of this policy.
B. Compliance Documents Needed for Access
All users obtaining non-student accounts are required to read and accept a Confidentiality
and FERPA agreement when electronically claiming their account. Other compliance
documents differ by user type and are outlined below in sections C and D.
C. Employee User Types
Employee user accounts will be created upon receipt of 1) a fully executed employment
contract or a letter offer of employment that has been accepted in writing by the
employee; and 2) all compliance documents required by HR. Access to the account will
be granted as follows:
- Non-Faculty Employees (includes all SHRA and EHRA non-faculty): Will be granted access on the first day
of their employment provided that complete and accurate employment compliance documents
have been received by HR. Access will be terminated on the last work date. HR may
grant early access exceptions up to 90 days in advance for eligible SHRA exempt and
EHRA employees upon request of the hiring supervisor and receipt of complete and accurate
employment compliance documents.
- Faculty Employees (includes tenured-track and fixed term appointment faculty): will be granted access
on the first day of contract provided that complete and accurate employment compliance
documents have been received by HR, or up to 90 days early upon processing by HR of
complete and accurate employment compliance documents. Access will be terminated on
the last day of the month of the last pay date.
- Temporary Faculty Employees (includes adjunct faculty, teaching and lab graduate assistants): will be granted
access on the first day of contract provided that complete and accurate employment
compliance documents have been received by HR, or up to 90 days early upon processing
by HR of complete and accurate employment compliance documents. Access will be terminated
on the last day of the month of the last pay date.
- Temporary/Hourly Non-Faculty Employees: will be granted access on their first day of employment provided that all employment
compliance documents have been received by HR. Access will be terminated on the last
work date. Early access cannot be granted. The supervisor is responsible for notifying
HR if early termination is necessary. Access is covered by appointment dates and monitored
by HR.
- Administrative Student Workers (students who need access to administrative systems, including graduate research
assistants): will be granted access provided that the supervisor has approved the
account request and their HR job record is complete. Access will be terminated on
the last work date or access will be terminated on the last day of the month of the
last pay date depending on the type of contract. Access must be re-requested and reauthorized
at the beginning of a new contract period. Early access cannot be granted. Continuing
access may be granted for graduate research assistants if a contract is in place for
a future term. The supervisor is responsible for notifying IT to terminate access
early if necessary.
D. Non-Paid User Types
Non-Paid user accounts will be created upon receipt of 1) a fully executed contract
or other engagement document; and 2) a completed IT Guest/Consultant access request
form or an approved equivalent electronic request. Access to the accounts will be
granted as follows:
- Affiliate Non-Faculty (includes guests, volunteers and interns): May be granted access during their engagement
dates in accordance with the start and end dates of their engagement document, provided
that complete and accurate compliance documents have been submitted to the CIO with
the access request. After the access request has been approved by the CIO, the documents
will be forwarded to HR and IT for processing. Access will be set to expire in accordance
with the approved dates. The requesting department will also be responsible for notifying
HR to terminate access prior to the expiration of the engagement letter if warranted.
Access is valid for a maximum of 1 year and must be renewed if necessary.
- Affiliate Faculty (a third-party providing instructional services to an academic unit and not paid by
the University): May be granted access during their engagement dates in accordance
with the start and end dates of their engagement document provided that the requesting
department submits complete and accurate compliance documents to the Dean and CIO
for approval and these have been processed by HR and IT. Access will be set to expire
in accordance with these dates. The requesting department will also be responsible
for notifying HR to terminate access prior to the expiration of the engagement if
warranted. Access is valid for a maximum of 1 year and must be renewed if necessary.
- Affiliate Former Faculty (includes Emeritus in Waiting and former adjunct faculty between contracts which
are within a year of last contract):
- For departments expecting to re-hire former adjunct faculty, that do not already have
Emeritus status, within a year, the Dean or department head must request the account
remain active as an Affiliate Former Faculty. HR will process the request and verify
a change of status. The term for this status is no more than one year. Users will
automatically be moved from this user type to a faculty type by a change in status
performed by HR.
- For individuals that are Emeritus in Waiting, HR will update their status and their
account will automatically be changed to Affiliate Former Faculty for up to one year
while they await the decision on Emeritus status.
- Supplier (a vendor that provides software or IT services through a contract or other agreement.
IT Services include the support or implementation of university technology infrastructure
or operations): Access is requested by a sponsoring individual and requires approval
by a supervisor and the CIO. Access will be set to expire in accordance with the approved
dates. The requesting department will also be responsible for notifying IT to terminate
access prior to the expiration of the engagement letter if warranted. Access is valid
for a maximum of 1 year and must be renewed if necessary.
- Consultant (a third-party providing non-IT and non-instructional consulting services to business
offices or functional users): May be granted access in accordance with the start and
end dates of their engagement provided that complete and accurate compliance documents
have been submitted to the CIO with the access request. After the access request has
been approved by the CIO, the documents will be forwarded to HR for processing. Access
will be set to expire in accordance with the approved dates. The requesting department
will also be responsible for notifying HR to terminate access prior to the expiration
of the engagement if warranted. Access is valid for a maximum of 1 year and must be
renewed if necessary.
- Emeritus Status (retired professors or chancellor who have emeritus approval): For Professors, access
will be granted upon approval by the Provost for conferment of Emeritus status. For
Chancellors, access will be granted upon approval by the Board of Trustees for conferment
of Emeritus status. Access may be continued as an Affiliate Former Faculty for up
to a year while waiting on Emeritus status
- Trustee/Board Member: Will be granted access upon his or her election or appointment and receipt by HR
of complete and accurate guest user compliance documents. Access will be granted for
the term of service.
E. User Account De-Provisioning
When user access is terminated per this policy the account will be placed in a disabled
status for one year. During that time the last supervisor may request that the Email
content or personal network storage content from the user be delivered to them. A
year after the account has been disabled it will be deleted, which will also delete
the user’s Email content and personal network storage folders.
Employees returning to the University after separation generally will not retain previous
content or system access permissions (i.e. the account will be re-provisioned). However,
adjunct faculty and other time-limited positions that work on a recurring basis may
retain access to previous content and systems if they return within twelve (12) months.
VI. RESPONSIBILITIES
It is the responsibility of each department to provide timely notification of all
changes related to employment and termination to HR to comply with the timeframes
set forth in this policy. Departmental notifications and personnel processing actions
are subject to audit by the University’s Internal Auditor and by external auditors.
As such, the timeframes for compliance rest at the departmental level.
VII. POLICY REVIEW
This policy shall be reviewed and revised as necessary every 2 years.
VIII. REFERENCES
International Standards Organization (ISO/IEC 27002:2022, Clause 5 Organizational
Controls, Clause 6 People Controls and Clause 8 Technological Controls)