In order to provide appropriate access to information and systems and to prevent unauthorized access, safeguards based on business and legal requirements must be identified and applied. Controlling access to personal information is a key element of providing information privacy.
Safeguards for Domain 8 Information Security & Privacy Program
Business requirements for access control
Documentation of access control policies and rights is necessary to provide appropriate access to information, and must be based on business, security, and privacy requirements.
- Policy IT-03: Eligibility to Use Information Technology Resources
- Sponsor a computing account for an IU affiliate | IU Knowledge Base
- IU Policy on Student Records: Release of Student Information Policy | Office of the Registrar
User access management
Procedures covering the full life-cycle of user access, from initial provisioning to final de-provisioning, should be in place to ensure authorized user access and to prevent unauthorized access.
- What computing accounts are available at IU? | IU Knowledge Base
- How do I get access to IU institutional data and applications? | IU Knowledge Base
- What are the ADS service policies at IU? | IU Knowledge Base
- Policy IT-02: Misuse and Abuse of Information Technology Resources
- Policy FIN-ACC-580: Risks of Potential Identity Theft in the Use of Stored-Value and Payroll Deduct requires that ID Card offices, when responding to requests by Account Card Holders for additional or replacement cards, refer to and implement the relevant provisions of the university's Identity Theft Prevention Program to ensure that the risks of identity theft are minimized.
- Identity Verification
User responsibilities
Users should be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment.
- Users assent to the appropriate Acceptable Use Agreement prior to obtaining their first computing accounts at IU
- System administrators can use the agreement tool to verify that an employee has assented to the Acceptable Use Agreement - Access to Technology and Information Resources - Employees and on what date
- Passwords and passphrases | IU Knowledge Base
- About your device's administrator account | IU Knowledge Base
- Configure your macOS computer so IU users can log in with an IU username and passphrase | IU Knowledge Base
Network Access Control
Access to both internal and external networked services should be controlled.
- IU's policy on Extending the University Data Network assigns responsibility for networking infrastructure at IU.
- IU's policy on Wireless Networking assigns responsibility for wireless networking at IU.
- Register your wired device on the IU network | IU Knowledge Base
- About the IU VPN | IU Knowledge Base
Operating System Access Control
Security tools and procedures should be used to restrict access to operating systems to only authorized users.
- About your device's administrator account | IU Knowledge Base
- What is the principle of least privilege? | IU Knowledge Base
Application and Information Access Control
Application systems should apply access controls to limit access to only authorized users.
- About IU Login | IU Knowledge Base
- Integrate IU Login with a web application | IU Knowledge Base
- Managed Active Directory groups at IU | IU Knowledge Base
- Policy FIN-ACC-580: Risks of Potential Identity Theft in the Use of Stored-Value and Payroll Deduct requires applications that involve stored-value accounts and payroll deduct accounts for the purchase of goods and services on and off-campus, and payroll debit cards used by a limited number of university employees, to provide an automatic email response to an Account Card Holder at any time that his or her address is changed within the university's electronic systems.
- UISO InCommon Certificate Service
- UITS InCommon Root Certificate Installer
Mobile computing and telecommuting
The risks of mobile computing and telecommuting should be identified and appropriate security applied as appropriate. Mobile computing includes the use of laptops, cell phones, etc. Telecommuting uses communications technology to enable personnel to work remotely from a fixed location outside of their organization.
- Secure your iPhone, iPad, or iPod touch | IU Knowledge Base
- Secure your Android OS device | IU Knowledge Base
- About IU Secure wireless | IU Knowledge Base
Do you plan to travel abroad and take your university issued laptop computer, digital storage device, or any encryption products with you? The Export Control Office in the Office of Research Administration can help you determine if your university-issued electronic components require a license prior to international travel, can provide tips for international travel with information stored on electronic components, and can provide a list of sanctioned and restricted parties and entities with whom IU is prohibited by federal law from doing business with. Contact them at export@iu.edu.
Summary of domain objectives
The primary objectives of this domain are to ensure:
- access control policies based on business requirements are documented
- formal provisioning and de-provisioning procedures are in place
- users assent to statements indicating their understanding of their responsibilities
- access is removed or blocked for those who have changed roles or jobs or left the organization
- sanctions for attempting unauthorized access are established
- password allocation is managed securely
- access control lists are reviewed at regular intervals
- users are aware of requirements for selecting and protecting passwords
- devices are locked or logged off when left unattended
- documents are physically protected from unauthorized access
- policy outlines who is allowed to access what services and how
- remote access requires appropriate authentication methods
- remote diagnostic and configuration port access are protected
- network segregation is utilized as appropriate to control large networks
- network connection and network routing controls are required to manage access
- use of secure log on processes
- assignment of unique identifiers for each individual gaining access
- management of passwords according to best practices
- system utilities that could be used to override controls are limited to a small set of authorized users
- automatic time-outs are enabled for inactive sessions
- restrictions are applied to applications based on individual application requirements
- isolated computing environments are used for sensitive information and applications
- policy and procedures exist for securing mobile computing
- policy, operational plans and procedures exist for teleworking activities
Supplemental resources
Access Control | EDUCAUSE/Internet2 Information Security Guide