Access Control Management

Issue/Question

What is the USD policy on Access Control Management?

Environment

  • CIS Control 6

Cause

Protect against cybersecurity threats, establish cybersecurity norms, and enhance cybersecurity maturity.

Resolution

Access Control Management

Policy Statement: The University recognizes the critical importance of access control management in protecting sensitive information and ensuring the confidentiality, integrity, and availability of its resources. This policy establishes guidelines for implementing access control measures to safeguard University systems and data.

Policy Implementation:

  1. Role-Based Access Control (RBAC):

    • The University will implement role-based access control (RBAC) to manage user access rights based on predefined roles and responsibilities.
    • Access permissions will be assigned to roles rather than individual users, simplifying access management and reducing the risk of access creep.
  2. Access Request and Approval:

    • Requests for access to University systems and data will be submitted through formal channels and approved by authorized personnel, such as supervisors or data owners.
    • Access requests will include justification for access and undergo review to ensure compliance with access control policies and principles.
  3. Access Review and Recertification:

    • Regular access reviews and recertification processes will be conducted to validate the appropriateness of access privileges assigned to users.
    • Access reviews will involve verifying user access against current job roles, responsibilities, and business needs, and revoking unnecessary or outdated access permissions.
  4. Access Controls and Monitoring:

    • Multi-factor authentication (MFA) is required for all externally facing applications, all remote access to the network, and administrative access to USD systems.
    • Access controls, such as authentication mechanisms, authorization policies, and encryption, will be implemented to restrict access to University systems and data based on the principle of least privilege.
    • Access activities will be monitored and logged for security and audit purposes to detect unauthorized access attempts and ensure compliance with access control policies.
  5. Access Termination:

    • User access to University systems and data will be promptly revoked upon termination of employment, contract, or affiliation with the University.
    • Access termination procedures will include disabling accounts, revoking access privileges, and removing user permissions to prevent unauthorized access.

Compliance and Enforcement: All members of the University community are responsible for adhering to this policy and actively participating in access control management activities.

Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of access control management practices.


This policy provides a framework for implementing CIS Control 6 within a university environment, focusing on access control management practices to safeguard University systems and data against unauthorized access and security breaches.

Please contact the Service Desk if you need further assistance.

Details

Article ID: 8943
Created: Tue 3/5/24 8:58 AM
Modified: Tue 3/19/24 6:47 PM
KCS Article Status: Validated
