Accessing University Data: System Access Control Guidelines

In this article

System access control guidelines

The University's systems store, transmit, and process large amounts of data daily. Based on the requirements specified in the UMD Data Classification Standards, all UMD data should be classified as Low, Moderate, High, or Restricted. Restricting access to university data to only individuals with a business need for this access will minimize the likelihood of unauthorized access to, and modification of, the data. This is key to maintaining the confidentiality, integrity, and availability of the data and the systems that the data reside on.

Application, database, and server owners, as well as other individuals responsible for protecting university data, can utilize the information in this document to develop access control processes and procedures for granting, reviewing, and managing system access. The information in this document is based on requirements documented in the USM IT Security Standards.


Guidelines for requesting system access

In order to ensure that you are granting system access in a secure manner, the following steps should be taken:


Guidelines for granting system access

The following guidelines direct how to properly grant users system access:


Guidelines for reviewing and managing system access

Below are guidelines that should be followed for performing reviews of user access:


Guidelines for auditing user activities

Auditing of user activities should be performed regularly to ensure that users are utilizing their access appropriately and that undesired activities are not occurring. Some guidelines that can be utilized to develop your department's auditing processes and procedures include:

For more information about establishing, reviewing, and managing users' system access, contact the Division of Information Technology Compliance Team at