In this article
System access control guidelines
The University's systems store, transmit, and process large amounts of data daily. Based on the requirements specified in the UMD Data Classification Standards, all UMD data should be classified as Low, Moderate, High, or Restricted. Restricting access to university data to only individuals with a business need for this access will minimize the likelihood of unauthorized access to, and modification of, the data. This is key to maintaining the confidentiality, integrity, and availability of the data and the systems that the data reside on.
Application, database, and server owners, as well as other individuals responsible for protecting university data, can utilize the information in this document to develop access control processes and procedures for granting, reviewing, and managing system access. The information in this document is based on requirements documented in the USM IT Security Standards.
Guidelines for requesting system access
In order to ensure that you are granting system access in a secure manner, the following steps should be taken:
- A formal process should be developed and utilized requiring the user's supervisor or manager to request system access on behalf of the user. For example, a request form could be developed and used or requests could be sent via e-mail from the manager/supervisor to the IT personnel responsible for establishing user accounts.
- The supervisor or manager should include in the request whether the access level should be read, modify, delete, or full access as well as what resources the user needs access to (details must be specific).
- The request for access should be sent to the IT personnel in your department responsible for establishing system accounts.
- The request for access should be documented and retained.
Guidelines for granting system access
The following guidelines direct how to properly grant users system access:
- An access control standard for all departmental system resources should be developed and documented detailing the appropriate access rights for each user type, how access is requested, and how access is approved as well as the staff members and corresponding roles and responsibilities involved in the process.
- Only IT personnel responsible for establishing user accounts should be able to grant system access.
- Access rights should reflect employee status, job classification, or function and be granted based on the minimum access needed to perform their job duties (least privilege strategy).
- Proper authorizations should exist and be documented for each user granted access to each of the department's resources. This information should be retained along with the access request.
- Departmental systems should have an automated function that prevents users from accessing system resources that they are not authorized to access.
Guidelines for reviewing and managing system access
Below are guidelines that should be followed for performing reviews of user access:
- Departments should establish a methodology for reviewing the access rights granted to all system users with the ability to read, modify, and delete data classified as Moderate, High or Restricted. In addition, a methodology of review should be created for users that have access to modify or delete data categorized as Low.
- Reviews of system accounts should be performed, at a minimum, on a quarterly basis for user accounts with privileged/administrator access as well as for accounts with access to data classified as Moderate, High or Restricted. Regular user accounts and accounts with access to modify or delete public information should be reviewed at least annually.
- User access should be reviewed by department managers or system owners who are familiar with system users' job duties and the access required to perform those job duties.
- Users that no longer require their assigned access rights should be identified and have those access rights disabled or deactivated.
- Disable or delete any accounts that are inactive or assigned to individuals that are no longer working for the department. For critical systems, employees' access rights will be modified, as appropriate, by the close of business on the same day.
- Verify that privileges are assigned to individuals based on job classification and function, also known as role-based access control (RBAC).
Guidelines for auditing user activities
Auditing of user activities should be performed regularly to ensure that users are utilizing their access appropriately and that undesired activities are not occurring. Some guidelines that can be utilized to develop your department's auditing processes and procedures include:
- Ensure that your department's systems have auditing capabilities enabled. At a minimum, the following critical actions should be logged:
- Additions and changes to critical applications or systems
- Actions performed by administrative level accounts
- Additions and changes to users' access control profiles
- Direct modifications to critical data outside the applications or systems
- Auditing of user activities should be performed regularly based on a timeframe convenient for your department. If it is not feasible to review all user activities, a regular review should be performed for users with administrative access; users with read, modify, and delete access to data classified as Moderate, High or Restricted; and users with modify and delete access to data classified as Low.
- Any suspicious activity discovered during the review of the user transactions should be investigated immediately and reported to the Security Operations Center at x64225 or firstname.lastname@example.org.
For more information about establishing, reviewing, and managing users' system access, contact the Division of Information Technology Compliance Team at email@example.com.