This document provides guidelines for responsible management of the access to information resources and data that support the primary administrative and academic functions of the University. The Information Technology Systems Division and the Departments of Application Services and Computing Services are responsible for managing access to ensure the integrity and confidentiality of these resources and data. This is not a comprehensive document covering all aspects of access management. This policy provides guidelines necessary to facilitate the processes that ensure integrity and confidentiality of the data and information resources.
Vice Chancellor Information Technology Systems
Updated February 15, 2010; Reformatted June 6, 2005; supersedes policy ITS 2.00; effective September 11, 2002
Consolidated University of North Carolina Netstudy – Security Subcommittee Baseline Recommendations (Feb. 16, 2003); International Standard ISO17799
Information Technology Systems Division
Purpose
This document provides guidelines for responsible management of the access to information resources and data that support the primary administrative and academic functions of the university. The Information Technology Systems Division is responsible for managing access to ensure the integrity and confidentiality of these resources and data. This is not a comprehensive document covering all aspects of access management.
Policy
General Statement
Information resources and data that support the primary administrative and academic functions of the university are accessed through broad impact systems and software, and/or data sets stored and maintained on university servers. The management of broad impact systems and software for the university is the responsibility of the Information Technology Systems Division (see Management of Broad Impact Systems and Software). Management of the central campus computer systems is the responsibility of the Department of Operations and Systems Administration. ITSD is responsible for ensuring the integrity and confidentiality of university information resources and data residing on broad impact systems and software on university servers.
Information Resources and Data
For the purpose of this document, information resources and data refer to those resources and data that support the administrative and academic functions for the university and provide services to the campus community. They include databases, datasets, and files that contain information and data that are accessed through university broad impact systems and other software. This information is used by academic and administrative offices for official reporting, record keeping, and performing the daily business of the university community.
Principles and Guidelines
Broad Impact Software Security and Integrity
IT Security, in coordination with the appropriate data custodian, is responsible for ensuring data integrity and confidentiality such that access to the data is limited to the minimum required relative to the job responsibilities of each individual or the individual’s right to know. ITSD and the departments with specific data responsibilities for systems/applications and/or components of individual systems have instituted policies and procedures that address security and access controls, ensuring the confidentiality and integrity of information resources and data. These policies and procedures follow industry standard guidelines for information systems security and integrity, including COBIT standards. They address different levels of access and security as follows:
The IT Security Office Systems Liaison for Security Administration is responsible for administering security for the SunGard Banner suite of administrative systems. This position performs periodic reviews and audits to ensure that the access granted to each individual continues to be limited to the minimum access required relative to job responsibilities of each individual or the individual’s right to know.
UNCW Division Heads are responsible for verifying annually, in accordance with provisions set forth in NC State Auditor requirements, that the permissions granted to their subordinates are appropriate for the roles they are assigned in order to perform the functions associated with their position. This is a control measure necessary to support UNCW Policy 01.230.
User accounts are controlled by the following guidelines:
Users are required to adhere to the UNCW 07.100 Responsible Use of Electronic Resources policy.
Users’ password information is for their exclusive use. Sharing password information will result in revocation of access privileges.
User access is limited to only those networked computer resources and privileges directly required to perform assigned duties, at the discretion of the appropriate Vice Chancellor, director or unit manager.
Accounts are generally limited to faculty (including adjunct and part time), staff and students of the University of North Carolina Wilmington. Accounts for contractors or time limited employees may be granted based on need established by the appropriate Vice Chancellor, director or unit manager.
Time limited user accounts will have an expiration date.
Service accounts may be allowed if they meet the following criteria:
  Requested by department head or unit manager.
  Serve a demonstrated need not achievable by other means.
  A responsible person within the department or operating group is designated.
  Highly restricted, with access to intradepartmental information only.
  No need exists to track any transactions the account may generate.
All user accounts are subject to password aging.
Blank passwords are not allowed.
User accounts are locked out after five invalid login attempts.
Passwords are reset by computer operations staff.
Groups will be formed of users with a need for common resource access. Members of these groups will be added or removed at the request of the appropriate Vice Chancellor, director, unit manager or authorized designee.
Notice of Termination of employment received from Human Resources for faculty and staff will result in the user account being removed.
Student accounts will be removed when the student is no longer considered a student of the university.