Access control policy

Updated on 1 May 2020

Outlines the University’s approach to access control of its computing facilities

Purpose

This policy outlines the University’s approach to access control of its computing facilities. It provides the guiding principles and responsibilities to ensure the University’s access control objectives are met.

Scope

This policy is applicable across the University and applies to:

  • all individuals who have access to University information and technologies
  • all facilities, technologies and services that are used to process University information
  • all information processed, accessed, manipulated or stored, in any format, by the University pursuant to its operational activities
  • internal and external processes used to process University information
  • external parties that provide information processing services to the University
  • access to ‘private’ and ‘confidential’ data/information.

There are no restrictions on access to ‘public’ information.

The policy will be communicated to users and relevant external parties.

Objectives

The University’s objectives for this policy are to:

  • safeguard the University’s information from security threats that could have an adverse effect on its operations or reputation
  • fulfil the University’s duty of care toward the information with which it has been entrusted
  • protect the confidentiality, integrity, availability and value of information through the optimal use of controls

Policy

The University will provide all employees, students, and contracted third parties with on-site access to the information they need to carry out their responsibilities in an effective and efficient manner.

Access rights and privileges

  • Access rights will be accorded following the principles of least privilege and need-to-know.
  • Generic or group IDs will not normally be permitted as means of access to University data but may be granted under exceptional circumstances if sufficient other controls on access are in place and the control is auditable.
  • Under all circumstances, users of accounts must be identifiable.
  • Generic identities will never be used to access confidential data or personally identifiable data.
  • The allocation of privilege rights (for example, local administrator, domain administrator, super-user, root access) will be restricted, controlled, and not provided by default.
  • Authorisation for the use of such accounts will only be provided explicitly, upon written request from a Director or Dean of School or head of school, and will be documented by the system owner.
  • Staff user accounts can only be requested in writing, and by using the appropriate forms, by departmental managers.
  • No access to any staff IT resources and services will be provided without prior authentication and authorisation of a user’s account.
  • Multi-factor authentication (MFA) will be required for all privileged access where it can be practically implemented.
  • Access to IT resources and services will be given through the provision of a unique user account and complex password.
  • Passwords used to access University information systems are a critical part of the University’s identity management and must not be shared.
  • IT Services staff will never ask you to reveal your password by email, in person, or on the phone.
  • Do not use your University account password(s) for any other services you use (for example, Facebook, Twitter). This minimises the impact if your passwords to other services are discovered.
  • Passwords used to access University information systems must comply with the University’s password standard.
  • Usernames and passwords are for individual use only, and must not normally be disclosed to third parties, whether within or outside the University.
  • Any user knowing or believing that they have disclosed their account details, or who knows or suspects that their email account has been compromised, must contact the University’s Service Desk immediately to outline the situation.

Access control

  • Access to confidential, restricted and internal information will be limited to authorised persons whose job or study responsibilities require it, as determined by law, contractual agreement, and applicable University policies and regulations. The responsibility to implement access restrictions lies with the data and systems owners.
  • Role-based access control (RBAC) will be used as the method to secure access to all resources.
  • Access for remote users will be subject to authorisation and be provided in accordance with the Remote Access Policy and the Information Security Policy. No uncontrolled external access will be permitted to any network device or networked system.
  • The use of cloud-based systems must meet the access control provisions laid out in this policy.
  • Evaluation of access controls implemented in any cloud system is performed during the vendor assessment and implementation stages of any project, via UoD IT’s cybersecurity assessment processes.
  • Access rights will be reviewed annually.

Third party access

  • Third parties are provided with accounts that solely provide access to the systems and/or data they are contracted to handle, in accordance with least privilege and need-to-know principles. The accounts will be removed at the end of the contract or when no longer required.
  • Unless operationally necessary (and explicitly recorded in the system documentation as such) third party accounts will be disabled when not in use.
  • Third party access must be set with a defined expiry date provided at the time of the original request and any extension of this must be supported by a new request.

Authentication credentials

  • Password issuing, strength requirements, changing and control will be managed through formal processes and standards.
  • Password length, complexity, and expiration times will be controlled through Windows Active Directory Group Policy Objects.

Legal and regulatory obligations

The University of Dundee has a responsibility to abide by and adhere to all current UK and EU legislation as well as a variety of regulatory and contractual requirements.

A non-exhaustive summary of the legislation and regulatory obligations that contribute to the form and content of this policy is provided in IT policies - relevant legislation.

Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation summarised below.

Responsibilities

The following bodies and individuals have specific information security responsibilities:

  • The University’s information technology department, UoD IT, is accountable for the effective implementation of this policy, and supporting information security rules and standards, within the University.
  • The Data, Records and Information Committee (DRIC) has executive responsibility for information security within the University. DRIC has responsibility for overseeing the management of the information security risks to the University's staff and students, its infrastructure and its information.
  • The Assistant Director, UoD IT (Infrastructure, Security and Research Computing) is responsible for establishing and maintaining the University’s cyber security management framework to ensure the availability, integrity and confidentiality of the University’s information. The Assistant Director will lead on the definition and implementation of the University’s cyber security arrangements and make judgement calls when situations arise that are not covered by the current cyber security management framework.
  • Users are responsible for making informed decisions to protect the information that they process. Users will familiarise themselves with the relevant policies governing the information and systems they access.

Supporting policies, codes of practice, procedures, and guidelines

Supporting policies have been developed to strengthen and reinforce this policy statement. These, along with associated codes of practice, procedures and guidelines are published together and are available for viewing on the University of Dundee website.

All staff, users, and any third parties authorised to access the University’s network or computing facilities are required to familiarise themselves with these supporting documents and to adhere to them in the working environment.

Compliance and breach of policy

The University will conduct cyber security compliance and assurance activities, facilitated by the University’s cyber security staff to ensure cyber security objectives and the requirements of the policy are met. Wilful failure to comply with the policy will be treated extremely seriously by the University and may result in enforcement action on a group and/or an individual. If you have any questions or concerns about this policy please discuss them with your line manager.

Review and development

This policy, and supporting documentation, will be reviewed and updated annually or more frequently when best practice or the legislative/regulatory environment changes to ensure that they:

  • remain operationally fit for purpose
  • reflect changes in technologies
  • are aligned to industry best practice
  • support continued regulatory, contractual and legal compliance

Changes to this policy will be presented to DRIC for review prior to publication.

Further information

Definitions

University
The University of Dundee is a Scottish Registered Charity, No. SC01509 with its registered office at Tower Building, Nethergate, Dundee DD1 4HN.
Staff
Staff are salaried members of the University or contracted individually by the University to provide a service.
Student
A person pursuing any course of study in the University.
Visitors
A visitor is anyone, not a member of staff or student, requiring access to University premises or services.
Information
The result of processing, manipulating, or organising data. Examples include, but are not limited to, text, images, sounds, codes, computer programs, software and databases.
Data
Information in raw form.
Confidentiality
Property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Integrity
Property of accuracy and completeness.
Availability
Property of being accessible and usable upon demand by an authorized entity.

If you have any questions regarding this policy please contact the University’s Help4U service

From UoDIT