Access Control Standard ULIT-SXXX

PURPOSE 

 The University of Louisiana at Lafayette ("University" or "UL-Lafayette") has a strong interest in the integrity, confidentiality, and availability of University information and systems. Access controls protect University information by only allowing authorized people to access systems. Following this standard minimizes risk to the University resulting from unauthorized use of resources. Access control at the University happens through procedures and standards that follow university policies. The University has a layered approach to securing information systems. Access controls cover many topics, including physical controls for IT devices and technical and other controls for the information on them. 

 Access controls for University information systems must balance making it difficult for unauthorized people to access our systems with making it easy for authorized people to use these systems. Procedures supporting this policy should consider both business and security needs for all methods of access to each program or system. This standard is complementary to other University Policies and IT Standards and does not supersede them.

 SCOPE 

 This standard applies to all members of the University of Louisiana at Lafayette main campus community, including staff, faculty, students, and approved external users, having authorized access to any University-owned computer system. People and units at the University responsible for managing IT systems or University data must follow this standard. 

 DEFINITIONS 

  1. Access: The ability and means to communicate with or otherwise use a system, including using system resources to handle information, gaining knowledge of information held by the system, and controlling parts of the system and its functions.

  2. Access Controls: Mechanisms that decide who may have an account on University Information Technology systems, what they may do with their account, and how they access those systems. Access controls are designed to protect both individual and University information.

  3. Authentication: Verifying the identity of a user, process, or device, often performed before allowing access to resources in an information system.

  4. Authorization: Access privileges given to a user, program, or process, or the act of granting those privileges. Privileges are no longer "authorized" when a user leaves a role if that role was the basis for their authorization (e.g., leaving a job or changing to a new one with different responsibilities).

  5. Mission Critical: A system so critical to the mission of a University business unit that any incident requires immediate response.

  6. Multi-User System: A server or other system that provides access or services to more than one user at the same time, or a system that multiple people rely upon to be reliably available for use.

  7. Privileged: System or Application Administrators and users with elevated data-access privileges (beyond access to their own data) are considered "privileged" users. User accounts with higher privileges than a standard user of an application or operating system or those with access to mission critical systems or information other than their own are considered "privileged" accounts. This includes administrators of servers or multi-user applications, privileged access to applications, or access with tools like "sudo". A user who can set privilege levels for other users is an administrator and therefore "privileged". NOTE: for purposes of this Standard, common use of "local-admin" privileges on individual devices by their assigned users is not "privileged".

  8. Role: A group attribute that ties membership to function. When someone assumes a role, they are given certain rights that belong to that role. When they leave the role, those rights are removed. The rights given match the functions needed to perform expected tasks.

  9. User: Anyone with access to University information technology systems or services.

  10. User Manager: Any University administrator, faculty member, or staff member who supervises people or who has University administrative responsibilities.

STANDARDS 

Access Rights Management

 Access to University information assets must be authorized and managed securely in compliance with appropriate industry practice and with applicable legal and regulatory requirements (e.g., Health Insurance Portability and Accountability Act, Family Educational Rights and Privacy Act, Open Records Act of Tennessee, Gramm Leach Bliley Act, and identity theft laws). University information assets include data, hardware, software technologies, and the infrastructure used to process, transmit, and store information.

Access Controls: 

  • IT Access controls must consider separation of duties, ensuring that important actions require more than one person to complete. Controls must protect data from mishandling and protect the system from unauthorized changes. 

  • Mission critical systems must always have correct security controls in place. 

  • Access controls should be stronger for higher tiers of data. The University Data Classification Policy provides more details and criteria regarding classification of data. 

  • Processes used to grant access must consider all ways access is granted, especially in distributed systems with many parts. 

  • Protection for information assets must be commensurate with the confidentiality of the information. 

  • Access control mechanisms may include user IDs, access control lists, constrained user interfaces, encryption, port protection devices, secure gateways/firewalls, and host-based authentication. 

  • Guest/unauthenticated access may be provisioned commensurate with usage and risk. 

  • Systems housing or using restricted information must be configured so that access to the restricted information is denied unless specific access is granted. 

Access Review: 

  • Documented processes for regularly reviewing access rights should be in place, occurring as often as appropriate. 

  • Reviews for Privileged user accounts must be documented and happen regularly, following strong procedures. The audit will consist of reviewing and validating that user access rights are still needed and are appropriate. 

Access Termination:  

  • Documented processes must ensure that access to systems is revoked when individuals are no longer allowed to use the system. 

  • When someone leaves the University for any reason, or changes job or other role, their access rights must change correctly. These changes may be made automatic. 

  • Access must be revoked immediately upon notification that access is no longer required or authorized. 

  • Access privileges of terminated or transferred users must be revoked or changed as soon as possible. In cases where an employee is not leaving on good terms, the user ID must be disabled simultaneously with departure. 

  • User IDs will be disabled after a period of inactivity that is determined appropriate by the current business process. Inactive accounts should be disabled after XXX days of inactivity. 

  • Temporary and emergency accounts should be disabled after 30 days. 

  • Promptly report any possible or actual unauthorized access to the IT Security Office. 

  • Recover or disable access control devices upon employee separation from the department or facility. If an individual is transferring to another department or location, the responsible controller must be notified so access can be changed as necessary. 

  • Verify annually, in consultation with the applicable Vice President, Dean, or Chair, that individuals with access control devices remain employed by the University and that their access privileges are current. Routinely verify that access privileges for contractors, guests, vendors, or volunteers are still justified for University purposes. If access is no longer warranted, recover the device(s) and deactivate the access. If the individual has separated from the University, within the week of separation, the supervisor or Chair should notify the applicable controllers to deactivate the access control device. 

Authorization:

  • Standards or Procedures must require formal and documented ways that access requests are approved. 

  • The approval process must consider "need to know" principles, classification of the information in the system, and contract or other legal requirements for access to the system and data. 

  • When granting user access, consider the whole range of data and functions they will have access to. 

  • Each user's access privileges shall be authorized on a need-to-know basis as dictated by the user's specific and authorized role. 

  • Authorized access will be based on the principle of least privilege, meaning only the minimum privileges required to fulfill the user's role will be permitted. 

  • Access privileges must be defined so as to maintain appropriate segregation of duties to reduce the risk of misuse of information assets. The person requesting a change in access should not be the person who plans and then implements the change. 

  • Any access that is granted to data must be authorized by the appropriate data custodian. 

  • Access privileges should be controlled based on identity (user ID), role or function, physical or logical locations, time of day/week/month, transaction-based access, and access modes such as read, write, execute, delete, create, and/or search. 

  • Privileged access (i.e., administrative accounts, root accounts) must be granted based strictly on role requirements. 

  • The person who manages access for a system needs to approve changes to that access, including adding or removing access methods. Every change needs a valid business justification. For example, access to an administrative system may require approval by a person's supervisor, an access request coordinator, and the Data Steward or another person with authority to grant access to the specific data. 

  • The unit that manages the technical aspects or the security of a system approves authorized accounts, including creating, removing, or changing authorized accounts, and granting or changing access to protected data and network resources. 

  • Allowing technical support staff to use administrative and system technical support accounts must be approved by (at a minimum) those who manage the system's technical aspects. 

  • Every system and service account must have a designated person responsible. If that person changes, a new person must be named. 

  • A person may not authorize their own access unless an exception applies. 

  • Account creation requests must specify access either explicitly or for a role that has been mapped to the required access. 

  • It is permissible to authorize access to non-privileged (regular) accounts by user role or group instead of by person. 

Emergency Access:

  • Each University business unit must have documented ways to provide needed emergency access to Mission Critical systems and applications. 

  • Emergency Access Control System Administrators, such as the Chief of Police, CIO, or Director of University Computing Support Services, serve as designated individuals with authority to make decisions that override the access system.

Remote Access 

  • All remote access to mission critical systems must require authentication and encryption. 

  • Remote Access methods must be based on required security controls for the type of system and data. 

  • When third-party systems use University Data, ensure they use equivalent, well-controlled ways to manage remote access safely. 

  • The University defines standards for connecting to the University's network from any host to minimize potential exposure from unauthorized use of resources, including loss of sensitive data or intellectual property, damage to public image, or damage to critical internal systems.

  • The University establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed. 

  • Remote access to the information system must be authorized prior to allowing such connections. 

  • The information system monitors and controls remote access methods. 

  • The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. 

  • The information system routes all remote accesses through the University's primary firewall managed by OIT. 

  • Users must protect information about remote access mechanisms from unauthorized use and disclosure. 

  • The University provides the capability to expeditiously disconnect or disable remote access to the information system following one hour of idle time. 

Physical Access 

  • Standards must address requirements for the physical security of University information systems. Custodians of those systems will follow those standards. 

  • Mission Critical systems must be protected physically. Access to areas in which they are stored must be controlled by the technical unit or individual responsible for the area. 

  • Only authorized people may be in secure areas and only when they have a business reason to be there. 

  • Mission critical servers and data locations need to be protected physically. They must be in access-controlled places following the University Comprehensive Information Security Program. 

  • Protect those systems from physical access by anyone who isn't authorized. 

  • Set up ways to regularly review the list of users with access to each secure area and remove access when their role or responsibilities change. 

  • Mobile devices and disposable media must use required security controls if they use Sensitive Information, meaning they need protection from being physically accessed by people who aren't allowed to get that information. 

Managing Access Rights 

If a system has University data and more than one person uses it, it must have a process for authorizing access. 

  • Having more than routine access is called "privileged access." Systems need to have a process for asking for privileged access. A person should only receive privileged access if they have a business or academic need for it. 

  • If a system is mission-critical, then access to that system must be revoked if a person:

    • Changes employment status,

    • Changes job function, or

    • No longer has responsibilities that require specialized access.

  • The device holder will bring the device to the authorized partition controller to assign access permission. The controller shall activate access permissions that have been authorized by the department(s) that manages the space, using the campus system software. The controller shall retain a record of the authorization. 

  • For every device issued, including keys, fobs, cards, etc., the controller shall notify the device holder of his/her responsibilities and shall retain records that document the device number, name of recipient, date of issue, access permissions given, date of return or loss, and any dates upon which access permissions were suspended or deactivated. 

  • Maintain an inventory of and store unassigned department access control devices in a secure location with restricted access. This primarily applies to keys, fobs, and contractor access devices. Document and retain records of the destruction of any defective devices. 

  • Departments should consult with Human Resources regarding an individual's employment status and/or to reissue new access control devices associated with the new work assignment. If an employee is on long-term leave, investigatory leave, or when absence from the campus is for an extended period of time, HR must notify the applicable department manager. 

  • Issuance and recovery of temporary access control devices shall be in accordance with this policy and procedure. Access control device expirations shall correspond to the University's needs for the individual's access privileges, as determined by the department issuing the access control device, but may not exceed 12 months without Administrator approval.

  • All individuals issued a University access control device are required to:

    • Secure and be responsible for the access control device issued to him/her. Access control devices shall be used ONLY by the individual to whom the access control device was assigned. Access control devices MAY NOT be loaned to others.

    • Return excess access control devices to the appropriate manager. Only one access control device per access control system will be assigned to each individual. Individuals who have been assigned more than one device per system may retain a second device if approved by their manager for their area and following execution of an agreement to pay the cost of replacement if the device is not returned prior to the end of employment, to be deducted from the user's final paycheck or other final payment from the University.

    • Return the access control device to their manager upon separation from the applicable department. Access control devices are considered University property and individuals may be held responsible for failure to return them at the end of employment.

    • Report the loss or theft of all access control devices to your manager AND the University Police Department within 24 hours of the discovery of the theft or loss. Individuals with access control devices enabled with other functions will also need to notify each service provider to deactivate the functions.

    • Do NOT prop doors open or leave them unsecured during hours when the facility is normally closed to the public. High risk & security doors should remain locked at all times.

  • Departments with restricted/high risk areas that require additional access controls, such as specialized labs, shall develop written procedures for controlling access to their restricted areas, in consultation with Campus Access Control System Administrators and other university officials as necessary. The procedures shall include:

    • Eligibility requirements for access

    • How to request access

    • Who has authority to approve access

    • Who issues the access control device

    • Who maintains and secures the access control records and unassigned devices

    • How access control devices will be recovered when required

    • Other considerations, as appropriate

Identification and Authentication 

The University requires each person to have a unique ID to authenticate with. Everyone who uses a system must follow the IT policies related to User IDs, especially the rules intended to keep IDs safe and used only by the people they are assigned to. People who handle this work must enforce those policy requirements by holding Users accountable if they do not follow the rules. 

  • The access control process must identify each user through a unique user identifier (user ID) account. 

  • User IDs are assigned by HR.

  • Users must provide their user ID at logon to a computer system, application, or network. 

  • Each user ID must be associated with an individual person who is responsible for its use. 

  • Authentication is the means of ensuring the validity of the user identification. 

  • All user access must be authenticated.  

  • The minimum means of authentication is a personal secret password that the user must provide with each system and/or application logon. 

  • All passwords used to access information assets must conform to certain requirements relating to password composition, length, expiration, and confidentiality. 

  • User interfaces into secure systems must be locked after a specified system/session idle time. 

  • Upon successful logon (access) to the system, the information system notifies the user of the date and time of the last logon (access). 

  • The information system prevents further access to the system by initiating a session lock after one hour of inactivity or upon receiving a request from a user, and retains the session lock until the user reestablishes access using established identification and authentication procedures. 

  • The information system automatically terminates a user session after one hour of inactivity. 

  • Users are required to log out when they no longer need the active session. 

  • Dynamic privilege management capabilities should be implemented when required. 

  • Privileged user accounts should be established and administered in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles. 

  • Privileged role assignments should be monitored, and access removed when no longer appropriate. 

  • Accounts and access should be created dynamically when appropriate. 

  • Accounts of users posing a significant risk should be disabled within one hour of discovery of the risk. 

Access Audit and Review 

Any units or persons responsible for access-controlled systems at the University must create, document, and follow processes to regularly audit system account access. People who manage access control for a system must review and approve all access modifications as well. 

  • Responsibilities include:  

  • Keep security records current so they accurately reflect each person's role and the access they need. 

  • Make sure to carefully follow procedures to handle employee suspensions, terminations, and transfers. 

  • Take steps to revoke access privileges when those changes happen. 

  • Revoke access when it is no longer needed or proper. 

  • Appropriate logging will be implemented commensurate with sensitivity/criticality of the data and resources. 

  • Logging of attempted access must include failed logons. 

  • Logs should be monitored and regularly reviewed to identify security breaches or unauthorized activity. 

  • Logs should be maintained for a specified period of time. 

  • Audit account creation, modification, enabling, disabling, and removal actions, and notify the system owner. 

Use Of External Information Systems 

The University establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: 

  • Access the information system from external information systems. 

  • Process, store, or transmit organization-controlled information using external information systems. 

  • The University verifies the implementation of required security controls on the external system as specified in the information security policy and security plan; or retains approved information system connection or processing agreements with the organizational entity hosting the external information system. 

  • The use of organization-controlled portable storage devices by authorized individuals on external information systems is controlled. 

  • The use of network accessible storage devices in external information systems is controlled. 

Data Mining Protection 

This control establishes the process of securing Analysis Services that occur at multiple levels. Each instance of Analysis Services and its data sources must be secure to make sure that only authorized users have read or read/write permissions to selected dimensions, mining models, and data sources, and to prevent unauthorized users from maliciously compromising sensitive business information. The University employs data mining prevention and detection techniques to adequately detect and protect against data mining. 

Roles and Responsibilities Regarding Enforcement 

Each University department/unit is responsible for implementing, reviewing, and monitoring internal policies, practices, etc. to assure compliance with this standard. 

The Office of the Chief Information Officer is responsible for enforcing this standard. 

Non-Compliance and Exceptions 

Non-compliance with these standards may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation. 

Contractors, vendors, and others who do not adhere to this standard may face termination of their business relationships with the University.  

Exceptions to this standard may be submitted in writing to the UL Lafayette IT Security Officer, who will assess the risk and make a recommendation to the UL Lafayette Chief Information Officer. Written approval must be obtained from UL IT prior to utilizing any exceptions. Exceptions must be reviewed for reauthorization on no less than an annual basis.

Applicable UL Lafayette IT Policies: 

Comprehensive Information Security Program: UL Lafayette Comprehensive Information Security Program

Related UL Lafayette IT Policies and/or Standards: Account Standards ULIT-S001

Contact Information

RESPONSIBLE OFFICE: Information Technology 

APPROVAL AUTHORITY: Gene Fields, Chief Information Officer  

STANDARDS MANAGER:  

CONTACT:  

EFFECTIVE DATE:  

NEXT SCHEDULED REVIEW:  

REVISION HISTORY

28 May 2025 Matthew E Delcambre (Initial Draft Submitted)