Skip to main content

University Policy 95

Data Network Security and Access Control

Initially Approved:  August 25, 2006
Revised and approved:  August 10, 2015
Revised and approved: April 10, 2017
Revised and approved: January 28, 2019
Technical Changes: June 20, 2019

Policy Topic: Information Technology
Administering Office: Office of the CIO

I. POLICY STATEMENT

Information technology resources are provided to support the University's mission. To ensure that these shared and finite resources are used effectively to further the University's mission, the integrity of the resources must be protected and access to the resources must be properly controlled.

II. SCOPE AND APPLICATION OF THE POLICY

This policy applies to all individuals assigned a non-student University account who access the University's information technology resources, whether the resources are located on or off-campus and whether University-owned or contracted for use by the University.

III. DEFINITIONS

SHRA” means subject to the Human Resources Act (formerly SPA).
EHRA” means Exempt from the Human Resources Act (formerly EPA).
Information Technology Resource” means any system, media or software used to transmit, store or process information or data.
User” means any individual assigned a non-student University account to utilize a University information technology resource as defined above.
Separation” means the employee left employment with the University and is no longer affiliated with an employment agreement.

IV. DATA NETWORK SECURITY POLICY

The Information Technology (IT) Division’s Networking & Communications (Networking & Communications) Services has the responsibility for the design, maintenance, and security of the university’s data network. To ensure the integrity of the network:      

  1. No individual or office may connect a device to the campus data network that provides unauthorized users access to the network or provides unauthorized IP addresses for users.
  2. Networking & Communications has the right to limit network capacity, or disable, network connections that are adversely impacting availability of information technology resources.
  3. Access to networking equipment in wiring closets, etc. is limited to the Networking & Communications staff or their designees.
  4. No consideration of changing the architecture of any part of the data network may be undertaken without the early and regular involvement of Networking & Communication.

V. ACCESS CONTROL POLICY

A. General Principles for User Access

Access to university information technology resources may only be granted to users who have completed and submitted all requisite compliance documents as defined by the IT Division.  For initial access and termination of access, the guidelines detailed below control access based upon the user’s employment or appointment status.

In most cases access to information technology resources will terminate on a user’s last work/contract date. In some cases, access will terminate on an user’s last pay date. In cases where separations are deemed involuntary, Human Resources (HR) will immediately terminate access.

Hiring officials may not enter into employment contracts that commit the university outside the scope of this policy.

B. Compliance Documents Needed for Access

All users obtaining non-student accounts are required to read and accept a Confidentiality and FERPA agreement when electronically claiming their account.  Other compliance documents differ by user type and are outlined below in sections C and D.

C. Employee User Types

Employee user accounts will be created upon receipt of 1) a fully executed employment contract or a letter offer of employment that has been accepted in writing by the employee; and 2) all compliance documents required by HR.  Access to the account will be granted as follows:

  1. Non-Faculty Employees (includes all SHRA and EHRA non-faculty): Will be granted access on the first day of their employment provided that complete and accurate employment compliance documents have been received by HR. Access will be terminated on the last work date. HR may grant early access exceptions up to 90 days in advance for eligible SHRA exempt and EHRA employees upon request of the hiring supervisor and receipt of complete and accurate employment compliance documents.
  2. Faculty Employees (includes tenured-track and fixed term appointment faculty): will be granted access on the first day of contract provided that complete and accurate employment compliance documents have been received by HR, or up to 90 days early upon processing by HR of complete and accurate employment compliance documents. Access will be terminated on the last day of the month of the last pay date.
  3. Temporary Faculty Employees (includes adjunct faculty, teaching and lab graduate assistants): will be granted access on the first day of contract provided that complete and accurate employment compliance documents have been received by HR, or up to 90 days early upon processing by HR of complete and accurate employment compliance documents. Access will be terminated on the last day of the month of the last pay date.
  4. Temporary/Hourly Non-Faculty Employees: will be granted access on their first day of employment provided that all employment compliance documents have been received by HR. Access will be terminated on the last work date.  Early access cannot be granted.  The supervisor is responsible for notifying HR if early termination is necessary. Access is covered by appointment dates and monitored by HR.
  5. Administrative Student Workers (students who need access to administrative systems, including graduate research assistants): will be granted access provided that the supervisor has approved the account request and their HR job record is complete. Access will be terminated on the last work date or access will be terminated on the last day of the month of the last pay date depending on the type of contract. Access must be re-requested and reauthorized at the beginning of a new contract period. Early access cannot be granted. The supervisor is responsible for notifying IT to terminate access early if necessary.

D. Non-Paid User Types

Non-Paid user accounts will be created upon receipt of 1) a fully executed contract or other engagement document; and 2) a completed IT Guest/Consultant access request form or an approved equivalent electronic request.  Access to the accounts will be granted as follows:

  1. Affiliate Non-Faculty (includes guests, volunteers and interns): May be granted access during their engagement dates in accordance with the start and end dates of their engagement document, provided that complete and accurate compliance documents have been submitted to the CIO with the access request. After the access request has been approved by the CIO, the documents will be forwarded to HR and IT for processing. Access will be set to expire in accordance with the approved dates. The requesting department will also be responsible for notifying HR to terminate access prior to the expiration of the engagement letter if warranted. Access is valid for a maximum of 1 year and must be renewed if necessary.
  2. Affiliate Faculty (a third-party providing instructional services to an academic unit and not paid by the University): May be granted access during their engagement dates in accordance with the start and end dates of their engagement document provided that the requesting department submits complete and accurate compliance documents to the Dean and CIO for approval and these have been processed by HR and IT. Access will be set to expire in accordance with these dates. The requesting department will also be responsible for notifying HR to terminate access prior to the expiration of the engagement if warranted. Access is valid for a maximum of 1 year and must be renewed if necessary.
  3. Affiliate Former Faculty (includes Emeritus in Waiting and former adjunct faculty between contracts which are within a year of last contract):
  • For departments expecting to re-hire former adjunct faculty, that do not already have Emeritus status, within a year, the Dean or department head must request the account remain active as an Affiliate Former Faculty. HR will process the request and verify a change of status. The term for this status is no more than one year. Users will automatically be moved from this user type to a faculty type by a change in status performed by HR.
  • For individuals that are Emeritus in Waiting, HR will update their status and their account will automatically be changed to Affiliate Former Faculty for up to one year while they await the decision on Emeritus status.
  1. Supplier (a vendor that provides software or IT services through a contract or other agreement. IT Services include the support or implementation of university technology infrastructure or operations): Access is requested by a sponsoring individual and requires approval by a supervisor and the CIO. Access will be set to expire in accordance with the approved dates. The requesting department will also be responsible for notifying IT to terminate access prior to the expiration of the engagement letter if warranted. Access is valid for a maximum of 1 year and must be renewed if necessary.
  2. Consultant (a third-party providing non-IT and non-instructional consulting services to business offices or functional users): May be granted access in accordance with the start and end dates of their engagement provided that complete and accurate compliance documents have been submitted to the CIO with the access request. After the access request has been approved by the CIO, the documents will be forwarded to HR for processing. Access will be set to expire in accordance with the approved dates. The requesting department will also be responsible for notifying HR to terminate access prior to the expiration of the engagement if warranted. Access is valid for a maximum of 1 year and must be renewed if necessary.
  3. Emeritus Status (retired professors or chancellor who have emeritus approval): For Professors, access will be granted upon approval by the Provost for conferment of Emeritus status. For Chancellors, access will be granted upon approval by the Board of Trustees for conferment of Emeritus status. Access may be continued as an Affiliate Former Faculty for up to a year while waiting on Emeritus status
  4. Trustee/Board Member: Will be granted access upon his or her election or appointment and receipt by HR of complete and accurate guest user compliance documents. Access will be granted for the term of service.

E. User Account De-Provisioning

When user access is terminated per this policy the account will be placed in a disabled status for one year. During that time the last supervisor may request that the Email content or personal network storage content from the user be delivered to them. A year after the account has been disabled it will be deleted, which will also delete the user’s Email content and personal network storage folders.

Employees returning to the University after separation generally will not retain previous content or system access permissions (i.e. the account will be re-provisioned). However, adjunct faculty and other time-limited positions that work on a recurring basis may retain access to previous content and systems if they return within twelve (12) months.

VI. RESPONSIBILITIES

It is the responsibility of each department to provide timely notification of all changes related to employment and termination to HR to comply with the timeframes set forth in this policy.  Departmental notifications and personnel processing actions are subject to audit by the University’s Internal Auditor and by external auditors.  As such, the timeframes for compliance rest at the departmental level.

VII. POLICY REVIEW

This policy shall be reviewed and revised as necessary every 2 years.

VIII. REFERENCES

International Standards Organization (ISO/IEC 27002, 7.1 HR security prior to employment, 7.3 Termination and change of employment, 9.1 Business requirements of access control, and 13.1 Network security management)

Office of Web Services