3.8.5 Access Control Policy
The integrity, confidentiality and availability of the University’s information resources will be protected by logical and physical access control mechanisms commensurate with the value, sensitivity, risk of loss or compromise and ease of recovery of these resources.
Information Administrators are responsible for determining who should have access to protected information resources within their jurisdiction, and what type of access privileges will be granted. These access privileges should be granted in accordance with the User’s role or assigned responsibilities. Information Administrators must direct their Security Administrator(s) to grant the appropriate access privileges. Likewise, it is incumbent upon the User’s manager and/or the Information Administrator to direct the Security Administrator to remove access to information resources when a User's need no longer exists or their privilege ends. Access privileges generally involve the ability to view data, create new data, change existing data, delete data and/or run programs against data.
Physical access to data centers, wiring closets, and servers containing Restricted Access or Confidential Information must be physically secured from unauthorized access. Servers containing Public Information should be appropriately secured.
Access control is the primary means by which security objectives of the University are achieved. Access control mechanisms are designed and implemented to reduce unauthorized access to acceptable risk levels. The compromise of any sensitive information resource has the potential to impede the University's ability to competently and efficiently achieve its mission.