Data Network Security and Access Control
Initially Approved: August 25, 2006
Revised and approved: August 10, 2015
Revised and approved: April 10, 2017
Revised and approved: January 28, 2019
Technical Changes: June 20, 2019
Revised and approved: June 30, 2020
Revised and approved: June 10, 2025
Policy Topic: Information Technology
Administering Office: Office of the CIO
I. POLICY STATEMENT
Information technology resources are provided to support the University's mission.
To ensure that these shared and finite resources are used effectively to further the
University's mission, the integrity of the resources must be protected and access
to the resources must be properly controlled.
II. SCOPE AND APPLICATION OF THE POLICY
This policy applies to all individuals assigned a non-student University account who
access the University's information technology resources, whether the resources are
located on or off-campus, and whether University-owned or contracted for use by the
University.
III. DEFINITIONS
“SHRA” means subject to the Human Resources Act (formerly SPA)
“EHRA” means Exempt from the Human Resources Act (formerly EPA)
“Non-Faculty Employees” includes all SHRA and EHRA non-faculty
“Faculty Employees” includes tenured-track and fixed-term appointment faculty
“Temporary Faculty Employees” includes adjunct faculty, teaching and lab graduate assistants
“Administrative Student Workers” students who need access to administrative systems, including graduate research assistants
“Affiliate Non-Faculty” includes guests, volunteers and interns
“Affiliate Faculty” includes third-party individuals providing instructional services to an academic unit
and not paid by the University
“Affiliate Former Faculty” includes Emeritus in Waiting and former adjunct faculty between contracts which are
within a year of last contract
“Supplier” a vendor that provides software or IT services through a contract or other agreement.
IT Services include the support or implementation of university technology infrastructure
or operations
“Consultant” a third-party providing non-IT and non-instructional consulting services to business
offices or functional users
“Emeritus Status” retired professors or chancellors who have emeritus approval
“Information Technology Resource” means any system, media or software used to transmit, store or process information
or data
“User” means any individual assigned a non-student University account to utilize a University
information technology resource as defined above
“Separation” means the employee left employment with the University and is no longer affiliated
with an employment agreement
IV. DATA NETWORK SECURITY POLICY
The Information Technology (IT) Division’s Networking & Communications (Networking
& Communications) Services has the responsibility for the design, maintenance, and
security of the university’s data network. To ensure the integrity of the network:
- No individual or office may connect a device to the campus data network that bypasses
any part of the network authentication and authorization process; or provide unauthorized
users access to the network; or provide unauthorized IP addresses for users.
- Networking & Communications has the right to limit network capacity or disable network
connections that are adversely impacting availability of information technology resources.
- Access to networking equipment in wiring closets, etc., is limited to the Networking
& Communications staff or their designees.
- Changing the architecture of any part of the data network is not permitted without
the prior approval of Networking & Communications.
V. ACCESS CONTROL POLICY
A. General Principles for User Access
Access to university information technology resources may only be granted to users
who have completed and submitted all requisite compliance documents as defined by
the IT Division. For initial access and termination of access, the guidelines detailed
below control access based upon the user’s employment or appointment status.
In most cases, access to information technology resources will terminate on a user’s
last work/contract date. In some cases, access will terminate on a user’s last pay
date. In cases where separations are deemed involuntary, the Division of Human Resources
and Payroll (HR) will immediately terminate access.
Hiring officials may not enter into employment contracts that commit the university
outside the scope of this policy.
B. Compliance Documents Needed for Access
All users obtaining non-student accounts are required to read and accept a Confidentiality
and FERPA agreement when electronically claiming their account. Other compliance documents
differ by user type and are outlined below in sections C and D.
C. Employee User Types
Employee user accounts will be created upon receipt of 1) a fully executed employment
contract or a letter offer of employment that has been accepted in writing by the
employee, and 2) all compliance documents required by HR. Access to the account will
be granted as follows:
- Non-Faculty Employees: will be granted access on the first day of their employment provided that complete
and accurate employment compliance documents have been received by HR. Access will
be terminated on the last work date. HR may grant early access exceptions up to ninety
(90) days in advance for eligible SHRA exempt and EHRA employees upon request of the
hiring supervisor and receipt of complete and accurate employment compliance documents.
- Faculty Employees: will be granted access on the first day of contract provided that complete and accurate
employment compliance documents have been received by HR, or up to ninety (90) days
early upon processing by HR of complete and accurate employment compliance documents.
Access will be terminated on the last day of the month of the last pay date.
- Temporary Faculty Employees: will be granted access on the first day of contract provided that complete and accurate
employment compliance documents have been received by HR, or up to ninety (90) days
early upon processing by HR of complete and accurate employment compliance documents.
Access will be terminated on the last day of the month of the last pay date.
- Temporary/Hourly Non-Faculty Employees: will be granted access on their first day of employment provided that all employment
compliance documents have been received by HR. Access will be terminated on the last
work date. Early access cannot be granted. The supervisor is responsible for notifying
HR if early termination is necessary. Access is covered by appointment dates and monitored
by HR.
- Administrative Student Workers: will be granted access provided that the supervisor has approved the account request,
and their HR job record is complete. Access will be terminated on the last work date
or on the last day of the month of the last pay date, depending on the type of contract.
Access must be re-requested and reauthorized at the beginning of a new contract period.
Early access cannot be granted. Continuing access may be granted for graduate research
assistants if a contract is in place for a future term. The supervisor is responsible
for notifying IT to terminate access early if necessary.
D. Non-Paid User Types
Non-Paid user accounts will be created upon receipt of 1) a fully executed contract
or other engagement document; and 2) a completed IT Guest/Consultant access request
form or an approved equivalent electronic request. Access to the accounts will be
granted as follows:
- Affiliate Non-Faculty: May be granted access during their engagement dates in accordance with the start
and end dates of their engagement document, provided that complete and accurate compliance
documents have been submitted to the Chief Information Officer (CIO) with the access
request. After the access request has been approved by the CIO, the documents will
be forwarded to HR and IT for processing. Access will be set to expire in accordance
with the approved dates. If warranted, the sponsoring department is responsible for
notifying HR to terminate access prior to the expiration of the engagement letter.
Access is valid for a maximum of one (1) year and may be renewed when necessary.
- Affiliate Faculty: May be granted access during their engagement dates in accordance with the start
and end dates of their engagement document provided that the requesting department
submits complete and accurate compliance documents to the Academic Dean and CIO for
approval, and these documents have been processed by HR and IT. Access will be set
to expire in accordance with these dates. If warranted, the requesting department
will also be responsible for notifying HR to terminate access prior to the expiration
of the engagement. Access is valid for a maximum of one (1) year and may be renewed
when necessary.
- Affiliate Former Faculty:
  - For departments expecting to re-hire former adjunct faculty that do not already have
Emeritus status within a year, the Academic Dean or department head must request the
account remain active as an Affiliate Former Faculty. HR will process the request
and verify a change of status. The term for this status is no more than one year.
Users will automatically be moved from this user type to a faculty type by a change
in status performed by HR.
  - For individuals that are Emeritus in Waiting, HR will update their status, and their
account will automatically be changed to Affiliate Former Faculty for up to one year
while they await the decision on Emeritus status.
- Supplier: Access is requested by a sponsoring individual and requires approval by a supervisor
and the CIO. Access will be set to expire in accordance with the approved dates. If
warranted, the requesting department will also be responsible for notifying IT to
terminate access prior to the expiration of the engagement. Access is valid for a
maximum of one (1) year and may be renewed when necessary.
- Consultant: May be granted access in accordance with the start and end dates of their engagement
provided that complete and accurate compliance documents have been submitted to the
CIO with the access request. After the access request has been approved by the CIO,
the documents will be forwarded to HR for processing. Access will be set to expire
in accordance with the approved dates. If warranted, the requesting department will
also be responsible for notifying HR to terminate access prior to the expiration of
the engagement. Access is valid for a maximum of one (1) year and may be renewed when
necessary.
- Emeritus Status: For professors, access will be granted upon approval by the Provost for conferment
of Emeritus status. For chancellors, access will be granted upon approval by the Board
of Trustees for conferment of Emeritus status. Access may be continued as an Affiliate
Former Faculty for up to a year while waiting on Emeritus status.
- Trustee/Board Member: Will be granted access upon his or her election or appointment and receipt by HR
of complete and accurate guest user compliance documents. Access will be granted for
the term of service.
E. User Account De-Provisioning
When user access is terminated per this policy, the account will be placed in a disabled
status for one (1) year. During that time, the last supervisor may request that the
email content or personal network storage content from the user be delivered to them.
One (1) year after the account has been disabled, it will be deleted, which will also
delete the user’s email content and personal network storage folders unless additional
time is permitted by the CIO.
Employees returning to the University after separation generally will not retain previous
content or system access permissions (i.e. the account will be re-provisioned). However,
adjunct faculty and other time-limited positions that work on a recurring basis may
retain access to previous content and systems if they return within twelve (12) months.
VI. RESPONSIBILITIES
It is the responsibility of each department to provide timely notification of all
changes related to employment and termination to HR to comply with the timeframes
set forth in this policy. Departmental notifications and personnel processing actions
are subject to audit by the University’s Internal Auditor and by external auditors.
As such, the timeframes for compliance rest at the departmental level.
VII. POLICY REVIEW
This policy shall be reviewed and revised as necessary every two (2) years.
VIII. REFERENCES
International Standards Organization (ISO/IEC 27002:2022, Clause 5 Organizational
Controls, Clause 6 People Controls and Clause 8 Technological Controls)