 |
Longwood University |
Policy 6105
ACCESS TO INFORMATION
TECHNOLOGY
RESOURCES AND SYSTEMS
I. PURPOSE
Longwood is
responsible for assuring the confidentiality, integrity and availability of its
information technology resources and systems. While it is the responsibility of
the data owners to determine and implement appropriate security controls,
ultimately the integrity of shared information technology resources and systems
depends on responsible behavior on the part of the users of information
technology resources and systems within Longwood. The purpose of this policy is to
ensure that all users are aware of the procedures utilized to grant and revoke
their access privileges.
II. POLICY
In general, access to and
use of Longwood-owned information technology (IT) resources and systems will be
limited to persons directly affiliated with Longwood. Exceptions to this
limitation are permitted under certain conditions subsequently described.
A. Longwood Affiliated: Direct affiliation in this context means faculty, staff and students of Longwood University. Faculty includes persons holding either permanent or temporary appointments as well as adjunct faculty, instructors, retired faculty and visiting faculty. Faculty also includes those persons with faculty status such as research associates, research scientists and academic and service professionals. Staff includes all those non-faculty persons employed directly by Longwood or the Longwood University Foundation, either part-time or full-time, as well as retired staff. Students include any persons enrolled or who have signified their intent to enroll (by paying an admissions deposit) in the established academic programs of Longwood, including full or part-time students and degree or non-degree seeking students.
B. Not Longwood Affiliated:
1. Nature of the Work: Access to and use of IT resources and systems by persons not directly affiliated with Longwood must involve work to be performed which satisfies at least one (1) of the following conditions:
a. the work relates directly to or is in support of Longwood sponsored activities.
b. the work involves use of IT resources and systems available only from Longwood and can be accommodated without disruption to established Longwood workloads.
2. Approval for Access: Requests for access by persons not directly affiliated with Longwood must be sponsored by a Longwood employee who agrees to assume responsibility for use and adherence to the Acceptable Use of Information Technology Resources and Systems Policy. Requests must be submitted by the sponsor in writing to the Chief Information Officer for approval.
Requests must identify the person(s) needing access, describe the access needed, indicate the duration of the access (not to exceed 1 year), and provide names, addresses and phone numbers for technical contact individuals.
C. Granting Privileges: Access to Longwood IT resources and systems is granted only for the resources and systems that are necessary for an individual to perform his or her duties, is explicitly granted by the owner or designee to an individual and is assigned via a unique access account/ID. Authentication is required at the time of access through the use of a password, ID card, etc. (see Authentication Policy).
D. Accountability: The owner of an access account/ID is accountable for its use. It is the ID owner's responsibility to protect the integrity of accessible systems and preserve the confidentiality of accessible information as appropriate. Beyond the account/ID creation process any subsequent access to any discrete resources and/or data must be authorized by the appropriate data owner as outlined in the Ownership of Data Policy. Under no circumstances can the data owner, the data owner's authorized alternate or any other individual authorize access for him or herself.
E. Terminating Access: In general, access will be promptly terminated when the need for that access no longer exists. The Information Security Officer or his or her designee reserves the right to suspend and/or terminate any access privileges he or she determines to be a potential threat to the confidentiality, integrity or availability of any sensitive IT resources and systems. Access granted for students as part of their employment by the University will expire no later that the end of each academic year. Access for adjunct faculty will remain through a period of no more than 12 months of inactivity as an instructor at Longwood.
F. Access Reviews: At a minimum, all access to sensitive data, as defined by the Business Impact Analysis/Risk Assessment Policy, will be reviewed for accuracy by the data owner(s) on an annual basis. A review will be conducted every six (6) months for inactivity and will result in subsequent removal of e-mail and portal access for retirees and Academic Unix server access for students.
G. Exceptions and Exemptions: Exceptions to or exemptions from any provision of this policy must be approved in writing by the Chief Information Officer, or his/her designee, for Longwood University.
Approved by the Board of Visitors, September 7, 2002.
Revised March 20, 2004.
Revised April 1, 2005.
Revised and approved by the Board of Visitors, September 15, 2006.
Revised and approved by the Board of Visitors, December 7, 2007.