Account Access Change Control Policy
Version 1.2
For Students, Faculty, Staff, Guests, Alumni
Purpose
The purpose of this policy is to define the circumstances in which IT Resources account access modifications must occur.
Scope
This IT security policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- Authorized parties may deem it necessary to modify an individual’s account access due to a qualifying event. Qualifying events include, but are not limited to:
- Change in role/position within the University department
- Transfer to another University department
- Retirement
- Non-working Leave of Absence (LOA)
- Employee’s job duties no longer require access to certain services or environments.
- The managing supervisor (or higher) is responsible for notifying Human Resources and the IT Service Desk to alter account access to pertinent systems should an entity’s job responsibilities change.
Definitions
IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Related Policies and Procedures
- Authorized Access to Electronic Information Policy
- Authorized Access to Electronic Information Procedure
- Change Control Policy
- Emergency Access via Privileged Access Management Policy
- Non-Persistent Administrative Access Guidelines
- Provisioning and Deprovisioning Policy
Implementation Information
Review Frequency | Triennial |
---|---|
Responsible Person | Senior Director of IT Security and Assurance |
Approved By | CISO |
Approval Date | March 1, 2017 |
Revision History
Version | Date | Description |
---|---|---|
1.0 | 07/28/2016 | Initial policy |
1.0.1 | 03/01/2017 | Grammatical changes only. No change to policy. |
1.0.2 | 5/22/2018 | Updated scope, disclaimer, definitions |
1.0.3 | 05/22/2019 | Updated related policies |
1.0.4 | 03/12/2020 | Updated related policies and changed the name of the policy for clarity |
06/22/2021 | Reviewed with no changes | |
1.1 | 09/08/2023 | Updated scope and policy disclaimer |
1.2 | 07/08/2024 | Updated purpose and policy statement |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.