The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

1. Purpose

   The purpose of this standard is to establish the guidelines on the issuance of access to authorized users and to define the requirements necessary to restrict access to IT systems.

2. Definitions

   Access Control Policy - outlines the controls to a computer system and software in order to limit access to computer networks and data. It provides details including but not limited to, access control standards, user access, network access controls, operating system software controls, passwords, and higher-risk system access, giving access to files and documents and controlling remote user access.

   Data Compliance Owners - University managers (typically at the level of Unit Leader) who oversee data management functions related to the capture, maintenance, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of university data under their purview.

   Information Technology Resources are defined as computers, telecommunication equipment, networks, automated data processing, databases, the Internet, printing, management information systems, and related information, equipment, goods, and services.

   IT Facilities - a static, mobile or portable facility (or facilities) or a location that contains Old Dominion University information technology equipment, systems, services, and personnel.

   Sensitive System is a term given to any IT system in which the classification is confidential or higher according to ITS Standard 2.3.0 Data Administration and Classification.

3. Standards Statement

   An access control policy will be established, documented, and reviewed and implemented based on business and information security requirements.

   User Access Control

   Access to data will be controlled through a formal management process. User access provisioning process will be implemented to assign or revoke access rights for all user types to all systems and services.

   Access to sensitive IT systems and data and the facilities that house them based on the principle of least privilege. Users will only be provided with access to the network and networks services that they have been specifically authorized to use.

   The allocation and use of privileged access rights will be restricted and controlled.

   Data Owners will review users' access rights at regular intervals.

   The Department of Human Resources will conduct a background check for fulltime staff employees at the initial recruitment.

   Physical and logical access rights will be removed upon personnel transfer or termination, or when requirements for access no longer exist.

   Non-disclosure and security agreements for access to IT systems and data will be required, based on sensitivity and risk.

   Separation of duties will be established to protect sensitive IT systems and data, or compensating controls will be used when constraints or limitations of ODU prohibit a complete separation of duties.

   System and Application Access Control

   Access to information and application system functions will be restricted in line with the access control policy.

   Where required, access to systems and applications will be controlled by a secure log-on procedure.

   Based on the defined IT role, users, managers, officers, and owners are responsible for ensuring that access control standards are followed for their respective IT resource.

   Password management systems will be interactive and will ensure quality passwords.

   The use of utility programs that might be capable of overriding system and application controls will be restricted and tightly controlled.

   Access to program source code will be restricted.

   Visitor access to IT facilities that house sensitive systems or data will be controlled.

   User Responsibilities

   Users will be made accountable for following the University's practices in safeguarding their authentication information.

4. Procedures, Guidelines & Other Related Information

   Federal and State Law

   University Policy 3505 - Information Technology Security Policy

   IT Standard 01.2.0 IT Roles and Responsibilities Standard

   IT Standard 02.3.0 Data Administration and Classification Standard

   IT Standard 02.6.0 Remote Access and Virtual Private Network Standard

   IT Standard 02.11.0 Password Management Standard

   IT Standard 04.1.0 MIDAS Management Standard

   IT Standard 04.2.0 Account Management Standard

   IT Standard 09.1.0 Acceptable Use Standard

   Security Awareness Training

5. History

   Date	Responsible Party	Action
   October 2008	ITAC/CIO	Created
   October 2009	ITAC/CIO	Reaffirmed
   October 2010	ITAC/CIO	Reaffirmed
   October 2011	ITAC/CIO	Reaffirmed
   October 2012	ITAC/CIO	Reaffirmed
   August 2015	IT Policy Office/ISO	Three year review. Aligned content with ISO Standards. Updated titles, links, and definitions.
   December 2018	IT Policy Office	Definitions and links checked and revised.
   January 2022	IT Policy Office	Definitions and links checked.