Office of Information Technology

Data Protection – Authorization Controls Standard

Introduction

Purpose

The purpose of the Authorization Controls Standard is to provide guidance to those who are responsible for granting access to West Virginia University (WVU) technology resources and data. The technology resources and data referred to in this standard include those owned by or entrusted to the University for the purpose of supporting academic, administrative, research or service-related activities.

In addition to fulfilling the responsibility of effectively protecting data belonging to the University, as well as its customers and partners, the University must implement appropriate controls to help ensure compliance with external regulations, including but not limited to:

Definitions

Definitions of regulations and technology terms are presented in the Information Security Glossary. The first occurrence of each glossary term in this document is identified by and presented with an underscore.

Scope

This Standard applies to students, faculty members, officers and employees of West Virginia University and the WVU Research Corporation, as well as contractors, consultants, vendors and all others granted use of or access to WVU data and technology resources.


Standard

Standard Statement

University entities with ownership and custodial responsibilities for operating and maintaining University applications/systems and data must implement formal procedures for granting, tracking and revoking access to data. With respect to technology resources, this authorization is typically implemented through the assignment of an electronic account, access card or other authentication mechanism. Authorization must be based on the least-privilege and need-to-know principles according to an individual’s job responsibilities. The authorization controls must include methods to collect and maintain the following records:

  • Purpose for access to the resource or data
  • Dates of authorization (initial and subsequent changes)
  • Effective dates or duration of authorization
  • Record of individual(s) authorizing the access
  • Record of the individual(s) receiving the access privileges
  • Type and scope of access privileges
  • Procedures for tracking accounts and privileges based on responsibilities and employment status, including position changes or separation from the University


Violations

Responsibility

As described in the Information Security Program Charter, all members of the WVU community are responsible for information security. Accordingly, all members are charged with providing full support to maintain this standard. It is the responsibility of the Dean or Director to implement measures to achieve and maintain these standards within their college, department or unit.


Exceptions

Exceptions to IT Standards will be considered using the IT Standard Exception Procedure.

Contacts

Questions or Problems

Questions, concerns or requests for additional information about this or any OIT policy should be directed to the CIO office at OIT_Admin@mail.wvu.edu.


Related Information


Revision History

Policy Last Updated: November 13, 2007

 
 