    Policies and Procedures

    Information Technology Policies


    UMB User Access Control Policy

    X-99.20(A)  |  Information Technology  |  Approved September 11, 2017  |  Last Reviewed April 30, 2024

    Responsible VP/AVP: Peter J. Murray, PhD, CAS, MS

    Revision History

    Reviewed/Updated July 7, 2020

    Policy Statement

    University information systems and data are important assets of the University of Maryland, Baltimore (UMB) and must be protected from the loss of integrity, confidentiality and availability.

    Procedures must be in place to protect UMB digital assets and they must be in compliance with University policy and guidelines, Board of Regents policy, and state and federal laws and regulations. 

    Purpose

    The purpose of this document is to provide guidance in complying with the latest version of the USM IT Security Standards.  These standards state that USM institutions are required to have authentication and authorization processes that uniquely identify users and appropriately control access to systems. 

    Policy

    Access to University systems and data will be granted to users based on their need for information and for performing their job responsibilities.  The Access Control Schema below will be used to define users, controls, and access to systems and data.  Additional security measures may be implemented and required, depending on the type of access needed for users to perform their job responsibilities.

    Definitions

    Sensitive Data:  data that, if compromised with respect to confidentiality, integrity, and/or availability, could adversely affect UMB interests, the conduct of UMB programs, and/or the privacy to which individuals are entitled.  USM has defined confidential data to include:

    Under State Government Article, §10-1301 (SB 676 - 2012), personal information is defined as:
    An individual’s first name or first initial and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements: 

    • a social security number; 
    • a driver’s license number, state identification card number, or other individual identification number issued by a unit; 
    • a passport number or other identification number issued by the United States government; 
    • an individual taxpayer identification number; or 
    • a financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual’s account.

    Educational Records, as defined and when protected by 20 U.S.C. § 1232g; 34 CFR Part 99 (FERPA), in the authoritative system of record for student grades

    In addition, any Protected Health Information (PHI), as the term is defined in 45 Code of Federal Regulations 160.103 (HIPAA)

    Administrative Rights:  allow users complete and unrestricted access to a University computer.

    VPN (Virtual Private Network):  a VPN provides a secure communication channel over the internet, requires authentication to set up the channel, and encrypts all traffic flowing through the channel.

    Critical Systems: the Student Information Management System (SIMS), Human Resource Management System (HRMS), and the Financials System (FN).

    Key Business Transaction:  transactions that involve areas such as procurement, fixed assets/inventory, accounts payable/disbursements, payroll/human resources, billing and collections, financial reporting, financial aid and student records.  

    Data Owners:  persons in leadership positions in offices that own the data in a particular system.  For instance, the Human Resource Services Office would be the data owner for the Human Capital Management System. They authorize access control privileges for users of the system.  Data owners are required to change their passwords every 90 days and have Functional user privileges and responsibilities.  

    Access Control Schema

    Three levels of access control will be used to classify users of University systems and data based on their required need for information and for performing their job responsibilities.

    Highly Privileged Users

    Highly privileged users are users who have been granted direct network access to subnets that house applications and/or database servers of critical applications and/or users who have access to core networking equipment.  These users are required to use a virtual private network (VPN) as well as multi-factor authentication when accessing these critical systems, or a static IP address controlled by firewall ACL restrictions for access to core networking equipment.  They are also required to change the password used to access these critical systems every 90 days.  These users will be allowed to have administrative rights to their University computer, with a documented deviation on file for audit review.

    Privileged Users

    Privileged users have access to sensitive data and/or key business transactions in a critical system(s), and/or administrative access to servers connected to the UMB network in order to perform their job responsibilities.  Users in this category can belong to one of three defined subcategories of privileged users with corresponding security controls.  

    Functional users have elevated access within a critical application (anything beyond self-service capabilities).  These users have a 90-day password aging requirement. Administrative rights to their University computer are not granted to these users.  Functional users are only granted access to sensitive data and/or the ability to perform key business transactions upon completion of a user access agreement form which has been signed by an authorized approver.

    IT/System Administrators have access to servers (web/application/database) that are not in subnets that house application and/or database servers of critical applications.  They are required to change their password every 90 days.  They are allowed administrative rights to their University computer with a documented deviation on file for audit review.

    The third subcategory is users who have network access to specific ports to a specific server in a secure subnet.  These users are required to have a static IP address for their University computer.  They are required to change their password every 90 days.  Administrative rights to their University computer are not granted to these users.

    General Users

    Users in this category do not have: direct network access to subnets that house application or database servers of critical applications; access to core networking equipment; elevated access to critical applications (anything beyond self-service); or administrative access to critical or non-critical web, application or database servers.  General users have a one-year password aging requirement.  They do not have administrative rights to their University computer.

    Access Control Review

    A formal process shall be conducted annually by system owners to review users’ access rights.  This review shall be documented and retained by system owners for audit verification purposes. 

     

