UMB User Access Control Policy
X-99.20(A) | Information Technology | Approved September 11, 2017 | Last Reviewed April 30, 2024
Responsible VP/AVP: Peter J. Murray, PhD, CAS, MS
Revision History
Reviewed/Updated July 7, 2020
Policy Statement
University information systems and data are important assets of the University of Maryland, Baltimore (UMB) and must be protected from the loss of integrity, confidentiality and availability.
Procedures must be in place to protect UMB digital assets and they must be in compliance with University policy and guidelines, Board of Regents policy, and state and federal laws and regulations.
Purpose
The purpose of this document is to provide guidance in complying with the latest version of the USM IT Security Standards. These standards state that USM institutions are required to have authentication and authorization processes that uniquely identify users and appropriately control access to systems.
Policy
Access to University systems and data will be granted to users based on their need for information and for performing their job responsibilities. The Access Control Schema below will be used to define users, controls, and access to systems and data. Additional security measures may be implemented and required, depending on the type of access needed for users to perform their job responsibilities,
Definitions
Sensitive Data: are data that if compromised, with respect to confidentiality, integrity, and/or availability, could adversely affect UMB interests, the conduct of UMB programs, and/or the privacy to which individuals are entitled. USM has defined confidential data to include:
Under State Government Article, §10-1301 (SB 676 - 2012), personal information is defined as:
An individual’s first name or first initial and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:
- a social security number;
- a driver’s license number, state identification card number, or other individual identification number issued by a unit;
- a passport number or other identification number issued by the united states government;
- an individual taxpayer identification number; or
- a financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual’s account.
Educational Records, as defined and when protected by 20 U.S.C. § 1232g; 34 CFR Part 99 (FERPA), in the authoritative system of record for student grades
In addition, any Protected Health Information (PHI), as the term is defined in 45 Code of Federal Regulations 160.103 (HIPAA)
Administrative Rights: allows users complete and unrestricted access to a University computer.
VPN (Virtual Private Network): a VPN provides a secure communication channel over the internet, requires authentication to set up the channel, and encrypts all traffic flowing through the channel.
Critical Systems: the Student Information Management System (SIMS), Human Resource Management System (HRMS), and the Financials System (FN).
Key Business Transaction: transactions that involve areas such as procurement, fixed assets/inventory, accounts payable/disbursements, payroll/human resources, billing and collections, financial reporting, financial aid and student records.
Data Owners: are persons in leadership positions in offices which own the data in a particular system. For instance, the Human Resource Services Office would be the data owner for the Human Capital Management System. They authorize access control privileges for users of the system. Data owners are required to change their passwords every 90 days and have Functional user privileges and responsibilities.
Access Control Schema
Three levels of access control will be used to classify users of University systems and data based on their required need for information and for performing their job responsibilities.
Highly Privileged Users
Highly privileged users are users who have been granted direct network access to subnets that house applications and/or database servers of critical applications and/or users who have access to core networking equipment. These users are required to use a virtual private network (VPN) as well as multi-factor authentication when accessing these critical systems or a static IP address controlled by firewall ACL restrictions for access to core networking equipment. They are also required to change their password, which is used to access these critical systems, every 90 days. These users will be allowed to have administrative rights to their University computer, with a documented deviation on file for audit review.
Privileged Users
Privileged users have access to sensitive data and/or key business transactions in a critical system(s), and/or administrative access to servers connected to the UMB network in order to perform their job responsibilities. Users in this category can belong to one of three defined subcategories of privileged users with corresponding security controls.
Functional users have elevated access within a critical application (anything beyond self-service capabilities). These users have a 90 day password aging requirement. Administrative rights to University computer are not granted to these users. Functional users are only granted access to sensitive data and/or the ability to perform key business transactions upon completion of a user access agreement form which has been signed by an authorized approver.
IT/System Administrators have access to servers (web/application/database) that are not in subnets that house application and/or database servers of critical applications. They are required to change their password every 90 days. They are allowed administrative rights to their University computer with a documented deviation on file for audit review.
Network access to specific ports to a specific server in a secure subnet. These users are required to have a static IP address for their University computer. They are required to change their password every 90 days. Administrative rights to their University computer are not granted to these users.
General Users
Users in this category do not have: direct network access to subnets that house application or database servers of critical applications; access to core networking equipment; elevated access to critical applications (anything beyond self-service); or administrative access to critical or non-critical web, application or database servers. General users have a one-year password aging requirement. They do not have administrative rights to their University computer.
Access Control Review
A formal process shall be conducted annually by system owners to review users’ access rights. This review shall be documented and retained by system owners for audit verification purposes.