|University of Arkansas at Little Rock|
|Policy Name: IT System Security and Access Policy|
|Policy Number: 208.5|
|Effective Date: October 23, 2020|
|Revised Dates: September 17, 2020|
|Most Recent Review Date: September 17, 2020|
The purpose of IT is to further the research, education, and administrative functions of UA Little Rock in a secure, safe, controlled, auditable, and monitored fashion. To achieve this purpose, this policy complies with federal and state laws and regulations, related standards, and security frameworks. This policy complies partially or fully with PCI, ISO-27001, HIPAA, Arkansas Freedom of Information Act, FERPA, and NIST Cyber Security Framework.
This policy applies to University-owned IT Systems and to University-contracted systems and services, as well as privately-owned or publicly-provided devices using the University’s networks and resources to protect the confidentiality, integrity, and availability of information.
Privately-owned computer systems or mobile devices, or those owned by University organizations or by collaborative research projects, when attached to, or connected via, the campus data network and/or other campus resources or University-contracted services, are subject to the same responsibilities and regulations as pertain to University-owned devices and systems.
Definition of Terms
Sensitive Data: Sensitive data is a blanket term used to designate classes of data with a high level of security that the University is legally or contractually required to protect. Sensitive data refers to any element of data that is uniquely or in aggregate protected by federal regulations (e.g., HIPAA, FERPA), categorized as PII or PHI, or any other data that has been identified as business-critical or business-sensitive data, such as financial records or intellectual property of UALR.
UA Little Rock is committed to safeguarding the confidentiality, integrity, and availability of all physical and electronic information assets of the University to ensure that regulatory, operational, and contractual requirements are fulfilled. The overall goals for information security at UA Little Rock are as follows:
- Ensure compliance with current laws, regulations, and guidelines.
- Comply with requirements for confidentiality, integrity, and availability for students, faculty and staff, and other users.
- Establish controls for protecting the University’s information and information systems against theft, abuse, and other forms of harm and loss.
- Motivate administrators and employees to maintain the responsibility for, ownership of, and knowledge about information security, in order to minimize the risk of security incidents.
- Ensure that UA Little Rock is capable of continuing its services even if major security incidents occur.
- Ensure the protection of personal data (privacy).
- Ensure the availability and reliability of the network infrastructure and the services supplied and operated by UA Little Rock.
- Comply with federal and state laws and with local and international regulations, including but not limited to HIPAA, FERPA, and PCI, and with international standards and frameworks such as ISO-27001:2013, NIST 800-53, and the NIST Cyber Security Framework.
- Ensure that external service providers comply with the University’s information security needs and requirements.
- Ensure flexibility and an acceptable level of security for accessing information systems from off-campus.
User Accounts
- The access provisioning procedure for requesting access to UA Little Rock IT Systems must be followed. Exceptions must be approved by the University Chief Information Officer (CIO).
- Each account that is provisioned must have a defined process to de-provision the account and remove the UA Little Rock IT System privileges associated with the account.
- All privileged accounts must be defined in Active Directory. Exceptions must be approved by the University CIO.
- Accounts should be audited annually and inactive accounts reviewed for possible removal.
- Privileged access rights should be assigned to a user ID different from those used for regular business activities. Regular business activities must not be performed from a privileged ID, and privileged activities must not be performed with regular user IDs.
- All privileged account activity must be logged. Log files must be held for three months.
- All activity resulting from accounts with access to modify or view sensitive data must be logged. Log files must be held for three months.
- Privileged accounts must be reviewed every six months by the CIO and Chief Information Security Officer (CISO).
Account Provision / De-provision
- Standard access rights will be removed immediately after departure from UA Little Rock.
- Elevated access rights will be removed immediately upon notification of departure.
- Removal of access rights may be requested of persons within a division by the Dean, AVC, or VC of the division in which the person is primarily employed or by whom the person is sponsored.
- Student Accounts may be revoked in cases involving:
  - Departure from UA Little Rock
  - Notice from the Provost or AVP of Student Affairs
- Each system or functional module within a system must define an owner.
- Identified and documented owners are responsible for access requests to all of their systems and associated data whether these systems and data are managed by IT Services, distributed IT, or cloud providers.
- Access to data should include procedures outlined by data classification definitions.
- Permissions granted to applications or data must be Role-Based.
- Roles used to grant access must be documented and approved by IT Services.
- Access to systems based on the role must be defined based on “need to know” and “least privilege” principles.
Elevated Workstation Permissions
- Granting elevated permissions to UA Little Rock IT Systems may be required in particular circumstances, but should remain an exception to “need to know” and “least privilege” principles.
- All requests for elevated permissions should be made through the UA Little Rock Assistance Center (501-91603011 – firstname.lastname@example.org). All requests must be approved by the appropriate Vice Chancellor (or Provost) and the CIO or CISO.
- Appropriate measures must be taken by users when using UA Little Rock IT Systems with elevated permissions to ensure the confidentiality and integrity of sensitive information and to minimize the possibility of unauthorized access or malicious compromise.
- Users with elevated permissions must:
  - Comply with password and acceptable use policies
  - Restrict physical access to the UA Little Rock IT Systems to which they have been granted elevated permissions
  - Secure the UA Little Rock IT System (screen lock or log-out) prior to leaving the area
  - Never install unfamiliar or suspicious software on a UA Little Rock IT System
  - Ensure that regular updates and security bulletins are installed
  - Ensure that UA Little Rock IT Systems remain capable of receiving UA Little Rock-provided updates, upgrades, and other IT Services support
- Users found in violation may have elevated permissions revoked.
- Applications Requiring Administrative Rights: In some circumstances, it may not be possible to make an application run properly with standard user permissions. If the application is used by an individual and the application is unable to run successfully without elevated permissions, an exception should be noted and the workstation administrative rights exception request should be submitted for approval.
- Frequent Software Installation/Maintenance: Users who have a frequent need to install software on their workstation may be granted administrative permissions for their workstation. Users in this situation should submit a workstation administrative rights exception request.
- Extended Travel: Users traveling overseas or who will be away from campus for an extended period (typically over 90 days), may be granted elevated permissions. Users in this situation should submit a workstation administrative rights exception request.
- Elevated privileges and administrative access rights can be requested by calling the IT Services Assistance Center (501-910 3011) and completing a workstation rights exception request; all requests must be approved by the appropriate department head and the campus CISO.
- Instructors who use technology labs for teaching may be granted Administrative Rights, to enable them to manage their use of applications on the workstations, troubleshoot software problems, and install software where necessary. Users in this situation should submit a “Lab/Classroom Administrative Rights Exception Request” document.
- To help ensure the protection of University information resources and data by implementing the application of group security policies and configuration management, all information resources should be managed at an enterprise level utilizing Microsoft Active Directory.
- All University-owned or operated Workstations that are compatible with Microsoft Active Directory (AD) and connected to the University network must be a member of the University’s enterprise domain.
- As a member of the University’s AD, all Workstations must be configured as follows:
  - The workstation must be named according to the appropriate naming scheme to aid in identification
  - The workstation must be placed in the appropriate Organizational Unit (OU) within the domain
  - The “Managed by” field of the computer’s properties in AD must be populated with appropriate contact information
  - The workstation must have the appropriate “Domain Admins” group as a member of the local “Administrators” group
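As an added example (not part of the policy or of IT Services' own tooling), the following PowerShell script audits the four workstation requirements listed above on the machine it runs on. The naming-scheme regex, the expected OU path and the NetBIOS domain name are placeholders to be replaced with the University's actual values; it assumes the ActiveDirectory module is available.

```powershell
#Requires -Modules ActiveDirectory
# Added audit script: reports which of the four AD workstation requirements
# the local machine fails. Placeholder values are marked and must be replaced.
$NamingPattern    = '^UALR-[A-Z]{2,4}-[A-Z0-9]{3,8}$'      # placeholder naming scheme
$ExpectedOuSuffix = 'OU=Workstations,DC=example,DC=org'    # placeholder OU path
$DomainAdminsName = 'EXAMPLE\Domain Admins'                # placeholder NetBIOS domain

$findings = @()
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Requirement 0: the workstation must be joined to the enterprise domain at all.
if (-not $cs.PartOfDomain) {
    $findings += 'Workstation is not domain-joined'
} else {
    # Requirement 1: name follows the naming scheme.
    if ($cs.Name -notmatch $NamingPattern) {
        $findings += "Name '$($cs.Name)' does not match the naming scheme"
    }

    # Requirements 2 and 3 are read from the computer object in AD.
    $adComputer = Get-ADComputer -Identity $cs.Name -Properties ManagedBy

    # Requirement 2: computer object sits under the expected OU.
    if ($adComputer.DistinguishedName -notlike "*,$ExpectedOuSuffix") {
        $findings += "Object is at '$($adComputer.DistinguishedName)', not under $ExpectedOuSuffix"
    }

    # Requirement 3: 'Managed by' carries contact information.
    if ([string]::IsNullOrWhiteSpace($adComputer.ManagedBy)) {
        $findings += 'ManagedBy attribute is empty'
    }

    # Requirement 4: Domain Admins is a member of the local Administrators group.
    # Get-LocalGroupMember reports domain principals as 'NETBIOSDOMAIN\Name'.
    $localAdmins = Get-LocalGroupMember -Group 'Administrators'
    if (-not ($localAdmins.Name -contains $DomainAdminsName)) {
        $findings += "Local Administrators does not contain $DomainAdminsName"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'COMPLIANT: workstation meets all AD membership requirements'
} else {
    $findings | ForEach-Object { Write-Output "NONCOMPLIANT: $_" }
}
```

Run it in an elevated session so that Get-LocalGroupMember can enumerate the Administrators group; the per-item findings map one-to-one onto the policy bullets above.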
API/Source Code
- Access to system APIs or other means of viewing transactional data, making modifications to program logic, or other enhancements to centrally managed applications is strictly limited to authorized personnel within IT Services. Requests for access may be made to the CIO or designee. Request for access does not imply approval. Appeals on denials may go to the VC Finance and Administration.
- Since application source code provides details and insights about application security, data processing, and application behavior, source code must also be protected, and access to the source code must be limited to authorized developers and/or users.
- Access to enterprise application source code, modifications, or data interface source code should be restricted to members of IT Services.
- Source code version management solutions must be in place for code which modifies or interfaces to any system accessing or performing transactions on data which is stored or presented in:
  - University Website or Intranet (Portal) environments
  - University Enterprise Resource Planning and related modules
  - University CRM or similar applications used to manage interactions with others
  - University Learning Management System
  - University-defined data warehouse
  - University Document Management and Imaging system
  - University email and calendar applications
  - Other systems which access data that is protected and/or regulated by HIPAA, FERPA, and/or PCI compliance standards
- Source code developed by UA Little Rock IT Services or within UA Little Rock departments to improve or enhance a process, store or manipulate data, or programmatically control a service may be shared with other non-profit organizations with the approval of the CIO.
- Development systems, servers, and services must be isolated from other services, servers, and systems, specifically from production environments. Production services, servers, systems, and applications cannot store, host, or run source code or source code development systems. Exceptions may be made for instruction and learning in the use of development servers. Requests should be submitted to the UA Little Rock CISO.
- The security level for services, systems, infrastructure components, data, and applications that contain business-critical, sensitive, or secret information must be set to the highest level.
- Systems with the highest level of security must be isolated from other services, systems, infrastructure, data, and applications which have lower-level security.
- A protection system including but not limited to firewalls, infrastructure segmentation, active protection, and intrusion prevention systems must be implemented to protect the confidentiality, integrity, and availability of systems storing or performing operations on sensitive data.
Authentication and Sessions Information
- In order to prevent brute force attacks, the number of unsuccessful access requests must be limited to at most 5.
- All successful and unsuccessful access attempts must be logged, and the records should be kept for at least three months.
- Where possible, details of any unsuccessful log-on attempts since the last successful log-on should be displayed upon successful log-on.
- Where possible, inactive sessions within sensitive systems should be terminated after 30 minutes of inactivity.
Incidents that violate this policy may or may not require an immediate response. Those that pose an immediate danger to persons, systems, or property will be addressed by the appropriate university agencies. Whether or not an incident requires an immediate response, violations of this policy may result in revocation of access, suspension of accounts, disciplinary action, or prosecution. Evidence of illegal activity will be turned over to the appropriate authorities.
Any violations of this policy should be reported by e-mail to the UA Little Rock Security Incident Response Team (UA Little Rock-SIRT) at email@example.com or by phone to the Chief Information Officer (CIO) in the office of Information Technology Services (ITS) at 501.916.5025.
In general, UA Little Rock does not typically impose penalties for misconduct off-campus beyond the local vicinity. However, electronic misconduct directed by a member of the UA Little Rock community against another member or members of the UA Little Rock community may be actionable regardless of the location from which the misconduct originated or the network or devices used.
This policy should be reviewed at least once a year or when required by legal and/or regulatory changes.
Additional Documents and Policies
The following documents, policies, and procedures support this policy:
- Lab/Classroom Administrative Rights Exception Request
- UA Little Rock Acceptable Use Policy
- UA Little Rock E-Mail and Communication Policy
- UA Little Rock Password Management Policy
- UA Little Rock Network and Access Management Policy
- UA Little Rock Password Management Guidelines
- UA Little Rock E-Mail Communication Guidelines
- ISO 27001:2013
- NIST 800-53A
- NIST Cyber Security Framework
Source: Board of Trustees Policy 285.1
Approved By: Christina Drale, Chancellor, 10/21/2020
Originator: Vice Chancellor for Finance and Administration
Custodian: Information Technology Services