Guideline for User Access Management

I. Purpose

The purpose of this document is to provide guidance in meeting the university’s obligation to ensure that user access to systems and services is based upon authorization and that unauthorized access is prevented.

II. Scope

It is the responsibility of all system owners to determine appropriate controls, rules, access rights and restrictions for their information or information systems. They must assure that access is provided only to authorized users and that unauthorized access is prevented. Furthermore, it is important for all UNC Charlotte staff, faculty, students, associates, affiliates, contractors, volunteers or visitors using UNC Charlotte facilities, services or IT systems to understand the need to ensure appropriate authorization to any system or service provided by the university.

III. Contacts

Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@uncc.edu.

IV. Guidelines

Information systems are required to use the university’s centrally managed authentication service which utilizes NinerNET accounts and standard password management protocols. A NinerNET account is automatically assigned to each authorized user at UNC Charlotte; however, having a NinerNET account does not automatically provide access to all university systems and services. In many cases, it is necessary to apply for access to a given system or service once the NinerNET account has been created.

System owners should follow these guidelines to assure only authorized access to their systems is provided:

A. Account Provisioning and De-Provisioning

Develop a formal user access provisioning and de-provisioning process to assign or revoke access rights. The following should be included in the process:

  • authorization for access should be governed by the owner of the system;
  • level of access granted should be verified and appropriate based on business purposes and other security controls;
  • the allocation and use of privileged access rights should be restricted and controlled;
  • unique user IDs should be used in order to link actions to a specific individual;
  • shared user IDs should only be permitted when critically necessary for business operations and the password should be changed when a member of the group leaves;
  • unnecessary vendor-supplied default accounts should be removed or disabled;
  • for required vendor accounts, default passwords should be changed following installation of systems or software;
  • a central record of access rights granted should be maintained;
  • access rights of all employees, student workers and third party users should be removed upon termination of employment, contract, or agreement.

B. Access Review Process

Develop a formal user access review process. The following should be included in the process:

  • user access rights should be reviewed periodically;
  • access rights for individuals who change roles or positions within the organization should be revised as appropriate;
  • accounts should be removed or disabled in a timely manner for users who have left the organization;
  • privileged access rights should be checked to ensure unauthorized access has not been obtained;
  • the list of privileged user accounts should be reviewed at least annually to ensure appropriate access and documentation of the review should be maintained.

NOTE: A privileged user account has powers within a system that are significantly greater than those assigned to the majority of users.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee 5/15/15
Updated 8/03/23