Guideline for User Access Management

I.  Purpose

The purpose of this document is to provide guidance in meeting the university’s obligation to ensure that user access to systems and services is based upon authorization and that unauthorized access is prevented.

II.  Scope

It is the responsibility of all system owners to determine appropriate controls, rules, access rights and restrictions for their information or information systems.   They must assure that access is provided only to authorized users and that unauthorized access is prevented.  Furthermore, it is important for all UNC Charlotte staff, faculty, students, associates, affiliates, contractors, volunteers or visitors using UNC Charlotte facilities, services or IT systems to understand the need to ensure appropriate authorization to any system or service provided by the university.

III.  Contacts

Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact ITS Information Security Compliance at ISCompliance-group@uncc.edu.

IV.  Guidelines

NinerNET accounts are automatically assigned for each authorized user at UNC Charlotte; however, having a NinerNET account does not automatically provide access to all university systems and services.  In many cases, it is necessary to apply for access to a given system or service once the NinerNET account has been created. System owners should follow these guidelines to assure only authorized access to their systems is provided: 

A.  Centrally Managed Authentication System

Use of the university’s centrally managed authentication system and password process is recommended.  If system owners are unable to use the centrally managed authentication system, they should follow a formal user password management protocol. The UNC Charlotte Standard for Account Passwords outlines the minimum requirements for all University-affiliated passwords. The following guidelines are recommended:

  • require users to sign statements indicating they understand the conditions of access including keeping password information confidential and keeping group password information within the members of the group;
  • develop procedures for verifying identity before providing a replacement password (“password reset”);
  • provide temporary or replacement passwords to users in a secure manner;
  • for shared user IDs, change the password frequently and as soon as possible when a member of the group leaves or changes jobs;
  • change default vendor passwords following installation of systems or software.

BAccount Provisioning and De-Provisioning

Develop a formal user access provisioning and de-provisioning process to assign or revoke access rights.  The following should be included in the process:

  • authorization for access should be governed by the owner of the system;
  • level of access granted should be verified and appropriate based on business purposes and other security controls;
  • the allocation and use of privileged (“super-user”) access rights should be restricted and controlled;
  • unique user IDs should be used in order to link actions to a specific individual;
  • shared user IDs should only be permitted when critically necessary for the business operations of the university;
  • unnecessary vendor-supplied default accounts should be removed or disabled;
  • a central record of access rights granted should be maintained;
  • access rights of all employees, student workers and third party users should be removed upon termination of employment, contract, or agreement.

C Access Review Process

Develop a formal user access review process.  The following should be included in the process:

  • access rights should be reviewed periodically;
  • documented audits of accounts with elevated privileges should be conducted at least annually;
  • access rights of users who change roles or jobs within the organization should be revised as appropriate;
  • accounts should be removed or disabled in a timely manner for users who have left the organization;
  • privileged allocations should be checked to ensure unauthorized privileges have not been obtained;
  • specific procedures should be maintained to avoid unauthorized use of generic system administration user IDs.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee   5/15/15
Updated   9/14/17