Ģ������Ƶ

Data Network Security and Access Control

Initially Approved:  August 25, 2006
Revised:  August 10, 2015
Revised: April 10, 2017
Revised: January 28, 2019
Technical Changes: June 20, 2019
Revised: June 30, 2020
Revised: June 10, 2025
Revised: July 1, 2025

Policy Topic: Information Technology
Administering Office: Office of the CIO

I. POLICY STATEMENT

Information technology resources are provided to support the University's mission. To ensure that these shared and finite resources are used effectively to further the University's mission, the integrity of the resources must be protected and access to the resources must be properly controlled.

II. SCOPE AND APPLICATION OF THE POLICY

This policy applies to all individuals assigned a non-student University account who access the University's information technology resources, whether the resources are located on or off-campus, and whether University-owned or contracted for use by the University.

III. DEFINITIONS

��ٱ�鴡” means subject to the Human Resources Act (formerly SPA).
“E��鴡” means Exempt from the Human Resources Act (formerly EPA).
“Non-Faculty Employees” includes all SHRA and EHRA non-faculty
“Faculty Employees” includes tenured-track and fixed-term appointment faculty
“Temporary Faculty Employees” includes adjunct faculty, teaching and lab graduate assistants
“Administrative Student Workers” students who need access to administrative systems, including graduate research assistants
“Affiliate Non-Faculty” includes guests, volunteers and interns
“Affiliate Faculty” includes third-party individuals providing instructional services to an academic unit and not paid by the University 
“Affiliate Former Faculty” includes Emeritus in Waiting and former adjunct faculty between contracts which are within a year of last contract 
��ٳܱ��������” a vendor that provides software or IT services through a contract or other agreement. IT Services include the support or implementation of university technology infrastructure or operations 
“C�DzԲ��ܱ��ٲ��Գ�” a third-party providing non-IT and non-instructional consulting services to business offices or functional users 
“Emeritus Status” retired professors or chancellors who have emeritus approval “Information Technology Resource” means any system, media or software used to transmit, store or process information or data.
“U�����” means any individual assigned a non-student University account to utilize a University information technology resource as defined above.
��ٱ�貹�����پ��Dz�” means the employee left employment with the University and is no longer affiliated with an employment agreement.

IV. DATA NETWORK SECURITY POLICY

The Information Technology (IT) Division’s Networking & Communications (Networking & Communications) Services has the responsibility for the design, maintenance, and security of the university’s data network. To ensure the integrity of the network:      

1. No individual or office may connect a device to the campus data network that bypasses any part of the network authentication and authorization process; or provides unauthorized users access to the network; or provides unauthorized IP addresses for users.  
2. Networking & Communications has the right to limit network capacity or disable network connections that are adversely impacting availability of information technology resources.
3. Access to networking equipment in wiring closets, etc., is limited to the Networking & Communications staff or their designees.
4. Changing the architecture of any part of the data network is not permitted without the approval of Networking & Communications.

V. ACCESS CONTROL POLICY

A. General Principles for User Access

Access to university information technology resources may only be granted to users who have completed and submitted all requisite compliance documents as defined by the IT Division.  For initial access and termination of access, the guidelines detailed below control access based upon the user’s employment or appointment status.

In most cases, access to information technology resources will terminate on a user’s last work/contract date. In some cases, access will terminate on a user’s last pay date. In cases where separations are deemed involuntary, the Division of Human Resources and Payroll (HR) will immediately terminate access.

Hiring officials may not enter into employment contracts that commit the university outside the scope of this policy.

B. Compliance Documents Needed for Access

All users obtaining non-student accounts are required to read and accept a Confidentiality and FERPA agreement when electronically claiming their account. Other compliance documents differ by user type and are outlined below in sections C and D.

C. Employee User Types

Employee user accounts will be created upon receipt of 1) a fully executed employment contract or a letter offer of employment that has been accepted in writing by the employee, and 2) all compliance documents required by HR.  Access to the account will be granted as follows:

1. Non-Faculty Employees: will be granted access on the first day of their employment provided that complete and accurate employment compliance documents have been received by HR. Access will be terminated on the last work date. HR may grant early access exceptions up to ninety (90) days in advance for eligible SHRA exempt and EHRA employees upon request of the hiring supervisor and receipt of complete and accurate employment compliance documents.
2. Faculty Employees: will be granted access on the first day of contract provided that complete and accurate employment compliance documents have been received by HR, or up to ninety (90) days early upon processing by HR of complete and accurate employment compliance documents. Access will be terminated on the last day of the month of the last pay date.
3. Temporary Faculty Employees: will be granted access on the first day of contract provided that complete and accurate employment compliance documents have been received by HR, or up to ninety (90) days early upon processing by HR of complete and accurate employment compliance documents. Access will be terminated on the last day of the month of the last pay date.
4. Temporary/Hourly Non-Faculty Employees: will be granted access on their first day of employment provided that all employment compliance documents have been received by HR. Access will be terminated on the last work date.  Early access cannot be granted.  The supervisor is responsible for notifying HR if early termination is necessary. Access is covered by appointment dates and monitored by HR.
5. Administrative Student Workers: will be granted access provided that the supervisor has approved the account request and their HR job record is complete. Access will be terminated on the last work date or on the last day of the month of the last pay date, depending on the type of contract. Access must be re-requested and reauthorized at the beginning of a new contract period. Early access cannot be granted. Continuing access may be granted for graduate research assistants if a contract is in place for a future term. The supervisor is responsible for notifying IT to terminate access early if necessary.

D. Non-Paid User Types

Non-Paid user accounts will be created upon receipt of 1) a fully executed contract or other engagement document; and 2) a completed IT Guest/Consultant access request form or an approved equivalent electronic request.  Access to the accounts will be granted as follows:

1. Affiliate Non-Faculty: May be granted access during their engagement dates in accordance with the start and end dates of their engagement document, provided that complete and accurate compliance documents have been submitted to the Chief Information Officer (CIO) with the access request. After the access request has been approved by the CIO, the documents will be forwarded to HR and IT for processing. Access will be set to expire in accordance with the approved dates. If warranted, the sponsoring department is responsible for notifying HR to terminate access prior to the expiration of the engagement letter. Access is valid for a maximum of one (1) year and may be renewed when necessary.
2. Affiliate Faculty: May be granted access during their engagement dates in accordance with the start and end dates of their engagement document provided that the requesting department submits complete and accurate compliance documents to the Academic Dean and CIO for approval, and these documents have been processed by HR and IT. Access will be set to expire in accordance with these dates. If warranted, the requesting department will also be responsible for notifying HR to terminate access prior to the expiration of the engagement. Access is valid for a maximum of one (1) year and may be renewed when necessary.
3. Affiliate Former Faculty:

   1. For departments expecting to re-hire former adjunct faculty that do not already have Emeritus status within a year, the Academic Dean or department head must request the account remain active as an Affiliate Former Faculty. HR will process the request and verify a change of status. The term for this status is no more than one year. Users will automatically be moved from this user type to a faculty type by a change in status performed by HR.

   2.  

      For individuals that are Emeritus in Waiting, HR will update their status and their account will automatically be changed to Affiliate Former Faculty for up to one year while they await the decision on Emeritus status.

4. Supplier: Access is requested by a sponsoring individual and requires approval by a supervisor and the CIO. Access will be set to expire in accordance with the approved dates. If warranted, the requesting department will also be responsible for notifying IT to terminate access prior to the expiration of the engagement. Access is valid for a maximum of one (1) year and may be renewed when necessary.
5. Consultant: May be granted access in accordance with the start and end dates of their engagement provided that complete and accurate compliance documents have been submitted to the CIO with the access request. After the access request has been approved by the CIO, the documents will be forwarded to HR for processing. Access will be set to expire in accordance with the approved dates. If warranted, the requesting department will also be responsible for notifying HR to terminate access prior to the expiration of the engagement. Access is valid for a maximum of one (1) year and may be renewed when necessary.
6. Emeritus Status: May be granted access in accordance with the start and end dates of their engagement provided that complete and accurate compliance documents have been submitted to the CIO with the access request. After the access request has been approved by the CIO, the documents will be forwarded to HR for processing. Access will be set to expire in accordance with the approved dates. If warranted, the requesting department will also be responsible for notifying HR to terminate access prior to the expiration of the engagement. Access is valid for a maximum of one (1) year and may be renewed when necessary.
7. Trustee/Board Member: Will be granted access upon their election or appointment, or earlier if requested by the Chancellor’s Office, and receipt by HR of complete and accurate guest user compliance documents. Full access will be granted for the term of service. Former trustee/board members will be eligible for continued limited access after their term of service as a Board of Trustee Emeritus or a Board of Trustee Former designee. The Chancellor’s Office will determine the appropriate designation and will notify HR for processing.

E. User Account De-Provisioning

When user access is terminated per this policy, the account will be placed in a disabled status for one (1) year. During that time, the last supervisor may request that the email content or personal network storage content from the user be delivered to them. One (1) year after the account has been disabled, it will be deleted, which will also delete the user’s email content and personal network storage folders unless additional time is permitted by the CIO.

Employees returning to the University after separation generally will not retain previous content or system access permissions (i.e. the account will be re-provisioned). However, adjunct faculty and other time-limited positions that work on a recurring basis may retain access to previous content and systems if they return within twelve (12) months.

VI. RESPONSIBILITIES

It is the responsibility of each department to provide timely notification of all changes related to employment and termination to HR to comply with the timeframes set forth in this policy.  Departmental notifications and personnel processing actions are subject to audit by the University’s Internal Auditor and by external auditors.  As such, the timeframes for compliance rest at the departmental level.

VII. POLICY REVIEW

This policy shall be reviewed and revised as necessary every two (2) years.

VIII. REFERENCES

International Standards Organization (ISO/IEC 27002:2022, Clause 5 Organizational Controls, Clause 6 People Controls and Clause 8 Technological Controls)