Purpose
It is essential that access to and use of Organizational Data and Information Systems are properly secured and protected. Established access procedures contribute to the protection against cybersecurity threats and dangers.
Go to Procedures
Go to Resources
Related Policies
Data Governance and Management Policy
Related Guidelines, Procedures, and Resources
- Data Management Categorization
- Data Protection Categorization
- Data Regulation Categorization
- Data Domains
- Systems Inventory
- Data Element Dictionary
Definitions
Capitalized terms not otherwise defined herein shall have the same meaning as set forth in the Data Governance and Management Policy
Audience
Responsible | Data Steward Data Administrator Identity and Access Management Human Resources |
---|---|
Accountable | Associate Data Trustee System Owner |
Support | Associate Data Steward Technical Manager |
Consulted | Data Governance team |
Informed | Data Domain & Technology Sub-Committees Data User |
Procedures
- Guiding Principles for Access
-
- Everyone has a responsibility for preventing unauthorized access to Organizational Data and Information Systems.
- Associate Data Trustees, Data Stewards, and Associate Data Stewards have a responsibility to assign appropriate access to Organizational Data.
- System Owners, Technical Managers, and Data Administrators have a responsibility to provision assigned access to Information Systems and work with Cyber Security to secure those systems.
- Data Users have a responsibility to keep their access to Organizational Data and Information Systems private and secure.
- Data Stewards and Data Administrators must publish instructions for how to request access (new access, a change to access, or removal of access) to an Information System.
- Data Stewards must analyze Data User roles and determine the level of access required to perform a job function based on the Principle of Least Privilege.
- Data Stewards must analyze authorization roles to ensure they are free from Separation of Duties conflicts.
- Granted access must be used only for the purpose for which it was originally intended and only for the Data User who was originally approved.
- Access policies, principles, and procedures apply to both Individual Accounts and Service Accounts.
- Additional training may be required by a Data Steward and/or a System Owner before access is granted.
- Everyone has a responsibility for preventing unauthorized access to Organizational Data and Information Systems.
- Available Resources
-
- Data Stewards must ensure appropriate resources are available and maintained to adequately authenticate, assign, and verify access. Data Stewards must notify Associate Data Trustees of any resource constraints.
- Technical Managers must ensure appropriate resources are available and maintained to adequately authenticate, provision, and verify access. Technical Managers must notify System Owners of any resource constraints.
- The Chief Information Security Officer must ensure appropriate resources are available and maintained to prevent and detect unauthorized use of Organizational Data and Information Systems.
- Request New Access to an Information System
-
- A request for new access to an Information System should follow published instructions. The request must include the Data User’s name, account name (e.g., GT Account), job title, and job function as it relates to the Information System. Access to an Information System may require additional approvals (e.g., a Data User's supervisor or director). Access to an Information System may also be granted through pre-approved role-based permissions.
- The Information System may contain one or more Data Domains or Data Sub-Domains of Organizational Data. Each applicable Data Steward must review the request and if approved determine the level of access required to perform the job function. Based on published instructions, the Associate Data Trustee, the System Owner, and/or the Technical Manager may also play a role in reviewing the request and determining its rejection or approval.
- Each Data Steward must coordinate with the Data Administrator to review the approved request and determine the necessary authorization role(s) to grant access. The Data Administrator must provision the approved authorization role for the Data User in the Information System.
- Data Stewards and Data Administrators must keep record of the request details, the approved level of access, and the provisioned authorization role for auditing purposes.
- The Data Administrator must notify the Data User and their supervisor or director of the provisioned access.
- Request a Change to Access to an Information System
-
- A request to change access to an Information System should follow published instructions. The request must include the Data User’s name, account name (e.g., GT Account), job title, and job function as it relates to the Information System. Access to an Information System may require additional approvals (e.g., a Data User's supervisor or director). A change in access to an Information System may also be granted through pre-approved role-based permissions.
- The Information System may contain one or more Data Domains or Data Sub-Domains of Organizational Data. The Data Administrator must provide each applicable Data Steward a listing of the Data User’s active authorization roles to inform current access.
- Each Data Steward must review the request and if approved determine the level of access required to perform the job function. Based on published instructions, the Data Trustee, the System Owner, and/or the Technical Manager may also play a role in reviewing the request and determining its rejection or approval.
- Each Data Steward must coordinate with the Data Administrator to review the approved request and determine the necessary authorization role(s) to grant access. The Data Administrator must provision the approved authorization role for the Data User in the Information System.
- Data Stewards and Data Administrators must keep record of the request details, the approved level of access, and the provisioned authorization role for auditing purposes.
- The Data Administrator must notify the Data User and their supervisor or director of the provisioned access.
- Request Removal of Access to an Information System
-
- A request to remove access to an Information System should follow published instructions. The request must include the Data User’s name, account name (e.g., GT Account), and access removal effective date.
- The Information System may contain one or more Data Domains or Data Sub-Domains of Organizational Data. The Data Administrator must provide each applicable Data Steward a listing of the Data User’s active authorization roles to inform access that will be removed.
- The Data Administrator must remove all authorization roles for the Data User in the Information System on the requested access removal effective date.
- Data Stewards and Data Administrators must keep record of the request details and the removed authorization roles for auditing purposes.
- The Data Administrator must notify the Data User’s supervisor or director confirming removal of access.
- Employment Termination
-
- Human Resources must notify Data Stewards and Data Administrators of any employment terminations.
- The Information System may contain one or more Data Domains or Data Sub-Domains of Organizational Data. The Data Administrator must provide each applicable Data Steward a listing of the Data User’s active authorization roles to inform access that will be removed.
- The Data Administrator must remove all authorization roles for the Data User in the Information System. This must be done within five business days of termination.
- Data Stewards and Data Administrators must keep record of the termination and the removed authorization roles for auditing purposes.
- The Data Administrator must notify the Data User’s supervisor or director confirming removal of access.
- Employment Status Change
-
- Human Resources must notify Data Stewards and Data Administrators of any employment status changes which requires a change to such employee’s access to Organizational Data and Information Systems. Employment status changes include change in job function, job status, and transfer to another unit.
- The Information System may contain one or more Data Domains or Data Sub-Domains of Organizational Data. The Data Administrator must provide each applicable Data Steward a listing of the Data User’s active authorization roles to inform current access.
- The Data User’s supervisor or director and each Data Steward and Data Administrator must coordinate a review of access to determine which authorization roles remain appropriate and which need to be removed from Information Systems. This must be done within thirty calendar days of employment status change.
- Data Stewards and Data Administrators must keep record of the employment status change and the added and/or removed authorization roles for auditing purposes.
- The Data Administrator must notify the Data User’s supervisor or director confirming changes to access.
- Auditing Access
-
- System Owners, Technical Managers, and Data Administrators must be able to generate a list of Data Users granted access to an Information System.
- Data Stewards and Data Administrators must review Data User access to Information Systems at least every six months and document findings.
- Data Stewards and Data Administrators must create, document, maintain, and periodically review procedures related to access, including:
- Instructions for how to request access to an Information System
- How authorization roles are reviewed and assigned using the Principle of Least Privilege
- How authorization roles are reviewed to ensure they are free from Segregation of Duties conflicts
- Processing requests for new, changes to existing, or removal of access
- Auditing of access
- Human Resources, Data Stewards, and Data Administrators must create, document, maintain, and periodically review procedures related to access, including:
- Employment terminations
- Employment status changes
- Data Stewards and Data Administrators must maintain documented evidence that the procedures related to access are actively used and effective.
- Groups with Pre-Approved Access to Information Systems and Organizational Data
-
Certain Georgia Tech groups are given pre-approved read-only access to Organizational Data and Information Systems due to their job function. This approval is granted by the Data Governance Committee and is reviewed on a periodic basis. A listing of these approved groups can be found in the resource section.
To request access based on pre-approval, the following steps must be completed:
- The director or manager of a pre-approved group must send the Data Administrator of the Information System a request to grant read-only access for one or more Data Users in their group. The request must include the Data User’s name, account name (e.g., GT Account), and job title.
- The Data Administrator must provision access for the Data User in the Information System.
- The Data Administrator must notify the Data User and the requestor of the provisioned access.
- Data Administrators must keep record of the request details and the provisioned authorization role for auditing purposes.
Resources
- Is the Principle of Least Privilege going to prevent a Data User from performing their job duties?
- No. The Principle of Least Privilege ensures access does not provide more than what is required to perform one’s job duties. This is not in place to hamper one’s ability to perform their job.
- How often must access to an Information System be audited?
- Every six months. Any change to this frequency must be approved by the Data Governance Committee.
- Are enterprise tools available to manage access requests and Human Resources terminations or status changes?
- No. There is not currently an enterprise tool to centrally manage access requests. There is not currently an enterprise tool to communicate Human Resources employment terminations or employment status changes. Data Stewards, Data Administrators, and Human Resources must create, document, and maintain their own procedures for these activities.
- Groups with Pre-Approved Access to Information Systems and Organizational Data?
-
Group Scope Purpose Cyber Security All systems and data Monitor and audit security functions Data Governance All systems and data Monitor and audit data governance and management functions Privacy All systems and data Monitor and audit privacy functions Internal Audit All systems and data Provide enterprise audit capabilities OIT - Enterprise Applications Supported systems and data Build and maintain enterprise applications OIT - Enterprise Data Warehouse &
Integration ServicesSupported data Build and maintain the EDW and integrations OIT - Enterprise Business Intelligence Supported data Provide enterprise business intelligence capabilities Institutional Research & Planning Supported data Provide enterprise research and analysis capabilities
Revision Date | Author | Description |
---|---|---|
2021-09-15 | Zachary Hayes, Data Governance | Update to Groups with Pre-Approved Access |
2021-07-27 | Zachary Hayes, Data Governance | New |