960 Access Control

Approved by President
Effective Date: June 5, 2017
Responsible Division: Information Technology
Responsible Office: Information Technology
Responsible Officer: Vice President for Information Technology

I. Purpose

This policy establishes a minimum expectation, with respect to access controls, in order to protect data stored on computer systems at Middle Tennessee State University (MTSU or University).

II. General

A.  MTSU will control user access to information assets based on requirements of individual accountability, need to know, and least privilege.

B.  Access to University information assets must be authorized and managed securely in compliance with appropriate industry practice and with applicable legal and regulatory requirements (i.e., Health Insurance Portability and Accountability Act, Family Educational Rights and Privacy Act, Open Records Act of Tennessee, Gramm-Leach-Bliley Act, and identity theft laws).

C.  University information assets include data, hardware, software technologies, and the infrastructure used to process, transmit, and store information.

1.  Any computer, laptop, printer, or device that an authorized user connects to the campus network is subject to this policy.

2.  Guest/unauthenticated access may be provisioned commensurate with usage and risk.

3.  Authorized users accessing University computing resources and network with their own personal equipment are responsible for ensuring the security and integrity of the systems they are using to establish access.

III. Access Controls

A.  Access to information assets must be restricted to authorized users and must be protected by appropriate physical, administrative, and logical authentication and authorization controls.

B.  Protection for information assets must be commensurate with the confidentiality of the information.

C.  Each computer system shall have an automated access control process that identifies and authenticates users and then permits access based on defined requirements or permissions for the user or user type.

D.  All users of secure systems must be accurately identified; a positive identification must be maintained throughout the login session; and actions must be linked to specific users.

E.  Access control mechanisms may include user IDs, access control lists, constrained user interfaces, encryption, port protection devices, secure gateways/firewalls, and host-based authentication.

IV. User Identification, Authentication, and Accountability

A.  User IDs:

1.  The access control process must identify each user through a unique user identifier (user ID) account.

2.  User IDs are assigned by the Information Technology Division (ITD).

3.  Users must provide their user ID at logon to a computer system, applicati