RUL - 70.00.13 User Access Management Rule

Information Technology
Responsible Office:
Information Technology Services
Information Technology Services, 919-530-7171,
Effective Date: September 23, 2022

1.  Purpose

The purpose of the User Access Management Rule is to support the Information Security Policy and provide a framework for the management of user access to North Carolina Central University (NCCU) information systems, networks, and equipment.

The User Access Management Rule defines the standard procedures in place for granting, modifying, removing, and reviewing user access privileges to NCCU systems and applications in order to protect the privacy, security, and confidentiality of University information assets and systems.


2.  Scope

This rule applies to all users of NCCU information systems and services including employees, students, contractors, and third-party providers both on and offshore. It also applies to persons responsible for the management of user accounts or access to University information assets and systems, including departmental accounts (steward or custodian) and centrally managed accounts (ITS). Additionally, this applies to granting access to information systems and services owned and/or operated by NCCU or NCCU-affiliated vendors. It does not include physical access to NCCU computing equipment and ITS-controlled areas. Please see the Information Security Policy.


3. Definitions

3.1 Department Manager or Data Owner: Individuals with policy-level responsibility and accountability for data within their functional areas. Assigned to oversee the proper handling of administrative and academic data that is transmitted, used, and/or stored on Information Technology Resources.

3.2 Administrator Account: A User with a level of access above that of a normal User, or with supervisory responsibility for Information Systems and Information Resources. Examples of System Administrators include, but are not limited to, a Database Administrator, a Network Administrator, a Central Administrator, a superuser, or any other privileged User.

3.3 Data Custodian: Department Manager or Data Owner responsible for the operation and management of systems and servers which collect, manage, and provide access to institutional data. Ensures safe custody, transport, and storage of university data.

3.4 Delegate: Individually assigned tasks in systems to perform actions on the Manager or Data Owners’ behalf. Delegation should be used when an employee will be out of the office or unable to access the system long enough that business processes will be unduly delayed.

3.5 System Administrator:  A user responsible for the protection of administrator account details and must not share administrator account details with unauthorized users. Will only use administrator accounts for performing administration-related activities.


4.  Rule

4.1  Roles and Responsibilities of Data Custodians

4.1.1  Department Manager or Data Owner  Will comply with User Access Management Rule for their information system(s).  Are responsible for ensuring third-party service providers of services and systems comply with NCCU User Access Management rule.  Are responsible for retaining a record of user access requests, approvals, terminations, and disabling accounts for information systems for auditing purposes.  Are responsible for documenting and retaining a record of user access reviews for auditing purposes.  Department Manager will notify ITS of employees who are leaving the University (targeted or voluntarily) or have been dismissed/employment terminated.

4.1.2  ITS Will maintain a record of managers, system administrators or delegates who can approve user access privileges to information systems and services.

4.1.3  Employees, students, contractors, and third-party service providers Are responsible for the protection of their individual account and password, must not share their password with anyone or allow others to use their account in accordance with the Responsible Use Regulation. Will immediately change their password and/or notify ITS Service Desk if they believe their account details have been disclosed or used by an unauthorized user. Will log out of their account or use screen locking on a device when not present to prevent unauthorized access to their account and underlying University systems.

4.1.4 Administrator, Database Administrator, Application Administrator Are responsible for the protection of administrator account details and must not share administrator account details with unauthorized users. Will immediately change the account password and notify the Steward or Custodian of the relevant information system if they believe an administrator account has been improperly disclosed or used by an unauthorized user. Will only use administrator accounts for performing administration-related activities.


5.  Authentication Services

5.1 All NCCU equipment, networks, and information systems must be able to identify and authenticate NCCU users using approved authentication methods. Multi-factor authentication is required for user accounts.

5.2 Approval via the Director, IT Services must be obtained to use alternate authentication models.

5.3 The identification and authorization of user access to NCCU systems and applications must meet the access controls defined in the Information Security Policy and Information Security Program.

5.4 Students, employees, contractors, and third-party service providers accessing NCCU information systems will be uniquely identified.

5.5 The use of anonymous or 'guest' user accounts to access NCCU information systems is prohibited.


6.  Modifying User Access Privileges

6.1 Department Managers will ensure that when an employee changes role within the organization, their access will be amended so that it reflects the requirement of their new role. Any user access privileges to NCCU information systems or services that are no longer required for the employee’s new role will be removed.

6.2 Requests for changes to an individual's user access privileges for an NCCU information system or service lodged via the ITS Service Desk will be referred to the relevant Department Manager, Data Owner or ITS team for action.

6.3 Department Managers or data owners are responsible for approving changes to user access for information systems.

6.4 Departmental managers must provide approval for user access changes to file permissions within their department's information assets.

6.5  Removal of User Access Privileges

6.5.1  Employee Account Termination Employees that are leaving the University, for any reason will have their user access privileges disabled at the end of their employment unless an exemption is granted by the CIO, IT Services. System Administrators will remove application-specific access for the user account.

6.5.2  Student Account Termination Student employees will lose staff or faculty permissions after the appointment is terminated Students will continue to have student email access after the end of enrollment at NCCU if the following is met: Students who complete graduation requirements from the College: email accounts remain active until June 1 two years following the completion of their course of study. Students who voluntarily withdraw from the College prior to graduation: email account will be suspended/terminated at the direction of the Academic/Student Affairs. Accounts that are inactive for six months will be suspended and will only be reactivated at the direction of the Academic/Student Affairs department. Email accounts for withdrawn or suspended students will be suspended/terminated at the direction of the Academic/Student Affairs. Accounts that are inactive for six months will be suspended and will only be reactivated at the direction of the Academic/Student Affairs department. Students with an approved Leave of Absence: email account remains active pending the individual’s return to regular enrollment. Student access to other NCCU systems and services will be terminated at the end of the enrollment.

6.5.3  Suspension of User Access Privileges NCCU reserves the right to revoke the system privileges of any user at any time. Suspension of user access for student accounts requires approval from the Director, IT Services and must be conducted in accordance with Student Code of Conduct.


7. Reviewing User Access

7.1 System Administrator or ITS Security Administrator will conduct a user access review every 12 months at a minimum to ensure that current access privileges to information systems and services are relevant and appropriate for each individual user.

7.2 Department Managers are responsible for conducting annual user access reviews of file permissions within their department's information assets.

7.3 User access reviews should be documented and retained for auditing purposes.

7.4 Changes to user access for an information system identified as part of user access reviews should be performed by following the relevant procedures for modifying or terminating user access privileges.

7.5 Department Managers or Data Owners can create their own specific procedures in writing to review user access accounts for their NCCU information system and must be able to produce the documented procedures when required for auditing purposes.


8. Administrator Account Management

8.1. Administrator account details will only be disclosed to individuals who require this type of access based on their role.

8.2  Where possible, default administrator accounts for information systems should be disabled. If the account cannot be disabled, the account should be renamed and the default password should be changed immediately.

8.3  Requests for access to an administrator account must be authorized by the Department Manager or Data Owner or a relevant ITS manager.

8.4  Administrator accounts must only be used for performing administration-related activities. All non-administrator activities must be performed under the employee's user account.

8.5  Passwords for administrator accounts must be changed at least quarterly or immediately if a user with knowledge of the password leaves the University or no longer requires access to the account based on their role.

8.6  Administrator account access is to be reviewed at least quarterly.


9. Contractor Account Management

9.1  Contractors will be assigned a user account for temporary access to information systems that will be set to expire according to the expiry date obtained from the contract agreement.

9.2  Contractor user accounts will be terminated within the specified timeframes.

9.3  System Administrators are responsible for removing application-specific access for the contractor account.

9.4  Any contractor user account that has been inactive for a period of 30 days or more will be disabled.