Access Control Policy
Information is a valuable asset and access to it must be managed with care to ensure that confidentiality, integrity and availability are maintained.
The University of Sheffield provides access to information assets, accounts, systems and resources based on the principle of least privilege (see Information Security Glossary for explanation).
This policy outlines the rules relating to authorising, monitoring and controlling access to University accounts, information and information systems.
This policy applies to any person or system that is granted, or that grants, access to accounts, information or information systems owned or operated by the University of Sheffield.
This policy specifically does not apply to Subject Access Requests under the General Data Protection Regulation or Data Protection Act 2018. These requests are managed separately by the Data Protection Officer in the University Secretary’s Office.
Compliance with this policy enables consistent controls to be applied throughout the University, minimising exposure to security breaches, whilst allowing systems administration, security administration and technical support staff to conduct their activities within the framework of the law.
This policy aims to ensure that, by having the appropriate access controls in place, the right information is accessible by the right people at the right time and that access to information, in all forms, is appropriately managed and periodically audited.
All personnel (e.g. employees, students, contractors, vendors and third-parties) at the University of Sheffield must abide by relevant Information Security and Access Control policies and procedures.
All account holders must:
- Only use their account and access in accordance with the University’s IT Code of Practice.
- Secure their credentials in line with the University’s password guidance.
- Be responsible for the systems, services and data within their control.
- Transfer services and data prior to vacating a role, referring to the University Leaving Process and Account Closure Guidance.
All management must:
- Only sponsor access requests that have:
  - A documented request
  - Adequate and appropriate justification, based on the requester’s business need
- Document all access request sponsorships
Asset owners must:
- Periodically review access to their assets and investigate any anomalies. Review periods are based on the risk rating of a given asset.
Access administrators must:
- Only grant access requests that have:
  - A documented request
  - Adequate and appropriate justification, as confirmed by the sponsor
  - Documented sponsorship and subsequent approval from relevant personnel
- Document all access granted
4 Access Control Implementation
The following headings outline the principles around how access is managed at the University of Sheffield:
4.1 Identity Management
Formal user registration and de-registration processes are implemented to enable the assignment of identities and accounts on an individual basis.
This ensures accountability for all actions taken by employees, students and associate account users.
4.2 Authentication Management
All account, service and platform access is managed through secure authentication controls.
For more information on this please see the University’s password guidance.
4.3 Access Governance
A formal user access provisioning process is implemented to assign or revoke access rights for all user types to systems and information assets under the control of the University.
This access provisioning is based on the following principles:
- Access changes for employees are primarily managed through the University's Starter, Mover & Leaver processes.
- All extra requests for or changes to access are documented and tracked.
- All access requests or changes require documented justification.
- Justification will be based on a simple risk assessment and the business need and will be confirmed by the request sponsor.
- Appropriate sponsorship & approval is required and documented for all access requests or changes.
- All access changes granted by administrators are documented and tracked.
- Reviews of access are performed by relevant asset owners periodically.
- These principles are agnostic of account type, service, application or system.
4.4 Privileged Account Management
Privileged accounts and privileged access (see Information Security Glossary for explanation) must be purpose driven, secure and always adhere to the principle of least privilege. (See Privileged Account Management Policy)
4.5 Removal or Adjustment of Access Rights
The access rights of all employees, students and associate account users to information and information processing facilities will be removed upon termination of their employment, contract or agreement, or adjusted upon change.
For all University employees, this is managed through the Starter, Mover & Leaver processes.
Additional access to accounts, assets, systems or services is subject to review and approval on a case-by-case basis, as outlined in the Access Governance section above.
4.6 Access Reviews
Access to assets, services and systems will be periodically reviewed. The frequency of these reviews depends on the identified risk surrounding the asset and access in question.
It is recommended that the risk relating to each individual asset is measured and given a risk rating in line with the single asset risk assessment process, outlined in the Information Security Risk Management policy.
Where an access review identifies an access anomaly it will be treated as a potential incident and investigated by the asset owner and information security team.
4.7 Access in Special Circumstances
There are special circumstances where extra or privileged access is needed. For all cases, access to an account, the information contained within an account or information pertaining to the activity of an account, is carefully restricted and must only be carried out with the appropriate authorisation and safeguards in place.
Appendix A below outlines the approach taken for special circumstances.
5 Supporting Information Security Policies, Procedures and Guidance
Supporting information security policies for the principles listed above can be found at https://www.sheffield.ac.uk/it-services/policies/infosec
The University’s Information Security Incident Reporting Page can be found at https://www.sheffield.ac.uk/it-services/policies/securityincident
Appendix A - Access in special circumstances
Special circumstances include, but are not limited to:

| Circumstance | Approach |
| --- | --- |
| Information Security and System Administration | The Information Security team may access accounts and user data. Some examples of when such access may be required are: |
| Regulatory Requests | A request for information to satisfy a regulatory request (e.g. Subject Access Request) can be made to the Information Security team. Requests will be considered by the Director of IT, referring to the Data Protection Officer, Security Services, Academic Services and Human Resources as required. |
| Previous Account Owner | A request for information held against a previously active account, made by the account owner, may be approved only after a careful review and on a case-by-case basis. Requests will be considered by the Director of IT, referring to the Data Protection Officer, Security Services, Academic Services and Human Resources as required. |
| Staff Account Access by Department | Requests must be sponsored by the Head of Department (or recognised designate). They will be considered by the Director of IT, referring to the Data Protection Officer, Security Services and Human Resources as required. |
| Student Account Access by Department | Requests must be sponsored by the Head of Department (or recognised designate). Requests will be considered by the Director of IT, referring to the Data Protection Officer, Security Services and Academic Services as required. |
| Law Enforcement Authorities | Requests must be directed to the Security Management Team and the relevant documentation must be completed. Requests will be considered by the Director of IT, referring to the Data Protection Officer, Security Services, Human Resources and Academic Services as required. |
| Medically Incapacitated or Deceased User Account Access | Access requests can be made to the Information Security team. Requests will be considered by the Director of IT, referring to the Data Protection Officer, Security Services and Human Resources as required. |