Standard for Business Requirements for Access Control

I. Purpose

The purpose of this standard is to establish the university’s obligation to ensure that user access to information and information processing facilities is limited to those who have a business or academic need. Access to information should be prevented for those who do not have a need for that information.

II. Scope

It is the responsibility of all information owners to determine appropriate controls, rules, access rights and restrictions for their information or information systems. They must assure that access is provided only to authorized users and that the established authorization is based upon business or academic need for that information.

III. Contacts

Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at

IV. Standard

To assure only authorized access to information or information systems, the following principles should be considered:

  • Need-to-Know
    Only grant access to information needed to perform a task. Different tasks or roles may require different access profiles.
  • Need-to-Use
    Only grant access to IT equipment, applications, rooms, or procedures needed to perform a task, job, or role.

Access to networks and network services should be provided only to those authorized according to business or academic need. Additional measures should be taken to limit access to network connections to sensitive or critical business applications from public or other off-campus locations.

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee 4/2/15
Updated 6/2/22