Standard for User Access Management
I. Purpose
The purpose of this standard is to establish the university’s obligation to ensure that user access is based upon authorization and that unauthorized access to systems and services is prevented.
II. Scope
It is the responsibility of all system owners to determine appropriate controls, rules, access rights and restrictions for their information or information systems. They must assure that access is provided only to authorized users and that unauthorized access is prevented.
III. Contacts
Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@charlotte.edu.
IV. Standard
To assure only authorized access to their systems, owners should implement the following:
- A process for assigning, enabling, and revoking a user account
- A process for providing and revoking privileges associated with a user account
- A process for the controlled allocation and use of privileged access rights
- A process for managing the use of passwords, and, if implemented, managing encryption/cryptographic keys, and tokens
- A process for the review of user access rights at regular intervals
- A process for the removal and adjustment of access rights upon change of role, employment, contract, agreement or other status.
Related Resources
- University Policy 311 Information Security
- Standard for Account Passwords
- Guideline for User Access Management
- Guideline for Privileged Account Management
- ISO/IEC 27002
ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.
Revision History
Initially approved by the Information Assurance Committee 4/2/15
Updated 6/2/22