Integrated Research

Campus

A.9.0 Access Controls

Information Security Management System

Document Information

Reference ISMS 27001

Category Information Security Management System (ISMS)
Title Access Controls
Purpose Defining the policies for access to the IRC
Owner Information Governance Management Group (IGMG)
Author Charles Hindmarsh
Compliance ISO 27001
Review plan Annually
Related Documents University of Leeds Information Protection Policy
ISMS Mandatory Clauses
A.5.0 Information security policies
A.6.0 Organisation of information security
A.7.0 Human resources security
A.8.0 Asset management
A.10.0 Cryptography Controls
A.11.0 Physical and environmental security
A.12.0 Operations security
A.13.0 Communications security
A.14.0 Systems acquisition, development and maintenance
A.15.0 Supplier Relationships
A.16.0 Information security incident management
A.17.0 Information security aspects of business continuity
management
A.18.0 Compliance

Version History

Change
Version Date Update by Approved By Date
description
Samantha
Barry Haynes
1.0 27/06/2016 Crossfield / Initial version 20/10/2016
(Chair of IGMG)
David Batty
Charles New format of Andy Pellow
2.0 01/03/2019 22/03/2019
Hindmarsh ISMS (Chair of IGMG)
Updated
Charles Andy Pellow
2.1 18/09/2019 A.9.2.1 & 25/09/2019
Hindmarsh (Chair of IGMG)
A.9.2.6

Page Version 2.1 Published 25/09/2019 Classification: IRC-Protect

2 of 8
Access Controls
Information Security Management System

Contents

Introduction ...........................................................................................4
Purpose .................................................................................................4
Applicability ..........................................................................................4
A.9.0 Access Controls ..........................................................................4
A.9.1 IRC Requirements for Access Control .......................................4
A.9.1.1 Access Control Policy ................................................................................. 4
A.9.1.2 Access to Networks and Network Services ................................................ 4
A.9.1.2.1 Network Access to IRC......................................................................... 5
A.9.1.2.2 Internet Access ..................................................................................... 5
A.9.2 User Access Management ..........................................................6
A.9.2.1 User Registration & De-registration ............................................................ 6
A.9.2.2 User Access Provisioning ........................................................................... 6
A.9.2.3 Management of Privileged Access Rights. ................................................. 6
A.9.2.4 Management of Secret Authentication Information of Users ....................... 6
A.9.2.5 Review of Access Rights ............................................................................ 6
A.9.2.6 Removal or Adjustment of Access Rights ................................................... 7
A.9.3 User Responsibilities ..................................................................7
A.9.3.1 Use of Secret Authentication Information ................................................... 7
A.9.4 System and Application Control ................................................7
A.9.4.1 Information Access Restriction ................................................................... 7
A.9.4.2 Secure Log-on Procedures ......................................................................... 7
A.9.4.3 Password Management System ................................................................. 7
A.9.4.4 Use of Privileged Utility Programs .............................................................. 8
A.9.4.5 Access Control to Program Source Code ................................................... 8

Page Version 2.1 Published 25/09/2019 Classification: IRC-Protect

3 of 8
Access Controls
Information Security Management System

Introduction
The Integrated Research Campus (IRC) is a University of Leeds IT service. It
provides secure technical infrastructure and services for research data handling,
analytics, application processing and development.

Purpose
This document sets the Access Control policy within the scope of the Information
Security Management System (ISMS).

Applicability
This policy is applicable to all staff who control, manage, update or change user
access within IRC services and/or LIDA Safe Rooms. It also applies to users who
are responsible for looking after passwords and tokens.

A.9.0 Access Controls

The Access Control policy sets the procedure for approving, setting up, revoking and
managing access to IRC services and resources held on the IRC infrastructure. The
purpose is to ensure secure, consistent and audited access and usage in
accordance with the IRC ISMS. For physical access controls, refer to the Securing
Offices, Rooms and Facilities policy (A.11.1.3).

A.9.1 IRC Requirements for Access Control

A.9.1.1 Access Control Policy

The Access Control policy applies to staff authorised to set up access to IRC
infrastructure or facilities. They include the Data Services Team (DST) and the
Leeds Institute of Data Analytics (LIDA) Office Administrators. Researchers must
agree to the terms of the IRC User Agreement before access is granted.

The Information Governance Management Group (IGMG) sets the policy for
assessing and providing system access rights under the User Access Management
policy (A9.2). Access Control is managed by the DST and is triggered when they
receive a request for access as part of a Project Proposal.

A.9.1.2 Access to Networks and Network Services

The IRC is a “walled garden” (restricted zone), segregated by firewalls from the rest
of the campus network. The restricted zone contains a set of virtual servers that
have restricted access controls governed by a dedicated IRC Active Directory and
two factor authentication service which is separate from the rest of the university. In

Page Version 2.1 Published 25/09/2019 Classification: IRC-Protect

4 of 8
Access Controls
Information Security Management System

all cases users use terminal services inside the walled garden to access their Virtual
Research Environment (VRE). See Figure A.9.1.2.1.

Figure A.9.1.2.1: THE IRC Virtual Research Environment

A.9.1.2.1 Network Access to IRC

Only approved users with University Network Active Directory accounts will be
granted access to the IRC.

Each project is allocated a VRE and access is provided to research team members.
Data that is classified as IRC-Confidential is accessible from anywhere within the
campus using university equipment or secured link from remote computers. Refer to
the Teleworking policy (A.6.2.2)

Firewall rules and Network Access Controls are in place to ensure that data residing
on servers that have a classification of IRC-Secure, can only be accessed from a
registered thin-client device in a safe room or other secure location.

A.9.1.2.2 Internet Access

The firewall prevents a VRE from accessing the internet or external messaging
systems.

Page Version 2.1 Published 25/09/2019 Classification: IRC-Protect

5 of 8
Access Controls
Information Security Management System

A.9.2 User Access Management

A.9.2.1 User Registration & De-registration

The Principal Investigator (PI) will have determined the user access requirement in
the Project Proposal. The DST will follow the WI_New User work instruction to
create the account, but also to ensure the user:

1. Has a university of Leeds Active Directory account.

2. Has completed all necessary training.
3. Has signed the IRC User Agreement.

Deregistration may be triggered by the termination of the researcher’s project(s), a

notification from HR or the PI, a security event or as a result of non-compliance with
the IRC User Agreement or ISMS. The DST will follow a working instruction call
“Removal of users” for the removal of a user account.

The DST will email the disabled account holder to ask them return their MFA token.

The DST maintains an IRC user register of active users, tokens, training and
association with projects for current and past users.

A.9.2.2 User Access Provisioning

A combination of IRC Active Directory credentials and two factor token
authentication is used to control access to the VRE. Access is provided after project
approval, completion of training and signing of an IRC User Agreement.

The process of assigning access to a VRE follows the principle of assigning ‘least
privileges’. Active Directory groups are used to assign rights and control access to
specific folders within a project area.

Researchers or third parties are provided with access to the secure file transfer
system if needed. Request are managed through DST.

A.9.2.3 Management of Privileged Access Rights.

The UoL policy for granting administration privileges applies to the IRC.

A.9.2.4 Management of Secret Authentication Information of Users

All users must comply with the UoL Password Management policy.

A.9.2.5 Review of Access Rights

A review of IRC Active Directory is conducted annually. Only project users and valid
services should have active accounts all other accounts must be logged for further
investigation and disabled.

Page Version 2.1 Published 25/09/2019 Classification: IRC-Protect

6 of 8
Access Controls
Information Security Management System

A.9.2.6 Removal or Adjustment of Access Rights

Access rights removal or adjustment may be triggered by a notification from HR, a
security event, an Information Governance requirement, or from the Principal
Investigator. The DST will complete the appropriate instructions found in
WI_15_Removal of users.

A.9.3 User Responsibilities

A.9.3.1 Use of Secret Authentication Information

All users will comply with the UoL Password Management for the use of secret
authentication information.

A.9.4 System and Application Control

A.9.4.1 Information Access Restriction

The Principal Investigator will determine project user access rights. The DST will
implement the requirements.

All users will access a VRE using an IRC Active Directory account via a thin client
remote access gateway. VRE access will be subject to two-factor authentication for
all users and locations without regard to the classification of the data hosted within
the VRE.

A.9.4.2 Secure Log-on Procedures

Following the authentication against the IRC Active Directory, a second factor
authentication service will be used which contains a limited life one-time password.
Tokens will be assigned to individual users and records kept for the issuing and
return of the tokens.

A.9.4.3 Password Management System

The IRC password must:
 be a minimum of 10 characters
 not contain any part of your name or username
 contain characters from 3 of the below:
o Contain an Uppercase letter: A through Z
o Contain a Lowercase letter: a through z
o Contain a Number: 0 to 9
o Special characters such as punctuation. Special characters are good
but they may not appear on international keyboards or all mobile
devices, please check before setting your password.
Passwords will be used in conjunction with a Multi Factor Authentication Token
Number.

Page Version 2.1 Published 25/09/2019 Classification: IRC-Protect

7 of 8
Access Controls
Information Security Management System

Passwords are changed and standards are enforced as per the UoL Password
Management. All IRC user passwords are created, issued to users and stored within
the IRC Active Directory service. System passwords (services and applications) are
stored within an encrypted Key pass safe which is only accessible by DST members.

Researchers are responsible for the safe keeping of their own passwords.

A.9.4.4 Use of Privileged Utility Programs

With the exception of IT staff, the use of privileged utility programs is forbidden. All
requests for other data processing software must be recorded within the Data
Management Plan and approved.

A.9.4.5 Access Control to Program Source Code

Principal Investigators that require researchers to develop code, are responsible for
ensuring the code is appropriately secured and controlled within their virtual research
environment.

Page Version 2.1 Published 25/09/2019 Classification: IRC-Protect

8 of 8
Access Controls