Campus
Document Information
Version History
Version | Date | Update by | Change description | Approved by | Approval date
1.0 | 27/06/2016 | Samantha Crossfield / David Batty | Initial version | Barry Haynes (Chair of IGMG) | 20/10/2016
2.0 | 01/03/2019 | Charles Hindmarsh | New format of ISMS | Andy Pellow (Chair of IGMG) | 22/03/2019
2.1 | 18/09/2019 | Charles Hindmarsh | Updated A.9.2.1 & A.9.2.6 | Andy Pellow (Chair of IGMG) | 25/09/2019
Contents
Introduction
Purpose
Applicability
A.9.0 Access Controls
A.9.1 IRC Requirements for Access Control
A.9.1.1 Access Control Policy
A.9.1.2 Access to Networks and Network Services
A.9.1.2.1 Network Access to IRC
A.9.1.2.2 Internet Access
A.9.2 User Access Management
A.9.2.1 User Registration & De-registration
A.9.2.2 User Access Provisioning
A.9.2.3 Management of Privileged Access Rights
A.9.2.4 Management of Secret Authentication Information of Users
A.9.2.5 Review of Access Rights
A.9.2.6 Removal or Adjustment of Access Rights
A.9.3 User Responsibilities
A.9.3.1 Use of Secret Authentication Information
A.9.4 System and Application Control
A.9.4.1 Information Access Restriction
A.9.4.2 Secure Log-on Procedures
A.9.4.3 Password Management System
A.9.4.4 Use of Privileged Utility Programs
A.9.4.5 Access Control to Program Source Code
Introduction
The Integrated Research Campus (IRC) is a University of Leeds IT service. It
provides secure technical infrastructure and services for research data handling,
analytics, application processing and development.
Purpose
This document sets the Access Control policy within the scope of the Information
Security Management System (ISMS).
Applicability
This policy is applicable to all staff who control, manage, update or change user
access within IRC services and/or LIDA Safe Rooms. It also applies to users who
are responsible for looking after passwords and tokens.
The Information Governance Management Group (IGMG) sets the policy for
assessing and providing system access rights under the User Access Management
policy (A9.2). Access Control is managed by the DST and is triggered when they
receive a request for access as part of a Project Proposal.
all cases users use terminal services inside the walled garden to access their Virtual
Research Environment (VRE). See Figure A.9.1.2.1.
Each project is allocated a VRE and access is provided to research team members.
Data that is classified as IRC-Confidential is accessible from anywhere within the
campus using university equipment or a secured link from remote computers. Refer to
the Teleworking policy (A.6.2.2).
Firewall rules and Network Access Controls are in place to ensure that data residing
on servers that have a classification of IRC-Secure can only be accessed from a
registered thin-client device in a safe room or other secure location.
The DST will email the disabled account holder to ask them to return their MFA token.
The DST maintains an IRC user register of active users, tokens, training and
association with projects for current and past users.
The process of assigning access to a VRE follows the principle of assigning ‘least
privileges’. Active Directory groups are used to assign rights and control access to
specific folders within a project area.
Researchers or third parties are provided with access to the secure file transfer
system if needed. Requests are managed through the DST.
All users will access a VRE using an IRC Active Directory account via a thin client
remote access gateway. VRE access will be subject to two-factor authentication for
all users and locations without regard to the classification of the data hosted within
the VRE.
Passwords are changed and standards are enforced as per the UoL Password
Management. All IRC user passwords are created, issued to users and stored within
the IRC Active Directory service. System passwords (services and applications) are
stored within an encrypted Key pass safe which is only accessible by DST members.
Researchers are responsible for the safe keeping of their own passwords.