University Policy 95
Data Network Security and Access Control

Initially Approved:  August 25, 2006
Revised and approved: June 21, 2010
Revised and approved: March 28, 2011
Revised and approved:  August 27, 2012
Administering Office: Office of the CIO


 

      I.        Policy statement

Western Carolina University’s data network and university systems and resources are utilities that are vital to the operation of the university. As such, the university must insure that nothing is inadvertently added to or changed in the network and that adequate security is in place to prevent the disruption of the availability of these resources to the campus.

     II.        Scope and application of the policy

A.     This policy applies to all Western Carolina University faculty, staff, assistants, guests, consultants, volunteers, interns, temporary workers, and any other person who require authenticated accesses the university wired or wireless network.

 

B.     The policy applies to all Western Carolina University locations.

 

    III.        Definitions

A.     None

 

 

    IV.        Data Network Security Policies

The Information Technology (IT) Division’s Networking & Communications department has the responsibility for the design, maintenance and security of the university’s data network. To insure the integrity of the network:

 

A.     No device may be added to the network which does not conform to the approved list of devices, maintained and published by the IT Division, without prior approval of Networking & Communications. Rogue network devices will be automatically and immediately disabled upon detection.

 

B.     No individual or office may connect a device to the campus data network that provides unauthorized users access to the network or provides unauthorized IP addresses for users.

 

C.    Networking & Communications has the right to quickly limit network capacity to, or disable, network connections that are overwhelming available network bandwidth to the detriment of the university.

 

D.    Access to networking equipment in wiring closets, etc. is limited to the Networking & Communications staff or their designees.

 

E.     No consideration of changing the architecture of any part of the data network may be undertaken without the early and regular involvement of Networking & Communication Services.

 

     V.        Access Control Security Policies and Procedures

A.     General Principles

Consistent with the requirements of the North Carolina State Auditor, the general rule is that access to university IT systems/networks may only be granted to employees who have completed and submitted all requisite compliance documents described below.  For initial access and termination of access, the guidelines detailed below control access based upon the individual’s employment or appointment status.

Access to IT systems will terminate on an employee’s last work/contract date.  In cases where separations are deemed involuntary, Human Resources shall notify IT and access will be immediately terminated.

Hiring officials may not enter into employment contracts that commit the university outside the scope of this policy.

B.    Compliance documents needed for access

All employees with access to the data network are required to sign a confidentiality agreement (Attachment A), and the signed agreements must be maintained within the employees’ personnel records (Human Resources, Graduate School, Financial Aid, and Career Services, as the case may be). Supervisors are responsible for ensuring that everyone subject to this policy complies with this requirement. Confidentiality agreements signed by guest users and consultants, interns, volunteers and others are maintained by the department requesting access for them.

1.Employees – all of the following:

a.     Fully executed employment contract or a letter offer of employment that has been accepted in writing by the employee

b.     I-9

c.     W-4

d.     NC-4

e.     Employee data form

f.      Confidentiality (including FERPA) agreements

g.     Direct Deposit form

2.Guest Users / Consultants – all of the following:

a.     Fully executed contract or other engagement document

b.     Confidentiality (including FERPA) agreements

c.     IT Guest/Consultant access request form

3.Volunteers – all of the following

a.     Standard form of volunteer engagement document

b.     Confidentiality agreement

c.     FERPA agreement

d.     IT Guest access request form

 

C.    Access initiated through Human Resources

1.SPA Permanent Employees: will be granted access on the first day of their employment provided that complete and accurate employment compliance documents have been received by HR.  Access will be terminated on the last work date.  Early access cannot be granted.

 

2.EPA Non-Faculty Employees: will be granted access on the first day of employment provided that complete and accurate employment compliance documents have been received by HR.  Early access exceptions can be granted by the Chief Information Officer (CIO) in accordance with the exception procedures detailed below.  Access will be terminated on the last work date.

 

3.Tenured/Tenure-track Faculty: will be granted access on the first day of contract provided that complete and accurate employment compliance documents have been received by HR, or upon earlier processing by HR of complete and accurate employment compliance documents. Access will be terminated on the last day of the month of the contract end date.

 

4.Fixed Term Faculty Appointments: will be granted access on the first day of contract provided that complete and accurate employment compliance documents have been received by HR, or upon earlier receipt by HR of complete and accurate employment compliance documents. Access will be terminated on the last day of the month of the contract end date.

 

5.Adjunct Faculty:  will be granted access on the first day of contract provided that complete and accurate employment compliance documents have been received by HR, or upon earlier processing by HR of complete and accurate employment compliance documents. Access will be terminated at the end of the semester they are contracted to teach. Access will be terminated on the last day of the month of the contract end date.

 

6.Affiliate Faculty (unpaid faculty volunteers):  may be granted access during their engagement dates in accordance with the start and end dates of their engagement document provided that the requesting department submits complete and accurate guest user compliance documents to the Dean and CIO for approval and these have been processed by HR and IT. Access will be set to expire in accordance with these dates. The requesting department will also be responsible for notifying HR to terminate access prior to the expiration of the engagement if warranted. Access is valid for a maximum of 1 year and must be renewed if necessary.

 

7.Temporary/Hourly Workers:  will be granted access on their first day of employment provided that all employment compliance documents have been received by HR.  Access will be terminated on the last work date.  Early access cannot be granted.  The supervisor is responsible for notifying HR if early termination is necessary. Access is covered by appointment dates and monitored by HR.

 

D.    Access initiated through the Graduate School

1.Teaching and Lab Graduate Assistants: will be granted access on the first day of contract provided that complete and accurate employment compliance documents have been received by the Graduate School, or upon earlier processing by the Graduate School of complete and accurate employment compliance documents.  Access will be terminated at the end of the semester they are contracted to teach. The supervisor is responsible for notifying the Graduate School of any changes to the contract dates to terminate access early if necessary. 

 

2.Research Graduate Assistants:  may be granted access on their first day of contract, provided that complete and accurate employment compliance documents have been received and processed by the Graduate School, or upon earlier processing by the Graduate School of complete and accurate employment compliance documents.  The graduate student’s supervisor may then request access on the appropriate IT access form submitted to IT.  Access will be terminated on contract end date. The supervisor is responsible for notifying the Graduate School of any changes to the contract dates to terminate access early if necessary. 

 

E.     Access initiated through IT

1.Guest Users and Consultants:  may be granted access during their engagement dates in accordance with the start and end dates of their contract provided that complete and accurate guest user compliance documents have been received and approved by the CIO.  After the access request has been approved by the CIO, the documents will be forwarded to HR for processing.  Access will be set to expire in accordance with the approved dates. The requesting department will also be responsible for notifying the CIO to terminate access prior to the expiration of the contract if warranted.  Access is valid for a maximum of 1 year and must be renewed if necessary.

 

2.Interns and Volunteers:  may be granted access during their engagement dates in accordance with the start and end dates of their volunteer document for unpaid intern or volunteer services; provided that complete and accurate volunteer compliance documents have been submitted to the CIO with the access request.  After the access request has been approved by the CIO, the documents will be forwarded to HR for processing.  Access will be set to expire in accordance with the approved dates.  The requesting department will also be responsible for notifying the CIO to terminate access prior to the expiration of the engagement letter if warranted.   Access is valid for a maximum of 1 year and must be renewed if necessary.

 

3.Administrative Student Workers (students who need access to administrative systems):  may be granted access on their first day of employment provided that complete and accurate employment compliance documents have been received and processed by Career Services (non-work study) or Financial Aid (work study), as the case may be. The student’s supervisor may then request access on the appropriate IT access form submitted to IT. Access will be terminated on the last work date. Access must be re-requested and reauthorized at the beginning of each semester. Early access cannot be granted. The supervisor is responsible for notifying IT to terminate access early if necessary.

 

4.Others: may be granted access by the CIO in accordance with the exception procedures detailed below.  Accounts of this category will have a predefined access termination date and may be valid for a maximum of 1 year. The requesting department is responsible for notifying the CIO to terminate access. 

 

F.     Access initiated through the Chancellor’s Office and the Provost’s Office

1.Chancellor Emeritus Status:  will be granted access upon conferment by the university Board of Trustees of Chancellor Emeritus status in recognition of services to the University. The Chancellor’s Office will notify HR to terminate Chancellor Emeritus access.

 

2.Professor Emeritus Status

a.     Access will be granted upon the Chancellor’s recommendation to the university Board of Trustees for conferment of Professor Emeritus status in recognition of services to the University.

b.     If the Chancellor has not taken action concerning the conferment prior to a Professor leaving university service, access will be temporarily continued if paperwork requesting conferment has been approved by the appropriate College Dean and submitted to the Provost’s Office. Access continuation will require submission of the Guest Access form to IT prior to a Professor’s last day of work for the time interval between leaving the university and the conclusion of the annual Professor Emeritus conferment process.

c.       Disapproval at any level or inaction by the Chancellor ninety (90) days after completion of the Emeritus conferment process will result in temporary access being terminated. 

d.     The Provost’s Office will notify HR to terminate Professor Emeritus.

 

3.Trustees:  will be granted access upon their election or appointment and receipt by IT of complete and accurate guest user compliance documents, including a confidentiality agreement.  The Chancellor’s Office will notify IT when to terminate Trustee access.

 

    VI.        Exception to Access Control Security Procedures

In exceptional circumstances, a Dean or Vice Chancellor may request access for certain individuals for good cause.  Requests should be made in writing to the CIO and should include explicit and detailed purposes/reasons for the request and a defined period of time during which access is to be granted. These individuals are required to complete the same confidentiality agreement as employees.  This procedure should be used only in rare and exceptional circumstances, and the number and nature of requests for exceptions shall be closely monitored to ensure that the procedure is not abused.  Deans and Vice Chancellors will be responsible for obtaining requisite confidentiality agreements from individuals who have been granted access through this process.

   VII.        Audit Accountability

It is the responsibility of each department to provide timely notification of employment and termination to HR and IR in order to comply with the timeframes set forth in this policy.  Departmental notifications and personnel processing actions are subject to audit by the University’s Internal Auditor and by external auditors.  As such, the timeframes for compliance rest at the departmental level. 

  VIII.        Policy Review

This policy shall be reviewed and revised as necessary every 2 years.

    IX.        Related Policies and Resources

University Policies

University Policy #52: Use Of Computers and Data Communications

University Policy #97: Data Security and Stewardship

UNC Policy Manual: http://www.northcarolina.edu/policy/index.php

Guest Access Form


Attachment A

 

Confidentiality Agreement

 

The undersigned (the “User”), in the course of providing certain services to Western Carolina University (the “University”), may have access to or may acquire confidential personally identifiable information, including but not limited to student and/or employee names, addresses, telephone numbers, bank and/or credit card numbers, social security numbers, and income and credit history information.

 

User acknowledges that the University is subject tovarious state and federal laws regarding privacy and security of confidential information maintained by the University, including the Financial Services Modernization Act of 1999 (the Gramm-Leach-Bliley Act), the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Payment Card Industry (PCI) Data Security Standards, and the North Carolina Identity Theft Protection Act.  User acknowledges his/her responsibility to become familiar with and agrees to comply with applicable legal obligations, and agrees to cause any of his/her officers, employees, agents, and subcontractors to comply with these legal obligations.  User and any officers, employees, agents, and subcontractors shall also cooperate in every respect with University in its compliance activities.

 

User agrees to keep confidential all student education records, employee personnel records, and other personally identifiable information which is deemed to be confidential in accordance with applicable state and federal law and standards, as well as University policies and regulations, and will require that its officers, employees, subcontractors, and agents comply with the same.

 

User warrants that he/she is capable of safeguarding any confidential information accessed or acquired. User agrees that it will implement such safeguards as necessary to maintain the security and confidentiality of the information accessed or acquired, and that it will prevent the disclosure of the information except as required by law.  User will immediately report to University any unauthorized use or disclosure of the accessed or acquired confidential information.

 

User shall indemnify, protect, defend, and hold harmless the University and its trustees, officers, agents, employees, representatives, and assigns, and the University System of North Carolina and its governors, officers, agents, employees, representatives, and assigns from and against any and all claims, demands, suits, and causes of action and any and all liabilities, costs, damages, expenses, and judgments incurred in connection therewith (including but not limited to reasonable attorney’s fees and court costs) relating to or arising out of User’s or User’s authorized representative’s unauthorized use or disclosure of confidential information. This indemnification and hold harmless provision shall not apply or have force and effect if the User is an employee of the University.

 

 

___________________________________________                      ________________

Signature of User                                                                 Date

 

___________________________________________

Printed Name


 

 

Policy 95 – Data Network Security and Access Control

 

Access Control Procedures Checklist

 

All persons with access to the university network must sign a Confidentiality Agreement that is maintained in their personnel records for employees or by the requesting department for non-employees. Employee supervisors are responsible for having employees sign the agreement, and requesting departments are responsible for non-employee compliance with the requirement.

 

 

User Type

Access

Granted

 

Access

Access

Termination

SPA Permanent
Employee

HR on first day of work with completed employment compliance documents

Automatic with completed employment compliance documents received by HR

Last work date

EPA Non-Faculty Employee

HR on first day of contract with completed employment compliance documents

Automatic with completed employment compliance documents received by HR

Last work date

Tenured/Tenure-track
Faculty

HR on first day of contract with completed employment compliance documents or upon earlier processing by HR of complete and accurate employment compliance documents

Automatic with completed employment compliance documents received by HR

Access will be terminated on the last day of the month of the contract end date.

 

Fixed Term
Appointment Faculty

HR on first day of contract with completed employment compliance documents or upon earlier processing by HR of complete and accurate employment compliance documents

Automatic with completed employment compliance documents received by HR

Access will be terminated on the last day of the month of the contract end date.

 

Adjunct Faculty

HR on first day of contract with completed employment compliance documents or upon earlier processing by HR of complete and accurate employment compliance documents

Automatic with completed employment compliance documents received by HR

Access will be terminated on the last day of the month of the contract end date.

Affiliate Faculty
    (unpaid volunteers)

HR on start date of engagement document with guest user compliance documents approved by Dean and CIO.
Valid 1 year maximum

Manual request

End date of engagement agreement
(Requesting dept. notifies HR of termination prior to end date)

Temporary/Hourly
 Workers (including career services and financial aid students)

HR on first day of work with completed employment compliance documents maintained in HR/career services/financial aid.

HR to monitor

Automatic with completed employment compliance documents

Last work date or access may be terminated if employee does not submit time for more than 3 pay periods (6 weeks).  This will be monitored by HR.  The supervisor is responsible for notifying HR to terminate access early if necessary.

Teaching and Lab
 Graduate Assistants

Graduate School on first day of contract with completed employment compliance documents or upon earlier processing by Graduate School of complete and accurate employment compliance documents

Automatic

Contract end date.  Supervisor contacts Graduate School for termination prior to contract end date.

Research Graduate Assistants

Graduate School on first day of contract with completed employment compliance documents or upon earlier processing by Graduate School of complete and accurate employment compliance documents.  Supervisor submits appropriate IT access form to IT

Manual

Contract end date.  Supervisor contacts IT for termination prior to contract end date.

Guest Users and
Consultants

CIO on start date of contract with completed guest user compliance documents provided by requesting department. Valid 1 year maximum

Manual

End date of engagement agreement.  Requesting dept. notifies HR of termination prior to end date.

Interns and Volunteers

CIO on start date of intern or volunteer engagement letter with completed intern or volunteer compliance documents provided by requesting department.  Valid 1 year maximum

Manual

End date of intern/volunteer engagement agreement.  Requesting dept. notifies HR of termination prior to end date.

Administrative
Student Workers
who need access to administrative systems

IT on first day of work with appropriate IT access form from supervisor

Reauthorize each semester

Manual

Last work date. Supervisor notifies IT of early termination

Others

CIO on first date requested in writing by Dean or Vice Chancellor
Valid 1 year maximum

Manual

Last date specified in written request from Dean or Vice Chancellor

Chancellor Emeritus

Board of Trustees conferment

Manual

Chancellor’s Office notifies HR

Professor Emeritus

Chancellor’s recommendation to Board of Trustees

Manual

Provost’s Office notifies HR

Trustees

Upon election/appointment and IT receipt of completed guest user compliance documents from the Chancellor’s Office

Manual

Chancellor’s Office notifies IT

 

Copyright by Western Carolina University      •      Cullowhee, NC 28723      •      828.227.7211      •      Contact WCU
Maintained by the Office of Web Services      •      Directions      •      Campus Map      •      Emergency Information      •      Text-Only

Office of Web Services