Access to Information Technology Resources and Systems 6003

I. PURPOSE

The purpose of this policy is to identify the requirements for granting, maintaining and terminating users' access to university information technology (IT) resources and systems.

II. DEFINITION

Sponsor: A sponsor is a professional of Longwood who requests access to IT resources and systems for a not Longwood affiliated user, assumes responsibility for that access and the user's adherence to the Acceptable Use of IT Resources and Systems Policy and maintains communication with Information and Instructional Technology Services (IITS) as necessary regarding the given access.

III. POLICY

In general, access to and use of university IT resources and systems will be limited to persons directly affiliated with Longwood. Exceptions to this limitation are permitted under certain conditions subsequently described.

  1. Longwood Affiliated
    1. Learners: any persons enrolled, including full or part-time students and degree or non-degree seeking students, or those accepted into an established academic program.
    2. Professionals: any persons employed by, or retired from, the university or Foundation, including:
      1. Faculty holding either permanent or temporary appointments.
      2. Adjunct Faculty
      3. Instructors
      4. Visiting Faculty
      5. Staff holding either part-time or full-time positions
  2. Not Longwood Affiliated: Access to and use of IT resources and systems by persons not directly affiliated with Longwood must involve work to be performed, sponsorship and approval.
    1. Nature of the Work: Must satisfy at least one (1) of the following conditions: 
      1. the work relates directly to or is in support of university sponsored activities.
      2. the work involves use of IT resources and systems available only from Longwood and can be accommodated without disruption to established workloads.
    2. Sponsorship of Access: Requests for access by persons not directly affiliated with Longwood must be sponsored by a professional of Longwood who agrees to assume responsibility for use and adherence to the Acceptable Use of IT Resources and Systems Policy
    3. Approval of Access: Requests must be submitted by the sponsor in writing to the Chief Information Officer for approval. Requests must identify the person(s) needing access, describe the access needed, indicate the duration of the access (not to exceed 1 year), and provide contact information for the individual receiving access or the organization he or she represents.
  3. Granting Privileges: Access to IT resources and systems is granted only for the resources and systems that are necessary for an individual to perform his or her duties, is explicitly granted by the data owner or his or her designee to an individual and is assigned via a unique access account/ID. Authentication is required at the time of access through the use of a password, ID card, etc. (see Authentication Policy).
  4. Accountability:The owner of an access account/ID is accountable for its use. It is the ID owner's responsibility to protect the integrity of accessible systems and preserve the confidentiality of accessible information as appropriate. Beyond the account/ID creation process any subsequent access to any discrete resources and/or data must be authorized by the appropriate data owner. Under no circumstances can the data owner, the data owner's authorized alternate or any other individual authorize access for him or herself.
  5. Terminating Access:
    1. General Requirements: Access will be promptly terminated when the need for that access no longer exists. The Information Security Officer or his or her designee reserves the right to suspend and/or terminate any access privileges he or she determines to be a potential threat to the confidentiality, integrity or availability of any sensitive IT resources and systems.
    2. Specific Requirements:
      1. Professionals:access will be terminated after a period of 12 months of account inactivity.
      2. Learners:
        1. Access granted for learners as part of their employment by the University will expire no later than the end of each academic year.
        2. Academic Unix server access for students will be reviewed every six months for inactivity and inactive accounts will be subsequently removed.
  6. Access Reviews:Commensurate with sensitivity and risk, all access will be reviewed periodically for accuracy by the data owner(s).
  7. Exceptions and Exemptions: Exceptions to or exemptions from any provision of this policy must be approved in writing by the Chief Information Officer or his or her designee.

IV. ENFORCEMENT 

The university regards any violation of this policy as a serious offense. Violators of this policy are subject to disciplinary action, in addition to possible cancellation of IT resources and systems access privileges. Users of IT resources and systems at Longwood are subject to all applicable local, state and federal statutes. This policy does not preclude prosecution of criminal and civil cases under relevant local, state, federal and international laws and regulations.

Approved by the Board of Visitors, September 7, 2002.
Revised March 20, 2004.
Revised April 1, 2005.
Revised and approved by the Board of Visitors, September 15, 2006.
Revised and approved by the Board of Visitors, December 7, 2007.
Revised and approved by the Board of Visitors, September 12, 2008.
Revised and approved by the Board of Visitors, March 27, 2009.
Revised and approved by the Board of Visitors, March 26, 2010.
Revised and approved by the Board of Visitors, September 14, 2012.

Access to Information Technology Resources and Systems Procedures