Policy Introduction and Purpose

This policy is concerned with Access control and refers to selective and managed access to University data and information assets and information systems. Access includes consuming, using, or in any other sense deploying an information asset or system resource.

This Access Control Policy is an extension and expansion of the University’s Regulation 31. This Access Control Policy applies at all times and must be adhered to by all individuals accessing the University’s data and information assets and systems in any format.

Scope and Definitions

This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades), all directors, employees, visiting professors, contractors, students, interns and third parties who may need to access University of Warwick (herein the University) data and information assets and systems in the course of their work or study, including system support staff with access to privileged administrative passwords. Herein the term “individual” is used inclusively.

Access control refers to selective and managed access to University data and information assets and information systems. Access includes consuming, using, or in any other sense deploying an information asset or system resource.

This Access Control Policy describes the University’s primary access controls. Additional controls may be in place within individual departments, teams, functions or business units, and individuals should ensure that they adhere to any additional controls where required.

Responsibilities

Policy Responsibilities

The CITO is responsible for the production, maintenance, communication and review of this top-level policy document and all sub-policy documents within the Information Security framework.

Operational Responsibilities

Principles of this Policy

Access control is a vital component of information security. Information security consists of three key areas – technical, physical and personal:

• Technical security is the protection and safeguarding of all electronic information assets, computing devices and systems. Controls include authentication, access permissions, computing device protection and network connection requirements. These controls and safeguards ensure that only authorised individuals can safely perform actions or access University data and information.

• Physical security is protection of assets against real-world physical threats, such as unauthorised physical access and theft. It typically involves physical controls such as protective barriers and locks, lockable storage, and secure physical disposal.

• Personal security is about promoting vigilance by all individuals and an effective security culture and deterring or significantly hindering those seeking to cause harm.

Effective access control and information security requires the integration of all three.

Technical Access Control

1. All University data and information must only be accessed, stored or processed on University approved computing devices, which meet the University minimum security requirement for computing devices.

2. The University minimum security requirement for computing devices is published separately, see Information Security Framework for more details. Additional guidance, for example about purchasing new computing devices and how to use the purchasing portal, or the University upgrade and migration service, is also available separately.

3. Computing device means all types of device, including desktop and laptop computers, all forms of tablet, all types of mobile devices, all servers, and all other standard devices with the capability to access University systems, whether University managed, University registered, or personal.

4. All computing devices must have an assured level of encryption for the protection of University information; see Information Security Framework for more details.

5. All computing devices must have vendor-supported operating system and all software must be patched with the latest updates, see Information Security Framework for more details.

6. All computing devices supporting an authentication mechanism such as password and/or PIN must have this mechanism switched on.

7. The University minimum security requirement for computing devices includes enrolment in the prevailing University asset tracking and monitoring solution.

8. Devices not meeting this minimum security requirement for computing devices must not be used to access or process University data and information and will be denied access.

9. It is the responsibility of individuals to ensure they are familiar with relevant information management and security policies and good practice and to take steps to ensure that they are processing University data and information on compliant devices.

10. It is the responsibility of University management and support staff to ensure individuals have access to appropriate training, information and support to allow them to meet their data and information management responsibilities.

11. IT Services are normally responsible for the creation of user accounts and the allocation of access privileges to all University applications, systems and networks. However, some systems will have a separately allocated administrator responsible for granting and removing access (for example SITS).

12. Access to systems will be monitored and reviewed.

13. University employees will only be granted access to data and information appropriate to their roles and responsibilities, using Active Directory and Group Policy domain security.

14. The Director of IT Services will control allocation of domain administration access accounts.

15. Every user who requires access to a University IT system must have a personal user ID for the network and any IT System they will use. Only this ID can be used, unless specific business requirements dictate a specific limited exception authorised by the Director of IT Services.

Physical Access Control

16. Physical information security includes doors, locks, cupboards, security gates and any other physical barriers designed to protect data and information assets. It also encompasses buildings having 24hr security with access by either ID card or signed-for visitor badges.

17. Lockable cabinets, cupboards or drawers are provided for employees as appropriate so that they can keep personal belongings and information assets secure while they carry out their duties.

18. Passwords for keypad operated key safes should be changed in the following circumstances:

• When an employee with access changes departments.

• When an employee with access leaves the organisation.

19. Access to non-public University buildings is controlled, but local controls will vary. ID card readers are located at entry and exit points where required, excluding exits designated for emergency use only. Where necessary these are also covered by CCTV and are checked regularly by University Security. Usage of each ID card reader to gain access is recorded.

20. Doors that grant access to sensitive areas must be locked if the rooms are empty or unsupervised, and they must be closed if data and information of a sensitive nature is being processed, for example:

• Post, server and communications rooms

• Project or business management rooms

• Research laboratories and work areas

• Specific or specialist identified rooms – determined by senior managers

22. Filming or taking photos of protectively marked data and information either on-screen or in hard copy is not permitted. When filming takes place in University buildings and offices, content must be reviewed before visitors leave.

23. Where security risks are considered high the use of CCTV is employed as a deterrent to intruders and to provide a means of retrieving relevant information should an incident occur.

24. The primary function of CCTV cameras is the protection of all University assets. The cameras will be used, where possible, to offer some protection to employee’s property although this is a secondary function. Systems will be reviewed at regular intervals to ensure they are still appropriate for the task and modified to reflect any changes to the building or areas covered by the cameras.

25. Access to any other footage from the CCTV cameras can only be done with the permission of the Data Protection Officer. CCTV is not a means of monitoring employee’s movements even though they may occasionally be captured on video when it is active.

Personal Access Control

25. All individuals must set and use robust passwords to access University data and information and systems, details can be found in the Information Security Framework.

26. All individuals who have elevated device or system privileges must use enhanced authentication as detailed in the Information Security Framework.

27. Individuals must not re-use their University credentials or passwords in other applications and systems outside of the University, for example online banking, personal email accounts or social media.

28. Any classified information in hard copy or stored on encrypted removable media should be secured when you are not in sight of your desk.

29. Individuals must always keep their access cards in a safe place when not at their place of work or study and must inform Security immediately if they lose their access card or believe it to be stolen.

30. Security passes must be issued to all contractors, temporary employees and any other person who need access to the University’s premises for any authorised reason, other than members of the emergency service.

31. ID cards will be issued to all individuals and must be returned when individuals leave the University. It is the resource manager’s responsibility to ensure these are returned.

32. Postal / delivery service visitors must follow University procedures and instructions by University Security and University reception or porter staff.

33. Contractors, visitors and postal / delivery service visitors will be isolated from information processing unless this has been agreed in advance.

34. All visitors to University non-public buildings must be issued with a temporary pass which clearly identifies them as a building visitor giving their name, the organisation they represent and an expiry date. All visitors must be recorded.

35. Visitors must display their passes prominently at all items while they are on University premises and should be courteously challenged if the badges are not displayed.

In addition to the above controls, all individuals:

Must:

• Lock their screen when out of sight of their desk and workstation.

• Log out of desk phones at the end of the working day or when off premises or away from the work desk for long periods of time.

• Lock away laptops, Surfaces and other University devices at the end of the day or if away from the work desk for long periods of time.

• Log off applications once they have finished using them.

Must not:

• Share their passwords with others.

• Attempt to gain access to data, information, files, file servers, computers or systems to which they have not been authorised.

• Leave sensitive areas, materials, devices or systems in an unlocked state when unattended.

• Permit others to use their access card to enter any controlled non-public building or room.

• Allow access to others when entering the building, unless clearly identified via ID card or visitor badge.

If in doubt individuals must contact the University IT Services and Support or the Security and Information Management team.

Exemptions

‘Exemption requests’ under this policy must be submitted to the CITO or their designate. Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.

This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.

Compliance Monitoring

All policies linked to this policy will be monitored and compliance performance will be reported monthly by Information Asset Owners to the University Information Management Committee.

A failure to comply with any of the linked policies will be deemed to be a disciplinary offence and will be subject to the University Information management Executive Committee escalation process and may lead to proceedings being taken through the University Disciplinary Process.