
IMP08: Information Access Control Policy

Information Classification - Public

Policy Introduction and Purpose

This Policy sets out the requirements to access University information assets, systems, and infrastructure. It ensures that only authorised individuals can engage with these resources, thereby safeguarding sensitive data and supporting the University community’s safety and security.

Implementing access controls helps prevent unauthorised access, data breaches, and misuse of information. Additionally, the Policy ensures compliance with legal and regulatory requirements, fostering a secure environment for academic and administrative activities.

Overall, the Policy is essential for maintaining the confidentiality, integrity, and availability of University information and the safety and security of its community.

Scope

The Policy covers everyone who has a contractual (formal or informal/implied) relationship with the University, including employees, students, visiting academics, and consultants. This list is not exhaustive.  

Additional controls may be in place within individual departments, teams, functions or business units, and individuals must ensure that they adhere to any additional controls where required.

Responsibilities (Policy and Operational)

The Chief Information Security Officer (CISO) retains overall accountability for this policy and for ensuring the Policy meets legal and regulatory requirements; for keeping this Policy up to date; and for ensuring that controls, checks, and audits are carried out as part of compliance with this Policy.

Operational Responsibilities

Adherence to this Policy and its supporting Standards and Standard Operating Procedures (SOPs) is achieved by following the Policy principles and the technical, physical and administrative controls it contains. It is everyone’s responsibility to ensure that they follow this Policy. 

Role and Function

  • Designate of Head of Department (e.g. academic lead on research, individuals with delegated authority for information, system administrators): Responsible – for overseeing compliance with the Policy within their areas of responsibility.
  • Head of Department (or equivalent): Accountable – for compliance with this Policy within their Department.
  • Information Risk and Compliance Team (with escalation to the CISO and CITO required): Consult – to discuss organisational-level compliance with the Policy.
  • IDG Digital Business Partners: Inform – must be informed of the content of the Policy so that they can communicate it to their departments.

Principles of this Policy

Information access control is a vital component of information security. Information access control consists of three key areas – technical, physical and administrative.

The information access controls in operation at the University are set out as follows:

Technical Controls

Technical security is the protection and safeguarding of all electronic information assets, computing devices and systems. Controls include identification and authentication, role-based access permissions, computing device protection (e.g. encryption) and network connection requirements such as a Virtual Private Network (VPN) or firewall.

  • All digital data and information used for University work must only be accessed, stored or processed on University approved computing devices, which meet the IT Asset Management Standard (currently in development) and University minimum security requirements for computing devices.
  • All computing devices must have an assured level of encryption for the protection of University information in accordance with the Encryption Standard.
  • All computing devices must have a vendor/partner-supported operating system and all software must be up to date with the latest security updates.
  • All computing devices must support authentication mechanisms such as passwords, PINs and multi-factor authentication (MFA) in accordance with IMST 02 Password Management Standard. In line with the Standard, where MFA is available, it must be used.
  • Devices not meeting the minimum security requirement for computing devices must not be used to access or process University data and information and will be denied access to University systems and information.
  • System administrators must maintain logs of access to systems and information assets.
  • University employees will only be granted access to data and information appropriate to their roles and responsibilities. The University uses network and resource access control to authenticate and authorise access, based on the user or device identity.
  • IDG controls the allocation of privileged accounts; a business case for their use must be submitted for review upon request.
  • Every user who requires access to a University IT system must have a personal user ID for the network and any IT System they will use. Only this ID can be used, unless specific business requirements dictate a specific limited exception authorised by IDG.
  • All University managed computers must have a mandatory five-minute screen-lock policy applied, except for Student devices and those within teaching work areas. Devices must be locked when workstations are out of sight of the individual.

Physical Access Control

Physical security is the protection of information assets against real-world physical threats, such as unauthorised physical access and theft. It typically involves physical controls such as protective fencing, barriers, turnstiles and locks, lockable storage, guards, access control cards, CCTV, intrusion detection sensors, external building security, and secure doors and windows.

  • All University members are issued University identity (ID) cards. These cards control access to University non-public facilities. These cards remain the property of the University and must be returned prior to termination of an individual’s contractual relationship with the University.
  • All individuals carrying out work on behalf of the University must wear their ID card visibly when in non-public University facilities.
  • ID cards must be issued to all contractors, temporary employees and any other persons who need access to the University’s non-public premises for any authorised reason, other than members of the emergency services.
  • ID cards must be shown upon request to any University member of staff or authorised personnel.
  • ID cards (with the exception of temporarily issued visitor passes which will have ‘visitor’ and a valid date visible) must always clearly show the name and a photograph of the true likeness of the card holder. Avatars or similar images will invalidate the card. Any damaged or vandalised cards must be replaced immediately.
  • ID Cards are issued to all University members, contractors, temporary employees and others who require access for specific purposes linked to University business and operations and must be returned when individuals leave the University. It is the line manager’s (or individual with equivalent responsibility for temporary visitors) responsibility to ensure these are returned.
  • The ID card access expiry date for University members must not exceed the date of the end of the contractual relationship with the University. All access rights must be immediately rescinded upon the end of the contractual relationship.
  • Individuals must always keep their ID card in a safe place when not at their place of work or study and must inform Community Safety immediately if they lose their access card, or believe it to be stolen.
  • Failure to comply with any of the listed controls related to ID cards may result in disciplinary action being taken. Community Safety reserves the right to remove individuals from University premises in response to instances of non-compliance with these clauses.
  • Lockable cabinets, cupboards or drawers may be provided for employees as appropriate so that they can keep personal belongings and information assets secure while they carry out their duties. This must be managed in line with IMST 03 Handling Information Standard.
  • Passwords and PINs for keypads must be in line with the requirements of IMST 02 Password Management Standard and must be changed whenever an employee no longer needs access, for example:
      • When an employee with access changes departments.
      • When an employee with access leaves the organisation, or where their access is suspected to present a security risk.
  • Access to non-public University buildings is controlled, but local controls will vary. ID card readers are located at entry and exit points where required, excluding exits designated for emergency use only. Where necessary, these are also covered by CCTV and are checked regularly by Community Safety. Usage of each ID card reader to gain access is recorded and data for usage retained for 31 days as standard practice or longer for investigation purposes in response to incidents.
  • Everyone must be vigilant to the potential for unauthorised people to ‘tailgate’ them (follow an individual through a door or barrier) into an area containing information assets or digital IT infrastructure. If they feel confident to do so, individuals should politely ask for proof of authority when they suspect someone lacks access rights. If they don’t feel confident to do so, they must contact Community Safety.
  • Doors to areas with restricted access must be locked if the areas are empty or unsupervised, and they must be closed if data and information of a sensitive nature is being processed. Where a space requires an access permit, the permit must be granted before an individual enters the space. Sensitive areas may include, for example:
      • Post, server and communications rooms
      • Project or business management rooms
      • Research laboratories and work areas
      • Specific or specialist identified rooms – determined by senior managers
  • Filming or taking photos specifically of sensitive information, either on-screen or in hard copy, is not permitted unless explicitly authorised by the data owner.
  • Where filming or photography takes place in proximity or view of sensitive information in any University premises, content must be reviewed by a University member prior to any distribution of the content to ensure that sensitive content has not been captured.
  • Where security risks are considered high, the use of CCTV is employed to gather evidence and as a deterrent.
  • Camera systems will be reviewed at regular intervals to ensure they are still appropriate for the task and modified to reflect any changes to the building or areas covered by the cameras.
  • The Community Safety team have access to CCTV footage and any access beyond that must be agreed by the Data Protection Officer.

Administrative Access Control

Administrative controls relate to how University members conduct work, ensuring that security is embedded in processes to protect information.

  • In line with IMST 02 Password Management Standard, individuals must not re-use their University credentials or passwords in applications and systems outside of the University, for example online banking, personal email accounts or social media.
  • Information classified above ‘public’ (see IMST 01: Information Classification Standard) in hard copy or stored on encrypted removable media must be secured when members are not in sight of the hard copy or removable media.
  • In the case of members moving between roles in the University, it is the responsibility of the line manager of the post being vacated to ensure that access rights have been rescinded where appropriate.
  • Postal/delivery service visitors must follow University procedures and instructions by Community Safety and University reception or porter staff.
  • All visitors to University non-public premises must be issued with a temporary pass which clearly identifies them as a building visitor giving their name, the organisation they represent and an expiry date. All such visits must be logged.

Exceptions

Exception requests under this policy must be submitted to the CISO or their designate. Authority to approve exception requests is delegated to the Information Risk and Compliance Team. Activities that have received prior approval by the Research Governance and Ethics Committee will be exempt, but the CISO must be notified.

This policy may have an impact on users of assistive technology or assistive software dependent on circumstances. These individual cases will be considered on a case-by-case basis.

Compliance Monitoring

All members of the University are expected to comply with this document as part of the Information Management Policy Framework (IMPF). Where breaches of the IMPF present a significant risk, including those falling under Regulation 23 (Student Disciplinary Offences) and Regulation 31 (Information Management, Security and Records Management), they will be subject to the appropriate student or staff disciplinary procedure, or to the applicable contractual terms for staff not employed directly by the University or for contractors.

It is the responsibility of all members to report any instances of non-compliance to the Information Risk and Compliance Team. This can be done via the Self Service Portal. This team monitors adherence to the IMPF using reported data and other available tools.

Where issues require escalation or further review, they will be referred to the Information Security and Data Protection Committee via the Chief Information Security Officer (CISO), and will involve either the Conduct and Resolution Team or the Employee Relations Team, as appropriate.

Version: 1.0
Date Created: August 2025
Date Published: 26 January 2026
Next Review: January 2029
Notes: Policy replaced IS02: Access Control Policy
