9.8.4 Procedures for Requesting, Granting, and Removing Access to the Enterprise Data Repository
I. Introduction
The following procedure for requesting and granting access to data contained within the Enterprise Data Repository (EDR) is designed to ensure that requests for access receive appropriate approvals and are fully auditable. This procedure includes the steps to request, authorize, modify, review, and revoke access to the Enterprise Data Repository. Any appeals or variations to this procedure must be approved by the University's Data Stewardship and Information Technology Services Council (Stewardship Council).
II. Appointment of Unit Security Liaisons
The Dean, Director, or Department Head for each department is responsible for appointing a primary Unit Security Liaison (USL) and a backup USL. The Dean, Director, or Department Head should notify the Information Security Officer by email (ATISO@ilstu.edu) of the appointment and include the liaison's first name, last name, ULID, and department code. Any future changes to the primary or backup USL appointment, must be submitted to the Information Security Officer by email.
The primary USL is the principal contact for matters related to data security. In the absence of the primary USL, the backup USL may submit access requests. As individuals cannot submit access requests for themselves, the backup USL is responsible for requesting access for security required for the primary USL.
Annually, the Dean, Director, or Department Head will review and confirm individuals who have been designated as a primary or backup USL. If the Dean, Director, or Department Head fails to complete the confirmation process within the time frame designated by the Information Security Officer, the privileges of the primary and backup USLs will be suspended until such time as the confirmation process is completed.
Upon appointment, the primary USL should review the department's current access list to become familiar with the types of access that have been granted to department personnel. A new primary or backup USL is required to complete the mandatory USL training. This training is arranged by contacting the Information Security Officer. Once the primary or backup USL has completed training, they will be granted access to the access request fulfillment form and access reports.
Annually, the USL is required to attend USL refresher training and review and confirm that the access granted to department users is appropriate and authorized. If, as a result of the review, a department users' access needs to be changed, the USL will submit the change through the access request fulfillment form. If the USL does not complete the mandatory refresher training within the time frame designated by the Information Security Officer, the privileges of the USL will be suspended until such time as the training is completed.
III. Processing of Access Requests
The Information Security Officer will work with Data Stewards to create a request fulfillment form that includes the information that Data Stewards will need to determine whether a request should be approved.
To obtain access to the Enterprise Data Repository (EDR), an individual must meet the criteria listed under the Access section within Policy 9.8, Policy on Security of Information Technology Resources and Systems. If the individual meets the Access requirements, the USL will ensure that the user completes any required compliance forms and training and will request access through the access request fulfillment form. When requesting access, the USL will ensure that the access is necessary for the individual to meet their job responsibilities and that the level of access is appropriate. If the USL has a question about the appropriate level of access, they should contact the Data Steward responsible for that portion of the EDR. Note that the Information Security Officer does not have enough knowledge about the business processes of a unit to offer advice on the appropriate access for a particular employee.
In the absence of the Master Access Plan, or if the request is outside of the Master Access Plan, the Data Steward, or their designee, will review the request to ensure that the correct access role was requested and that the level of access is appropriate. If the request is appropriate, the Data Steward, or their designee, will forward the approved request to the Security Administrator, who will enter the access into the appropriate system. The Security Administrator will notify the Data Steward and USL when the access has been entered into the system. The USL will notify the user that the access to the system has been granted.
If the request is not appropriate, the Data Steward, or designee, will notify the USL that the access is not appropriate. If the Data Steward, or designee, decides that the individual should not have access, the notification will contain the reasons for disapproving the access.
If the Data Steward, or designee, decides that the individual should have a different access, the notification will include the appropriate level of access that should be requested. Upon receiving this notification, the USL will submit a new request with the appropriate access.
The access request from the USL, the approval by the Data Steward, and the entry of the security into the system by the Security Administrator will be logged in the request fulfillment system. Periodically, the Information Security Officer will produce reports comparing the requested access against the actual access entered into the system for audit purposes.
If the USL disagrees with the decision of the Data Steward, or their designee, they will notify their Dean, Director, or Department Head. The Dean, Director, or Department Head should contact the Data Steward to discuss why the individual should have the requested security. If the Dean, Director, or Department Head and the Data Steward cannot agree on the appropriate access, then the matter may be referred to the Stewardship Council for consideration. The Stewardship Council will use its own process to consider the request and will notify the Dean, Director, or Department Head and the Data Steward of its decision.
IV. User Training
After a security access request is approved, the USL is responsible for determining whether the access requires the user to attend specific training (e.g., FERPA or HIPAA) on a periodic basis. If the user is required to attend supplemental training, the USL will schedule the training with the appropriate office as soon as possible. If the user does not attend the training in the time frame established by the sponsoring office, then the access of the individual will be suspended until such time as the training is completed.
V. Change of Access
When a user changes positions or duties for which they have been granted access, the USL will request a revocation of the access through the Access Request Fulfillment Form in accordance with the Master Access Plan, immediately.
The USL of the new unit will request the new access in accordance with Section III, Processing of Access Requests using the Access Request Fulfillment Form.
When an employee ends employment for any reason (i.e. termination, resignation, retirement, access will be revoked/modified according to the Master Access Plan the last day of employment or within one day of termination if no advance notice is given.
VI. Audit/Review of Access
Inactive Accounts
Every six months, the Information Security Officer will create a report of all security accounts that have not had activity for 180 consecutive days. The report will be sent to the appropriate USL. If the USL does not respond in the time frame established by the Information Security Officer, the Security Administrators will be instructed to suspend the access of the inactive accounts. The reason for the suspension will be noted within the request fulfillment system.
Annual Review of Access
Annually, the Information Security Officer will create a report of all users granted access to data by a particular Data Steward. The report will be sent to the Data Steward who will review and confirm that those individuals should still have access to the data. If the Data Steward decides that an individual should no longer have access to data, the Data Steward will notify the USL and a Security Administrator. The Security Administrator will remove the access and note the reason in the request fulfillment system.
Comprehensive Review of Security Roles
Every three years, the Stewardship Council will conduct a comprehensive review of all security roles for which they are responsible. The Data Steward will be responsible for making any changes to the roles within the production system.
Terminated Employees/Affiliated Members
Every two weeks, the Information Security Officer will create a report of users that are no longer employees or affiliated with the University. The report will be sent to the Security Administrators who will immediately revoke access and note the reason in the request fulfillment system.
Transferred Employees
Quarterly, the Information Security Officer will create a report of users who have changed positions within the University. The report will be compared against the user's current access. If the access to the old department is still in effect, the report will be sent to the USL of the old department. If the access should be revoked, the USL will create a request in accordance with Section V, Revocation of Access.
VII. Emergency Access Requests
Urgent or compelling circumstances that require immediate changes in access (authorizing, modifying, or revoking access to a University Information Technology system or resource) to University IT Resources and Systems must originate from the President or an authorized individual in one of the following offices: Illinois State University Police Department, University Ethics Office, Office of General Counsel, or the Office of Human Resources.
The originating office will contact the Information Security Officer at 438-4877 to begin action on the request and complete an Emergency Request Form. The Information Security Officer will act as liaison between the originating office and the data custodians to fulfill the request.
Last Review: July 2013