Authorization and Access Control
IT Resource Security Standards - Authorization Access Control
All IT Resources are to be configured in a manner that allows individuals only the minimum privileges required to complete the task assigned to them. Privileges assigned to individuals must be reviewed on a regular basis, and modified or revoked upon a change in status with the University.
- Access controls must be applied that limit individuals abilities to modify production data in an unrestricted manner, or access data they have no reason to access.
- Access controls must allow individuals enough privileges to modify production data in a manner approved by management.
- Access controls should include lockout capabilities (automated highly preferred) including a maximum number of connection or login attempts and a lock out time duration.
- Testing or attempting to compromise internal controls, when outside the scope of an individuals employment duties with the University of Winnipeg (includes attending students of the University), is prohibited unless specifically approved in advance and in writing by the Executive Director, Technology Solutions Centre.