Authorization and Access Control

All IT Resources are to be configured in a manner that allows individuals only the minimum privileges required to complete the task assigned to them. Privileges assigned to individuals must be reviewed on a regular basis, and modified or revoked upon a change in status with the University.

• Access controls must be applied that limit individual’s abilities to modify production data in an unrestricted manner, or access data they have no reason to access.

• Access controls must allow individuals enough privileges to modify production data in a manner approved by management.

• Access controls should include lockout capabilities (automated highly preferred) including a maximum number of connection or login attempts and a lock out time duration.

• Testing or attempting to compromise internal controls, when outside the scope of an individual’s employment duties with the University of Winnipeg (includes attending students of the University), is prohibited unless specifically approved in advance and in writing by the Executive Director, Technology Solutions Centre.

All authorized third parties, including contractors, consultants or other non-employees must only be given access privileges to IT Resources when the IT Resource owner or designate determines that they have a legitimate business need. These privileges must be enabled only for the time period required to accomplish approved tasks and then promptly disabled upon completion of those tasks