Affiliate User Access to Information Resources
- Purpose
The University of North Carolina School of the Arts (UNCSA) is committed to ensuring that all information technology (IT) resources, technology services, software, and systems that are acquired and used at UNCSA further the university’s mission and meet the university’s information security standards. UNCSA relies on affiliates in many capacities across the university. This Procedure establishes rules for affiliate access to UNCSA information resources. - Source of Authority
This Procedure is issued in support of Information Technology Security Regulation 512, and Information Technology Security Procedures 512(III)(D), Access Control. - Scope
This procedure applies to all vendors, contractors, consultants, and other third-party affiliates who access university information resources. This procedure applies to all university information resources, regardless of form or location, and the hardware and software resources used to electronically store, process, or transmit that information. This includes data processed or stored and applications used by the university in hosted environments in which the university does not operate the technology infrastructure.
All UNCSA employees involved in purchasing IT services, software, and systems must adhere to this procedure. - Definitions
- Affiliate. An affiliate is an individual who requires access to information resources to work in conjunction with the university but is not a UNCSA employee or student. Affiliates must have a sponsor who is an employee. Vendors, contractors, consultants, and other third-party providers who access information resources are considered affiliates.
- Information Security Program. The information security program is a set of coordinated services and activities designed to protect information resources and manage the risks associated with those resources. It includes regulations, procedures, standards, assessments, protocols, and training to govern the storage, accessibility, and security of information resources.
- Information Resources. As used in UNC System Policy 1400.1, “information resources are information owned or processed by the university, or related to the business of the university, regardless of form or location, and the hardware and software resources used to electronically store, process or transmit that information.” Information resources expressly include data, software, and physical assets.
- Procedure
The following procedure must be followed in all situations where university data or information resources are to be accessed by an affiliate:- Affiliate access to information resources is only permitted where there is a current, valid contract or service level agreement between the affiliate and UNCSA. Access to UNCSA information resources is only permitted where it is necessary to carry out the contractual agreements between the affiliate and UNCSA.
- UNCSA managers, supervisors, or other sponsors should request that an affiliate account
be created using the System Access Request Form.
- Requests for affiliate access to UNCSA information resources must be signed by the manager, supervisor, or sponsor requesting the access and must specify why the access is needed.
- Requests for affiliate access to UNCSA information resources must be counter-signed by the Chief Information Security Officer, the Chief Information Officer, a designee of the CIO, or a designee of the Chief Human Resources Officer.
- Affiliates must comply with all access form provisions, and applicable UNCSA policies, regulations, and procedures regarding the use, operation, and security of information resources.
- Each affiliate representative who plans to access UNCSA resources will need to submit a form. No generic or shared accounts will be issued.
- The Office of Information Technology or Office of Human Resources will review the System Access Request Form and create a Banner entry for the affiliate. The submission of the System Access Request form will trigger user account creation for the affiliate. Incomplete System Access Request Forms will be returned to the UNCSA manager, supervisor, or sponsor of the affiliate account for proper completion.
- The Office of Information Technology will review any requests for Remote Computer Access. If approved, Technology Support will work with the affiliate to ensure that the affiliate has remote, secure access to the UNCSA network as needed. The UNCSA VPN service requires multifactor authentication.
- Affiliate sponsors are required to notify the Office of Information Technology or Office of Human Resources when an affiliate account is no longer needed so that the account can be disabled.
- Affiliates requiring user account or VPN access in excess of one (1) year must reapply for such access using the process outlined above and must indicate that the access request is a renewal.
- Roles and Responsibilities
- All users of information resources, including affiliates, are responsible for following applicable UNCSA policies, regulations, and procedures regarding the use, operation, and security of university information resources.
- The Chief Information Officer is responsible for administering this procedure and providing guidance to senior leadership concerning affiliate access to UNCSA information resources.
- The Chief Information Security Officer shall be responsible for guiding the university's information security program and associated activities.
- The Information Security department in the Office of Information Technology is responsible for reviewing all affiliate requests for access to UNCSA information resources and ensuring affiliate access is only permitted where it is necessary to carry out the contractual agreements between the affiliate and UNCSA.
- The Office of Information Technology or Office of Human Resources is responsible for reviewing and processing the System Access Request Form and creating a Banner entry for the affiliate.
- Revision History
11/28/22– First issuance, approved by the UNCSA CIO - Related References
- University of North Carolina System Policy, Information Technology Chapter, Information Technology Governance 1400.1
- University of North Carolina System Policy, Information Technology Chapter, Information Security 1400.2
- University of North Carolina System Policy, Information Technology Chapter, User Identity and Access Control 1400.3
- ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls
- UNCSA Information Technology Security Regulation, 512
- System Access Request Form
February 20, 2023