Identity & Access Control

Safeguards for Domain 8
Information Security & Privacy Program

In order to provide appropriate access to information and systems and to prevent unauthorized access, safeguards based on business and legal requirements must be identified and applied. Controlling access to personal information is a key element of providing information privacy.

Standards-based expectations for this Domain		IU's Implementation of Safeguards for this Domain
Business Requirements for Access Control	Documentation of access control policies and rights is necessary to provide appropriate access to information, and must be based on business, security, and privacy requirements.	Policy IT-03: Eligibility to Use Information Technology Resources Who may have an IU computing account? \| IU Knowledge Base At IU, what computing accounts are available to people who are not students, faculty, or staff? \| IU Knowledge Base IU Policy on Student Records: Release of Student Information Policy \| Office of the Registrar
User Access Management	Procedures covering the full life-cycle of user access, from initial provisioning to final de-provisioning, should be in place to ensure authorized user access and to prevent unauthorized access.	What computing accounts are available at IU? \| IU Knowledge Base How do I get access to IU institutional data and applications? \| IU Knowledge Base What are the ADS service policies at IU? \| IU Knowledge Base Policy IT-02: Misuse and Abuse of Information Technology Resources Policy I-580: Risks of Potential Identity Theft in the Use of Stored-Value and Payroll Deduct requires that ID Card offices, when responding to requests by Account Card Holders for additional or replacement cards, refer to and implement the relevant provisions of the university's Identity Theft Prevention Program to ensure that the risks of identity theft are minimized. Identity Verification
User Responsibilities	Users should be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment.	Users assent to the Acceptable Use Agreement for Access to Technology and information Resources prior to obtaining their first computing accounts at IU System administrators can use the agreement tool to verify that an employee has assented to the Acceptable Use Agreement - Access to Technology and Information Resources - Employees and on what date Passwords and passphrases \| IU Knowledge Base In Windows, how do I lock my workstation without logging off? \| IU Knowledge Base In Mac OS X, how do I password-protect my computer? \| IU Knowledge Base Data Security Agreement — Guidelines for Access and Use \| Used to inform of responsibilities and document when granting access to third parties
Network Access Control	Access to both internal and external networked services should be controlled.	IU's policy on Extending the University Data Network assigns responsibility for networking infrastructure at IU. IU's policy on Wireless Networking assigns responsibility for wireless networking at IU. At IUB, IUPUI, and IUN, how do I register my computer or other networked device? \| IU Knowledge Base At IU, how do I register my wireless Pocket PC, Windows Mobile, or Palm device with DHCP? \| IU Knowledge Base Network Access accounts (guest wireless access) at IUB, IUPUI, IUE, and IUN \| IU Knowledge Base The basics of VPN at IU \| IU Knowledge Base
Operating System Access Control	Security tools and procedures should be used to restrict access to operating systems to only authorized users.	On a computer, what are administrators and administrative rights? \| IU Knowledge Base What is the principle of least privilege? \| IU Knowledge Base
Application and Information Access Control	Application systems should apply access controls to limit access to only authorized users.	At IU, what is CAS? \| IU Knowledge Base Information about integrating CAS with a web site \| IU Knowledge Base For CAS, what is an application code? \| IU Knowledge Base Managed Active Directory groups at IU \| IU Knowledge Base Policy I-580: Risks of Potential Identity Theft in the Use of Stored-Value and Payroll Deduct requires applications that involve stored-value accounts and payroll deduct accounts for the purchase of goods and services on and off-campus, and payroll debit cards used by a limited number of university employees, to provide an automatic email response to an Account Card Holder at any time that his or her address is changed within the university's electronic systems. UISO InCommon Certificate Service UITS InCommon Root Certificate Installer
Mobile Computing and Telecommuting	The risks of mobile computing and telecommuting should be identified and appropriate security applied as appropriate. Mobile computing includes the use of laptops, PDA's, cell phones, etc. Telecommuting uses communications technology to enable personnel to work remotely from a fixed location outside of their organization.	Mobile Computing and Telecommuting Telecommuting Guidelines With an iPhone, iPod touch, or iPad, how can I secure my data? \| IU Knowledge Base What can I do to make my BlackBerry more secure? \| IU Knowledge Base About IU Secure wireless \| IU Knowledge Base Do you plan to travel abroad and take your university issued laptop computer, digital storage device, or any encryption products with you? The Export Control Office in the Office of Research Administration can help you determine if your university-issued electronic components require a license prior to international travel, can provide tips for international travel with information stored on electronic components, and can provide a list of sanctioned and restricted parties and entities with whom IU is prohibited by f

Indiana UniversityPublic Safety and Institutional Assurance

Identity & Access Control

Safeguards for Domain 8Information Security & Privacy Program

Business Requirements for Access Control

User Access Management

User Responsibilities

Network Access Control

Operating System Access Control

Application and Information Access Control

Mobile Computing and Telecommuting

Mobile Computing and Telecommuting

Safeguards for Domain 8
Information Security & Privacy Program