Identity & Access Control

 Identity and Access Management

Safeguards for Domain 8
Information Security & Privacy Program

In order to provide appropriate access to information and systems and to prevent unauthorized access, safeguards based on business and legal requirements must be identified and applied. Controlling access to personal information is a key element of providing information privacy.

Standards-based expectations for this Domain IU's Implementation of Safeguards for this Domain

Business Requirements for Access Control

Documentation of access control policies and rights is necessary to provide appropriate access to information, and must be based on business, security, and privacy requirements.


User Access Management

Procedures covering the full life-cycle of user access, from initial provisioning to final de-provisioning, should be in place to ensure authorized user access and to prevent unauthorized access.

User Responsibilities

Users should be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment.

Network Access Control

Access to both internal and external networked services should be controlled.

Operating System Access Control

Security tools and procedures should be used to restrict access to operating systems to only authorized users.

Application and Information Access Control

Application systems should apply access controls to limit access to only authorized users.

Mobile Computing and Telecommuting

The risks of mobile computing and telecommuting should be identified and appropriate security applied as appropriate. Mobile computing includes the use of laptops, PDA's, cell phones, etc. Telecommuting uses communications technology to enable personnel to work remotely from a fixed location outside of their organization.

Mobile Computing and Telecommuting

Do you plan to travel abroad and take your university issued laptop computer, digital storage device, or any encryption products with you? The Export Control Office in the Office of Research Administration can help you determine if your university-issued electronic components require a license prior to international travel, can provide tips for international travel with information stored on electronic components, and can provide a list of sanctioned and restricted parties and entities with whom IU is prohibited by federal law from doing business with. Contact them at

Summary of Domain Objectives

The primary objectives of this domain are to ensure:

  • access control policies based on business requirements are documented
  • formal provisioning and de-provisioning procedures are in place
  • users assent to statements indicating their understanding of their responsibilities
  • access is removed or blocked for those who have changed roles or jobs or left the organization
  • sanctions for attempting unauthorized access are established
  • password allocation is managed securely
  • access control lists are reviewed at regular intervals
  • users are aware of requirements for selecting and protecting passwords
  • devices are locked or logged off when left unattended
  • documents are physically protected from unauthorized access
  • policy outlines who is allowed to access what services and how
  • remote access requires appropriate authentication methods
  • remote diagnostic and configuration port access are protected
  • network segregation is utilized as appropriate to control large networks
  • network connection and network routing controls are required to manage access
  • use of secure log on processes
  • assignment of unique identifiers for each individual gaining access
  • management of passwords according to best practices
  • system utilities that could be used to override controls are limited to a small set of authorized users
  • automatic time-outs are enabled for inactive sessions
  • restrictions are applied to applications based on individual application requirements
  • isolated computing environments are used for sensitive information and applications
  • policy and procedures exist for securing mobile computing
  • policy, operational plans and procedures exist for teleworking activities


Supplemental Resources