Policy for access control (A.9)

On this page you will find the current access control policy, which determines access to AU information and systems based on work-related needs.


Objective

The objectives of AU’s policy for access control are:

  • to limit the need for access to IT information, systems and applications
  • to ensure that users have the necessary authorisation and prevent unauthorised access to IT systems and applications
  • to make users accountable for safeguarding their authentication information.

Business requirements of access control (A.9.1)

This access control policy is intended to ensure that the responsible managers establish, document and review the user authorisations granted to their employees. (A.9.1.1)

In relation to the above, the following is particularly applicable to AU:

  • A collaboration agreement/confidentiality statement shall be concluded between the university and its external partners before access to information assets may be granted.
  • Students who are given access to the university’s sensitive and/or confidential data shall complete a confidentiality statement.

Users and AU employees shall only be given access to the networks and systems they have been specifically authorised to use. (A.9.1.2)

User access management (A.9.2)

A formal registration and deregistration procedure shall be implemented to enable assignment of access rights. (A.9.2.1)

For overall AU systems, this takes place in the ‘medarbejderstamkort’ (employee registration) system. For other systems, a registration procedure shall be put in place, for example a spreadsheet.

A formal procedure for assigning user access shall be implemented to enable the assignment or withdrawal of access rights for all user types for all systems and services. (A.9.2.2)

The allocation and use of privileged access rights shall be restricted and controlled. (A.9.2.3)

Physical and logical access shall be controlled.

The allocation of secret authentication information shall be controlled through a formal management process. (A.9.2.4)

Access codes and password control in addition to two-factor authentication shall be integrated into the systems that are used at AU.

Asset owners shall review users’ access rights at regular intervals. (A.9.2.5)

The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. (A.9.2.6)

A number of initiatives have been planned and established in order to comply with the abovementioned requirements:

  • re. A.9.2.1 User registration:
    • Overall at AU this takes place in the Medarbejderstamkortet (employee registration system). For other systems, a (local) registration procedure must be put in place, for example a spreadsheet.

This means that if you keep your critical, confidential or sensitive information in the centrally offered solutions, it is secured by Aarhus University.

If you have other needs based on your risk assessment, they must be secured locally.

User responsibilities (A.9.3)

Users shall be required to follow the organization’s practices in the use of secret authentication information. (A.9.3.1)

System and application access control (A.9.4)

Particularly with regard to privileged access and controlling access to operating systems, Aarhus University’s procedures for access control shall ensure that:

  • Access to information and application system functions shall be restricted. (A.9.4.1)
  • Access to systems and applications shall be controlled by a secure log-on procedure. (A.9.4.2)
  • Password management systems shall be interactive and ensure good quality passwords. (A.9.4.3)
  • The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. (A.9.4.4)
  • Access to program source code shall be restricted. (A.9.4.5)

Access to source code for development projects shall be restricted and controlled, and source code may not be stored in the development environment.

Additional requirements

AU’s Information security policy:

https://medarbejdere.au.dk/en/informationsecurity/informationsecuritypolicy

Physical access control: See A.11 Policy for physical and environmental security

https://medarbejdere.au.dk/en/informationsecurity/physical_security

QUESTION GUIDE

Consider the question guide as a tool to navigate the requirements of the policy:

  • Who has access to the system?
  • Do they have a work-related need for accessing the system?
  • What access rights (if any) should be changed/deleted?
  • How are access rights to the system granted/altered/deleted? (procedure)
  • How often are access rights reviewed?
  • Has privileged access been granted?
  • Does the management team have a comprehensive overview of who has been granted which access?
  • How is it ensured and documented that contractual arrangements are in place? (e.g. collaboration agreement/non-disclosure agreement)
  • How is adequate control of access rights ensured and documented on the basis of a risk assessment and data classification?

Access control at Aarhus University refers to gaining access to the necessary systems and applications, based on work-related needs.