Policies and Guidelines

Data and Software Access Control

Purpose

To ensure that only authorized individuals are allowed access to data residing on computer systems.

Scope

University of Houston corporate computer systems that access confidential, sensitive, or critical data.

Standard

Software controls must ensure that data are available as needed only to authorized users, that legitimate users of the computer cannot access stored information unless they are authorized to do so, and that unauthorized individuals (whether inside or outside University of Houston) are prevented from accessing any data.

Users of the University of Houston corporate computers should be granted those access privileges to data and software needed to accomplish their authorized responsibilities.

Guidelines
  1. An audit trail of all accesses to sensitive information should be maintained. This record should indicate who changed the information as well as the nature and date of the change.
  2. If the available software is inadequate in controlling access to the information within the computer, access to the entire computer system should be restricted to those with permission to access the information.
  3. On an annual basis, departments should review their employees' access to University information systems and applications and verify that each has the appropriate level of access to corporate data. Verified reports must be sent to and reviewed by the Information Security Officer.