Versions Compared

...


Document Name: NCSA CUI Access Control Standard
Version: 1.02 (previously 1)
Accountable: James Eyrich (previously Alex Withers)
Authors: Margaret Johnson, Douglas Fein

Reviewed: Dec 8, 2023
Approved: Dec 14, 2023 by IIB (previously pending approval)


Purpose

This document specifies the procedures for granting, revoking and auditing access control to systems processing or storing CUI (Controlled Unclassified Information).

Scope

These processes apply only to staff in the NCSA Staff with ACHE Access group (previously: to all CUI users). NCSA customers are responsible for authorization decisions for their own staff and can manage their access control groups directly. A Principal Investigator (PI) is responsible for authorization decisions for their project team and can modify group credentials directly. Regardless of the approval process, NCSA records, through its authorization framework, the access changes that customers or PIs make to ACHE resources.

...

Alerts are sent to the Security Office and the HIPAA Liaison (previously the CISO) whenever direct modifications are made to the group management system that were not triggered by the approval workflow engine. Automated systems check for such legitimate changes at least daily.

...

  1. The staff member submits a request for access, stating the reason for the request and the name of the requested access group.
  2. The staff member's manager approves or rejects the request.
  3. An approved request proceeds to the HIPAA Liaison (previously the CISO), who considers the staff member's role and the reason for the request.
  4. They also verify (previously: the HIPAA Liaison verifies) that the person has taken approved CUI training (N.b., CUI training requirements are still TBD).
  5. The user verifies device encryption:
    1. NCSA employees must use the WorkspaceOne tool to have their machine's encryption verified.
    2. Other users provide a screenshot of their encryption settings and attest to the continued use of encryption when connecting to Nightingale.
  6. If approved, and they are in the NCSA Staff with ACHE Access group, they are added to the requested group(s).
  7. Emails are sent to the staff member, their manager and the HIPAA Liaison (previously the CISO).

Deauthorization

Deauthorization can happen automatically or by request. For example, being removed from the staff group upon leaving NCSA automatically removes a person from the NCSA Staff with ACHE Access group and, by consequence, from any access group for systems with CUI. Therefore, even if a person leaves NCSA and has another legitimate reason for access in another unit, they must be reapproved by a PI in that unit to be added to the group(s) their project needs. The Security Office can also disable credentials and remove anyone from any group at any time, though an alert will be sent to them and to the HIPAA Liaison (previously the CISO).

Employees, their managers, and the Lead of Trust, Compliance and Risk Management (previously the CISO) can also request deauthorization via the following workflow.

  1. The employee requests removal, giving a justification and the access control groups they need to be removed from. (Optional: the request can start with their manager.)
  2. The request is received by (or starts with) the employee's manager, who approves it, or fills in the same details if they start the request. (Optional: the request can start with the HIPAA Liaison (previously the CISO).)
  3. The HIPAA Liaison (previously the CISO) either receives the request or starts a new one specifying the person and the groups they are to be removed from.
  4. If approved, the person is removed from the access control groups.
  5. Emails are sent to the staff member, their manager and the HIPAA Liaison (previously the CISO).

Audits

All NCSA group owners are required to review group membership annually and approve or modify it. This includes customers and their points of contact, and PIs at the University. Access control groups that provide access to systems with CUI are owned by the Lead of Trust, Compliance and Risk Management (previously the CISO), who must do the same, or the group is suspended automatically.