Document Name: NCSA CUI Access Control Standard Approved: Dec 14, 2023 by IIB |
This document specifies the procedures for granting, revoking and auditing access control to systems processing or storing CUI (Controlled Unclassified Information).
These processes applies to all CUI users apply only to staff in the NCSA Staff with ACHE Access. NCSA customers are responsible for authorization decisions of their own staff and can manage their access control groups directly. A Principal Investigator (PI) is responsible for authorization decisions for their project teams and can modify group credentials directly. Regardless of the approval process, NCSA will record the access changes made by customers or PIs to ACHE resources through its authorization framework.
NCSA will track approvals and changes made to access groups, keeping records for 6 years or from the inception of the program. Each step of the following workflows is approved by a member of the NCSA Staff with ACHE Access while logged in with their personal credentials, and each approval sends emails to the approver and other relevant parties.
Alerts are sent to the Security Office and HIPAA Liaison anytime there are direct modifications to the group management system that were not triggered by the approval workflow engine. Such legitimate changes are checked for by automated systems at least daily.
NCSA staff must be within the NCSA Staff with ACHE Access to make a valid request to be added to a system access group for system processing or storing CUI. Being in the NCSA Staff with ACHE Access itself does NOT grant any access, which must instead be requested by the staff member via the following process.
Deauthorization can happen automatically or by request. For example, being removed from the staff group upon leaving the NCSA will automatically remove one from the NCSA Staff with ACHE Access and by consequence from any access group for systems with CUI. Therefore, even if a person leaves NCSA and has another legitimate reason for access in another unit, they will have to be reapproved by a PI in that unit to be added to the necessary group(s) for their project. The security office can also disable credentials and remove anyone from any group at anytime, though an alert will be sent to them and the HIPAA Liaison.
Employees, their managers, and the Lead of Trust, Compliance and Risk Management can request de-authorization as well via the following workflow.
All NCSA group owners are required to review group membership annually and approve or modify it. This includes customers and their point of contact and PIs at the University. Access control groups that provide access to systems with CUI are owned by the Lead of Trust, Compliance and Risk Management who must do the same, or the group is suspended automatically.