Summary of the University’s Physical Access Controls

The University of Chichester is committed to providing a safe and secure environment, where students, staff, agents, partners, visitors and contractors can use technology to support their study/work and development, whilst being free from harassment, radicalisation, bullying or discrimination.

This document is an overview of the University’s approach to access controls applied in relation to its computing facilities and information. The document supports the physical and logical controls that in turn underpin the code of practice set out in the Electronic Information Security Policy.  

Public Presentation: PUBLIC

Access Controls

Access controls are applied, for all University systems, devices, data and infrastructure, to:

  • internal and external processes used to process University information, 
  • all individuals who have access to University information and technologies,
  • external parties that provide information processing services to the University,
  • on-premises, and cloud systems,
  • all facilities, technologies and services that are used to process University information, and;
  • all information processed, accessed, manipulated or stored, in any format, by the University pursuant to its operational activities, including that;
    • There are no restrictions on access to ‘Public’ information.
    • Access to ‘Private’ and ‘Confidential’ data/information must be managed to ensure that it is accessed only by authorised individuals, for its stated and legitimate purpose.
    • However, the Electronic Information Security Policy also seeks to help you avoid inadvertently or unwittingly accessing ‘Unauthorised’ information.

Objectives of Access Controls

The University’s objectives for access controls are to:

  • provide all employees, students and contracted third parties with access to the information they need to carry out their responsibilities in an effective and efficient manner,
  • safeguard the University’s information from security threats that could have an adverse effect on its operations or reputation,
  • fulfil the University’s legal and ethical duties toward the information with which it has been entrusted, and
  • protect the confidentiality, integrity, availability and value of information through the optimal use of controls.

Controls for Access Privileges

Access credentials (identifiers and passwords) for University services belong to the University, and are enabled and maintained on the basis of your compliance with the Electronic Information Security Policy. Controls include that:

  • Access rights are accorded following the principles of least privilege and need-to-know,
  • Access rights are role based, and may change if for example your role changes,
  • Generic identities will never be used to access confidential data or personally identifiable data,
  • The allocation of privilege rights (for example, local administrator, domain administrator, super-user, root access) is restricted and controlled,
  • User accounts can only be created through the HR (ITrent), Student Information (SITS) and the Emeritus/other (3rdDb) identity provider systems,  
  • Access to IT resources and services is made through a unique user account and complex password, and that; 
  • Multi-factor authentication (MFA) is mandatory for all staff (including part-time, and associate lecturers) and all students.

Controls by Password Complexity

Passwords used to access University information systems are a critical part of the University’s identity management and must not be shared with, or disclosed to, anyone under any circumstances. As the custodian of a University identifier and password, you are expected to:

  • create a complex password which has a minimum of 8 characters and contains 3 of the following: capital letter, lowercase letter, numbers and symbols,
  • be aware that although the password will not expire until after graduation, it is nonetheless good practice to change your passwords frequently (see https://help.chi.ac.uk/password),
  • be aware that the account will be locked for 1 hour following 3 unsuccessful login attempts,
  • be solely responsible for all actions taken under the account,
  • keep the details of the account confidential and secure at all times, and; 
  • not use your University account identity and password(s) for any other services you use (for example, Facebook, Zoom, Twitter).

The University will never ask you to reveal your password by email, in person, or on the phone.

Any user knowing or believing that they may have disclosed their account details, or who knows or suspects that their identity or password has been compromised, must contact the University’s Support and Information Zone (SIZ) immediately.

Access Management Controls

Access to ‘Private’ and ‘Confidential’ internal information is limited to authorised persons whose job or study responsibilities require it, as determined by law, contractual agreement, and applicable University policies and regulations.

Role-based access control (RBAC) is used as the method to secure access to all resources.

Access rights are reviewed automatically if (for example) your role changes.

For ex-employees and former students, when the status of a user record (in SITS or ITrent) changes to a value other than ‘Active’ or ‘Current’, the related identifier and password are automatically deactivated.

Controls for Third Party Access Management

Third parties are provided with restricted accounts that are limited to the systems and/or data they are contracted to handle, in accordance with least privilege and need-to-know principles.

Unless operationally necessary (and explicitly recorded in the system documentation as such) third party accounts will be disabled when not in use and deleted when no longer required.

Temporary access by University partners, for example in the event of a supported on-premises application being updated, is managed on a case-by-case basis, under supervision by IT Services.

Access to cloud systems is managed through the provider’s access controls, set out in each system’s hosting and support contracts.

Controls for Authentication Credentials

Identity and password issuing, strength requirements and control are managed through formal processes and standards.

The University’s network access processes are automated and initiated through the identity provider systems, which auto-configure Microsoft Active Directory. The user network account lifecycle is governed by the Fastpass Identity Governance and Access (IGA) and Azure Active Directory Connector (AADC) products.

Password length, complexity, and expiration times are controlled through Windows Active Directory Group Document Objects.

Ping Multi-Factor Authentication (MFA) is applied to all staff (permanent, part-time or temporary) and, for example, Governors. Microsoft 365 MFA is applied to all students.

Controls for Devices (University and non-University)

Whether the device (PC/Mobile/Tablet, irrespective of manufacturer or operating system) you use to access University information is provided by the University, or belongs to you personally, its integrity is assessed each time you begin to log in to the University.

The University will deny the device access, irrespective of whether you have a legitimate authenticator (ID, password / MFA), if the device you are using does not have sufficient security characteristics, for example: individual accounts, strong authentication, boot lock, encryption and a suitable anti-virus facility.

Any concerns or uncertainty with your compliance with the access controls should be notified to the Support and Information Zone, before attempting to access University IT Data and Services.

Document Owner: Director of Information and Learning Technologies

Most Recent Review Date: 18 Aug 2023

This document has been prepared using the following ISO27001:2022 standard controls as reference:

 

A.5.1 - Policies for Information Security 

A.5.10 - Handling of assets

A.7.10 - Management of removable media

A.7.10 - Physical media transfer

A.5.12 - Classification of information

A.5.13 - Labelling of information

A.5.14 - Information transfer policies and procedures

A.5.14 - Agreements on information transfer

A.5.14 - Electronic messaging

A.5.15 - Access Control Policy

A.5.15 - Access to networks and network services

A.5.15 - User Registration and Deregistration

A.5.17 - Management of secret authentication information of users 

A.5.18 - User access provisioning 

A.5.18 - Review of user access rights

A.5.18 - Removal or adjustment of access rights

A.5.20 - Addressing security within supplier agreements

A.8.1 - Mobile device document

A.8.2 - Management of privileged access rights