University Policies and Procedures Manual (previously Business Policies and Procedures Manual)

Access Control and Authorization

UPPM 87.05

For more information contact:
Information Technology Services

1.0 Overview and Purpose
- 1.1 Information Assurance Policies Generally
- 1.2 Specific Policy Overview and Purpose
2.0 Applicability
3.0 Roles and Responsibilities
4.0 Requirements
5.0 Training

1.0 Overview and Purpose

1.1 Information Assurance Policies Generally

The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:

Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.

The policies in this chapter comply with Federal Information Processing Standards (FIPS 199), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability. To determine the potential consequence of a loss event, the Federal Information Processing Standards:

Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
Dictate which security controls are mandatory based upon the categorization level;
Define the strength, frequency, and formalization of those controls; and
Influence audit burden and continuous monitoring rigor.

See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.

1.2 Specific Policy Overview and Purpose

Robust access control and authorization serve as critical safeguards for WSU’s information systems by ensuring that only authorized individuals can access specific data, applications, devices, and systems. This policy reduces the risk of unauthorized access to information systems and institutional data by establishing criteria related to access control and authorization, including specific requirements for moderate- and high-impact systems.

2.0 Applicability

This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.

Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.

3.0 Roles and Responsibilities

3.1 Chief Information Officer

The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.

3.2 Information System Owners

WSU Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation.

3.3 Office of Information Security and Assurance (OISA)

WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard (PDF) associated with this policy and provide guidance for the associated procedures for the implementation of this policy (see examples (PDF)).

Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.

4.0 Requirements

4.1 General Requirements

Information System Owners, or their delegates, must:

Define and maintain a list of WSU employees who are authorized to access each information system within their purview; and
Define and document the types of accounts allowed for use within the system.

Access to institutional information systems and services must be based on:

A valid access authorization request;
The intended system usage; and
Other attributes as required by the Information System Owner, based on the institutional or business unit mission and business need.

Information System Owners and/or data custodians must specify the following, as appropriate for each information system within their responsibility:

Authorized users;
Group/role membership; and
Access authorizations.

User accounts are to be provided with access to data based on defined roles in accordance with UPPM 87.03.

Information Owners, or their delegates, are to provide written or systemically logged and approved authorization for user accounts to access data in accordance with UPPM 87.53.

Account managers are to be notified when accounts are no longer required, when users are terminated or transferred, and when system usage or need-to-know changes for an individual.

A process is required for changing shared or group account authenticators (if deployed) when individuals are removed from the group.

Authorizations for logical access to information and system resources must be enforced in accordance with access control policies.

WSU must enforce a limit on consecutive invalid logon attempts and implement response actions when the maximum number of unsuccessful logon attempts is exceeded.

When technically feasible, WSU information systems must display a message or banner to employees before granting system access that provides applicable privacy and security notices that the employee must acknowledge before being granted access to the information system.

Information System Owners, or their delegates, must identify user actions that can be performed on information systems without identification or authentication and provide supporting rationale in the system security plan.

Access for remote users must be approved by the Information System Owner, or their delegate, before such connections are allowed. All requests must be documented in accordance with UPPM 87.51.

The Information System Owner, or their delegate, must approve the wireless devices that are authorized to use WSU System wireless networks in accordance with UPPM 87.35.

Configuration requirements, connection requirements, and implementation guidance for each type of wireless access must be established. Each type of wireless access is to be authorized prior to allowing a connection to the system.

Information System Owners, or their delegates, must establish connections requirements and authorize the connection of WSU-controlled mobile devices.

Information System Owners, or their delegates, must establish terms and conditions for the use of external systems connecting to WSU information systems prior to allowing external systems to process, store, or transmit WSU data.

Information System Owners, or their delegates, must restrict the use of WSU- controlled portable storage devices used by authorized individuals on external systems.

Information System Owners, or their delegates, must ensure that nonpublic information is not included with publicly accessible information.

WSU system users are to be uniquely identified and authenticated. Replay-resistant multi-factor authentication mechanisms are to be implemented to access privileged and non-privileged accounts.

4.2 Moderate- and High-Impact Systems

In addition to the above, the following requirements apply to all moderate- and high-impact systems.

Moderate- and high-impact systems must use automated mechanisms to support the management of system accounts.

Temporary and emergency accounts with access to moderate- and high-impact systems must be automatically removed or disabled after a defined period.

Accounts with access to moderate- and high-impact systems must be disabled when the accounts:

Have expired;
Are no longer associated with a user or individual;
Are in violation of policy; or
Have been inactive for a defined period.

Account creation, modification, enabling, disabling, and removal actions on moderate- and high-impact systems must be automatically audited in accordance with UPPM 87.50.

Moderate- and high-impact systems are to be configured to automatically terminate user sessions according to defined conditions or events.

Users that access moderate- and high-impact systems must log out after a defined period of inactivity.

High-risk individuals who have access to moderate- and high-impact systems are to have their accounts disabled upon discovery of significant risk.

Moderate- and high-impact systems must employ the principle of least privilege.

Information System Owners, or their delegates, are to enforce approved authorizations for controlling the flow of information within moderate- and high-impact systems and between connected systems.

For moderate- and high-impact systems, Information System Owners, or their delegates, shall identify and document critical business functions that require separation of duties.

Access to perform security-based functions on moderate- and high-impact systems must be restricted to authorized personnel. Personnel must use non-privileged accounts or roles when accessing non-security-based functions.

For moderate- and high-impact systems, access to privileged accounts must be restricted to specific personnel or roles. Non-privileged users are to be prevented from executing privileged functions. Assigned privileges to roles or users must be reviewed regularly to determine if the rationale for assigning such privileges remains valid.

The execution of privileged functions on moderate- and high-impact systems must be logged in accordance with UPPM 87.50.

Moderate- and high-impact systems must require a device lock before leaving the system unattended to prevent further access until the user reauthenticates. The device lock must conceal the information previously visible on the display.

Moderate- and high-impact systems must:

Employ automated mechanisms to monitor and control remote access;
Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions;
Route remote accesses through authorized and managed network access control points; and
Restrict remote access execution of privileged commands and access to security-relevant information. Assessable evidence of command execution and access is to be maintained. The rationale for access is to be documented in the security plan for the system.

Moderate- and high-impact systems must protect wireless access to the system using authentication and encryption.

On moderate- and high-impact systems, wireless networking capabilities embedded within the system are to be disabled when not intended for use and prior to component deployment.

The use of external moderate- and high-impact systems is to be limited to authorized individuals after the implementation of external system controls has been verified.

For moderate- and high-impact systems, Information System Owners, or their delegates, must employ automated mechanisms to help employees ensure that information-sharing partners’ access to WSU information does not exceed the access and use restrictions of the WSU information being shared.

Devices accessing moderate- and high-impact systems are to be uniquely Identified and authenticated prior to establishing a connection.

4.3 High-Impact Systems

In addition to the above, the following requirements apply to high-impact systems.

High-impact systems must enforce the principle of least privilege for usage and enable monitoring of atypical account usage.

High-impact systems must prevent encrypted information from bypassing information flow control mechanisms.

Network access to privileged commands on high-impact systems must be based on operational needs and include a documented rationale for access.

For high-impact systems, Information System Owners, or their delegates, must limit the number of concurrent sessions for system accounts.

Users permitted to configure wireless networking capabilities on high-impact systems are to be identified and explicitly authorized.

When shared accounts or authenticators are employed, high-impact systems must require users to be individually authenticated before granting access to the shared accounts or resources.

5.0 Training

See UPPM 87.21 for training requirements related to UPPM Chapter 87.

In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.

_______________________
Revisions: Feb. 2026 (Rev. 651); Nov. 2024 (editorial); June 2020 – new policy (Rev. 549)