Policy 15 - Access Control Policy

1.0 Purpose

The purpose of this policy is to establish guidelines and procedures for implementing and periodically reviewing access controls to safeguard the confidentiality, integrity and availability of Murray State University’s information assets and private data. 

2.0 Scope

This policy applies to all employees, contractors, consultants, temporary workers and all other personnel or individuals who have access to Murray State’s information systems and private data. This policy will cover controls stemming from account permissions as well as physical security.

3.0 Policy

Murray State University will assign access to secure data and systems based on roles and responsibilities and will periodically audit permissions and revoke access as necessary. Security controls including account membership assignments, groups, application account permissions and physical access will all be utilized to restrict/allow access as necessary. Changes in job duties/title or reported alterations in necessary access will prompt a review of user permissions.  

3.1 Access Control Implementation:

  • Access to information systems and data will be granted based on the principle of least privilege, ensuring that individuals have access only to the resources necessary for their assigned roles and responsibilities.
  • User access will be granted, modified or revoked promptly upon changes in job responsibilities, termination or other relevant events.
  • Strong authentication mechanisms, such as passwords, secondary accounts and layers of multi-factor authentication (MFA) will be enforced to verify the identity of users.
  • All access to sensitive information must include multi-factor authentication as part of the authentication process.
  • Access controls will be implemented at both the logical and physical levels, including network access controls, file and directory permissions and physical security measures. 
  • Active monitoring and passive logging through multiple systems will be reviewed to detect unauthorized access.

3.2 Periodic Review of Access Controls:

  • Access controls will be reviewed annually to ensure they continue to be effective and appropriate. Additional access controls will be added as needed.
  • Access rights will be reviewed annually, when prompted by a position change or more frequently as necessary, to verify that users have only the access required for their roles.
  • Static accounts such as Service Accounts will be reviewed annually and set to a schedule for updating.
  • Audits and assessments may be conducted to identify and remediate any vulnerabilities or weaknesses in current access controls.
  • Access control policies and procedures will be updated as needed to reflect changes in technology, regulations or business requirements.

3.3 Access Control Roles:

  • The resource owner is responsible for any decision regarding access controls and is similarly responsible for implementing and maintaining access controls in accordance with this policy. 
  • Murray State University Information Systems and academic technicians will provide assistance with implementation and will audit systems and controls as needed.
  • Conflicts with access level controls will be brought forth and addressed by system stakeholders or the owner of the access level resource. 
  • Specific access may need to be granted for the sole purpose of maintaining and monitoring the MSU network, computers and software.

4.0 Enforcement:

Anyone found to have violated this policy may be subject to disciplinary action according to personnel policies and procedures. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with Murray State University.

5.0 Definitions:

Multi-factor Authentication (MFA)

A multi-step account login process that requires users to enter more information than just a password. For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, etc. MFA always includes at least two different factors containing something you know (password), something you have (phone), something you are (biometrics).



Policy adopted:  08-21-2024
Revision adopted:  08-21-2024
Policy approval and adoption: Murray State University President's Office and Information Systems Security

Take the next step

© Murray State University Department of Web ManagementWe are Racers.