Managing data access
Data access is the process of sharing and accessing data as appropriate.
In order to use—and manage—data, you must have access to it. In many ways, controlling access to data is one of the best means of protecting that data from exposure, misuse, or destruction. Units and employees have a responsibility for managing data access in accordance with the University's missions and with a mindfulness of the risks of excessive access.
Consider the following when managing data access:
- Why data is shared
- Which data is shared
- When and for how long data is shared
- With whom data is shared
- How access is authorized, reviewed, and deprovisioned when no longer necessary
- How roles and privileges are separated (e.g., making sure that someone can't both submit and approve a form)
Guidelines for data access
When managing data access, follow these guidelines:
- Authorize access to data only as necessary.
By restricting access to data, you help minimize the risk of data exposure or misuse. Access must be
- based on a legitimate interest in or a "need to know" the data
- consistent with the recipient's authorization to access the data
- granted to fulfill an operational requirement
- limited to only necessary data
- granted only for as long as it is needed
- compliant with laws, regulations, policies, contracts, and other governing requirements.
- Review access regularly.
Routinely review access to ensure that those who still have it still need it. Revoke access promptly when it's no longer necessary for an individual or group to perform their University-related duties.
- Do not share passwords.
Share access to data, not to accounts or devices. Sharing a UDelNet password is a violation of policy, and sharing any kind of password puts your account or device at greater risk of compromise and misuse.