Application Access Control
Standard and Process
Application access controls include:
- secure logon procedures;
- minimize disclosure of access information about applications;
- disable/remove or limit system utilities that are capable of overriding application controls;
- session timeouts;
- manage outputs from application systems handling private data to ensure that they contain only the information relevant to the use of the output and are sent only to authorized systems or users; and,
- control system access rights of other applications.
For information on type of authentication to use (e.g., single-factor or multi-factor) see the Authentication Standard.
Use a dedicated (isolated) computing environment for systems with private data. When an application with private data is run in a shared environment, the data owners need to identify and accept the risk of using shared resources.
Document the application access control settings used.
IT staff are responsible for working with users, data owners and service directors on establishing application access controls.
Users, data owners and service directors are responsible for working with IT staff to properly use the application access controls in the roles they perform supporting or using the system or application.
- This standard is based on the principles of ISO/IEC 27002:2005.
Document Owner: University Information Security
Document Approvers: Brian Dahlin, Chief Information Security Officer; Patton Fast, University Enterprise Architect
Effective Date: August 2014
Last Reviewed Date: November 2014