RISM03 Access Control Policy

UCL Research Data Information Security Management System Access Control Policy

Document Name: RISM03-Access_Control_Policy.md

Author: Tim Machin

Classification: Public

Version: 4.1

Last Review: 08/04/2025

Last Reviewed by: Finley Bacon

Approved by: OMG

Approved date: 12/03/2025

Review Period: 3 years

Sources: SLMS-IG36

1. Document Overview

This Access Control Policy establishes the requirements to ensure the protection of Trusted Research Environments within the scope of the UCL Research Data ISMS by managing access rights. This policy supports compliance with ISO 27001, ensuring that access to information is based on business needs and aligned with security requirements.

This document covers:

2. Document Scope

This policy applies to all employees, contractors, consultants, temporary staff, service accounts and any other individuals with access to trusted research environments. The scope of this policy includes infrastructure, applications and services that support the trusted research environments, referred to in this document as the “information systems”.

3. Conventions used in this Document

| Term | Definition |
| --- | --- |
| Shall | A mandatory requirement of this policy |
| Should | A recommended requirement of this policy |
| May | An optional requirement of this policy |

4. Access Control Principles

Access to information systems shall be managed according to the following principles:

  • Need to Know: Access shall be granted based on the specific tasks a user must perform or a system account is designated for.
  • Least Privilege: Accounts shall be granted the minimum permissions necessary to perform their roles.
  • Role-Based Access Control (RBAC): Access rights shall be assigned according to defined roles within the organization.
  • Segregation of Duties: No individual shall have control over all aspects of any critical system or process.

5. User Access Management

All user access shall be managed by an appropriate role as described in the roles and responsibilities document.

  • User registration, de-registration and access authorisation: Formal procedures for adding, changing, or removing user access shall be implemented.
    • New users or a change to user access shall be approved by:
      • The Information Asset Owner or an Information Asset Administrator (for a study): For information assets stored within a trusted research environment project.
      • Environment Owner: For user access to the infrastructure and code managing a trusted research environment, including non-human accounts (service accounts).
      • Supporting Service Owner or their delegate: For access to any supporting IT service.
  • Removal of access rights: Removal shall occur promptly upon termination or role change.
  • Review of access rights: Periodic reviews of user access rights should be conducted at least once per term to ensure appropriateness.

6. Authentication Principles

All users and information systems shall comply with UCL’s authentication principles.

7. Privileged Access Management

Administrative or privileged accounts shall be tightly controlled and limited to authorised personnel. Privileged accounts should only be used for administrative activities. Privileged access shall be managed through a formal process, and only the minimum privileges needed to carry out the role or task will be granted. A formal record of all privileges allocated will be maintained.

8. Physical Access

Physical access shall only be granted on the authority of the Service Owner of a facility. All physical information systems shall be protected in accordance with their value and classification, as set out in the UCL Information Management Policy and the data classification and tiering policy. Approved Researchers shall be responsible for physical security measures in offices and other shared spaces to prevent unauthorised access to data via an endpoint device, as detailed in the Approved Researcher Agreement.

9. Network Access

Diagnostic and configuration ports shall only be enabled for specified business reasons. All unused ports shall be disabled or removed. Changes to network configuration affecting trusted research environment networks will be risk assessed and recorded. Segregation of networks should be implemented as determined by the results of the risk assessment.

10. Operating System Access

  • All users shall be required to confirm they are an authorised user at log-on.
  • All users shall be required to change their passwords periodically and in accordance with the UCL Password Policy.
  • All user sessions shall be configured to lock automatically after a period of inactivity in order to reduce the risk of unauthorised access.
  • Where technically possible, all standard accounts that are delivered with operating systems shall be disabled, deleted or have their ‘default’ passwords changed on system installation.

11. Information System Access

  • Where adequate assurance is absent, account access shall be disabled, and shall only be re-enabled once evidence of adequate assurance has been provided.
  • Removal of accounts shall also include the removal of any associated access rights.

Environment Owners shall group together information assets as appropriate to achieve the required segregation on networks.

12. Monitoring and Logging

Access to trusted research environments shall be logged and monitored for the purpose of investigating security incidents. Logs should include ‘date/time/name/reason’ and should be reviewed periodically to detect any unauthorised access attempts. Anomalous activity or violations shall be assessed and, where unauthorised access is judged to have occurred, will be reported as an information security incident.