Need to Know Access Control Guideline

UC Berkeley security policy mandates compliance with the Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance for controlled access based on need-to-know requirements.

Requirement

Resource Proprietors must control access to covered data and regularly review access permissions to allow use of and access to covered data only where strictly necessary for legitimate business processes.

Description of Risk

When access to covered data is broader than what is required for legitimate purposes, there is unnecessary risk of an attacker gaining access to the data.

Recommendations

To protect covered data from falling into the wrong hands, it’s important that resource proprietors and resource custodians understand which users have access and why these users need access to covered systems and data. The decision process for users to gain access to covered systems and data must be based on the need-to-know principle, which is that access to covered data must be necessary for the conduct of the users’ job functions. This decision process must be applied to a user’s covered account at all stages of the account’s life cycle, including initial request/provisioning and any time the account holder’s employment/enrollment status is updated thereafter (e.g., the account holder changes position, moves to different departments/groups, leaves campus, etc.).

Processes that help to enforce access control based on the need-to-know principle include:

  • Employ a process for the resource proprietor to grant access to covered systems based on legitimate business need. All application access requests should be reviewed by the resource proprietor or his/her designated delegate. Any decisions to approve or reject access requests by the resource proprietor or delegate should be documented.

  • Employ a process for the resource proprietor or his/her delegate to review access to systems when a user changes job function and update access to reflect the user’s new job function.

  • Develop a process to immediately revoke access to accounts after a user leaves the campus unless documented business requirements permit an extended grace period in which departed users are allowed access to covered systems.

*Wherever possible, resource proprietors and resource custodians should use CAS authentication for web-based covered systems. CAS provides single sign-on functionality that allows application users to use CalNet credentials to log in to covered systems. When implemented correctly, it also frees resource proprietors and resource custodians from the complexity of managing a separate credential database. Details about how to use CAS authentication can be found on the CalNet website.