Application and Database Access Standards
July 18, 2008, amended October 23, 2008
1. Purpose and Scope
The purpose of these standards is to properly segregate duties and strengthen access controls and oversight for production environments. These standards apply to database staff, developers, application administrators, and functional users of OIT-hosted or operated applications and databases.
2. Standards for Any Access
Each application will have a designated Application Security Administrator, who will maintain access security and privileges. Separation of duties of the Application Administrator and Application Security Administrator must be observed wherever practical or required by regulatory or contractual obligation. Each application also will be subject to periodic reviews of access rights.
Any individual with authorized access must:
- Never share access or access tokens (e.g., passwords) with any other person.
- Ensure that any system used for access is maintained to the current standard applicable to the most sensitive data in the target database.
- Report any change in job responsibilities that changes the need for access.
- Comply with applicable information handling standards.
Discretionary access controls will be used in a manner consistent with these standards.
The functional owner or Data Steward will review access rights as frequently as required by applicable laws, or at minimum once a year, and for applications, upon termination of any employee who has access to that application.
3. Standards for Access Via an Application
- The security layer of each application will manage security and privileges to objects.
- The application’s designated Security Administrator will manage access rights.
4. Standards for Direct Database Access
- Access to objects will be by roles, except for privileged accounts in special cases.
- The OIT creates role types, based on the level of access required.
- The Database Administrator enables authorized access to individuals by roles.
- Individuals with direct database access must use a system that is maintained to the current standard applicable to the most sensitive data contained in the target databases.
- The Data Steward or designee will conduct a periodic review of direct database access, as frequently as required by applicable laws, or at minimum once a year, with the support of Enterprise Systems and the appropriate Application Security Administrator.
5. Direct Database Privileges
5.1 Developers & Application Administrators
- Will have only query privileges in all environments except development
- May have update privileges in development environment, upon request
- Must not connect using privileged accounts in any environment except development
- May have direct access (not via roles) in special cases
5.2 Functional Users
- Will have only query privileges, except by special request
- Must not connect using privileged accounts
- Direct updates using tools such as PL/SQL Developer, TOAD, etc. are not permitted
- Must perform updates only by using an intermediate application, and in the case of financially significant or sensitive data, changes must be logged and reviewed by the appropriate data steward or designee
5.3 Privileged Accounts (Special Purpose, Vendor, Third Party)
- Will have privileges as needed to support the function
- May have direct access (not via roles) in special cases
- Privileged accounts that own objects must not log in unless the Vendor or Third Party application requires it
- Privileged account passwords whose complexity is not enforced by an external system such as Active Directory, LDAP, etc., are not subject to password aging requirements, and must be more complex than is specified by the Strong Password Standard.
6. Definitions
Discretionary Access Control
A means of restricting access based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with an access permission is capable of passing that permission (perhaps indirectly) on to any other subject.
Environment
An instance of the database created for development, testing, or production
Privileged Accounts
Special-purpose accounts assigned for in-house developed applications and interfaces, and for vendor or third-party applications
Role
A type of access based on activities performed; for example, student team query role, finance team query role
7. Reference Documents
Application Security Administrator Authorization Form
Information Management Policy
Information Security Policy
Highly Sensitive Information Handling Standards
NetID Access to University Information Technology Resources Policy
Request for Application Access Form
Strong Password Standard
8. Responsibilities
8.1 Application Owner
- Appoints the Application Security Administrator
- Reviews access rights as frequently as required by applicable laws, or at minimum once a year
8.2 Application Administrator
- Assists the Application Security Administrator in generating the audit reports according to a predetermined schedule
- Implements procedures authorized by the Application Owner or Data Steward (or their designees)
8.3 Application Security Administrator
- Establishes a process for receiving application access requests
- Ensures that the appropriate Data Steward or designee has authorized the access
- Manages access rights; disables access when an employee's status or permissions change or when employment is terminated
- Maintains access security and privileges
- Participates with the Data Steward and/or Application Owner in reviewing access rights as frequently as required by applicable laws, or at minimum once a year
- Maintains an audit trail of requests and authorizations
8.4 CIO or designee
- In consultation with Data Steward, authorizes exceptions to these standards
8.5 Data Steward or designee
- Regularly reviews changes made to the database by functional users (using tools such as PL/SQL Developer, TOAD, etc.)
- Authorizes access to applications and databases
- Appoints the Application Security Administrator
- Reviews database access rights as frequently as required by applicable laws, or at minimum once a year, and upon termination of any employee with access to the relevant application
- In consultation with the CIO or designee, authorizes exceptions to these standards
- In consultation with the OIT, authorizes privileged accounts
8.6 Database Administrator
- Creates role types based on level of access required
- Enables access based on authorization, to individuals by role
- Implements procedures authorized by the Application Owner or Data Steward or their designees
- Creates privileged accounts as required
- Creates audit (exception) reports of direct database logins by privileged accounts
- Notifies designated OIT personnel annually when audit reviews are due
8.7 Designated OIT Personnel (e.g., Relevant Managers, Director of Information Security or designee)
- In consultation with the Data Steward or designee, authorizes privileged accounts
- Reviews audit (exception) reports of direct database logins by privileged accounts
9. Procedures
9.1 Assigning or Removing an Application Security Administrator
- The Application Owner or Data Steward(s) will appoint the Application Security Administrator by completing and signing an Application Security Administrator Authorization Form and sending it to the OIT.
- The OIT maintains a file of signed authorization forms in the IT Administration Business Office.
- The OIT triggers yearly audit review cycles for Data Stewards.
- The relevant Data Stewards review Application Security Administrator authorizations as frequently as required by applicable laws or at minimum once a year.
9.2 Requesting Access or Privileges
Employees needing access to an application must work through their campus unit's designated coordinator (for example, the Business Manager) to:
- Complete a Request for Application Access Form, including the following information:
  - a description of the access/privileges needed
  - a signed approval from the appropriate University official and the Data Steward or designee
- Submit the signed form to the Application Security Administrator
- The Application Security Administrator (ASA) reviews the request and makes the required entries in the application's authorization mechanisms
10. Contacts
For clarification of these standards, contact the Chief Information Officer via e-mail or by phone at (574) 631-9700.
11. Exceptions
Exceptions to these standards require the approval of the University’s Chief Information Officer.