Access Control Policy

Policy Volume: RD
Chapter: AC‐1
Responsible Executive: CISER Secure Data Services Manager
Responsible Office: Cornell Institute for Social and Economic Research

Originally Issued: 2015-12-01
Revised: 2016-09-30, 2018-12-18, 2020-10-06

POLICY STATEMENT

In order to comply with the terms set forth in Data Use Agreements, Cornell Restricted Access Data Center (CRADC) must limit system and network access only to authorized users.

This policy covers all stages in the life‐cycle of user access, including authorizing access, granting initial access, updating access as user roles change, and removing users who no longer require access.

REASON FOR POLICY

CRADC recognizes that protecting information technology and data requires authorized users to act responsibly when using these resources. CRADC researchers, system administrators, and data custodians must strictly control access to information resources under their direction or ownership.

POLICY REQUIREMENTS

These guidelines address the establishment of procedures prior to account provisioning and the effective implementation of authorization of access, account provisioning, change in status, unsuccessful logon attempts, session lockout, account expiration, account re‐enabling, record keeping, and account de‐provisioning.

Prior to Account Provisioning

Institutional Review Board (IRB) Authorization: Unless determined otherwise by Cornell Institutional Review Board for Human Participants (IRB), all researchers allowed on the CRADC servers are required to complete the CITI training course on Social & Behavioral Research Basic, Stage 1 satisfactorily. CRADC relies on the confirmation from the Office of Sponsored Programs (OSP) that approved researchers have satisfactorily passed the CITI training course on Social & Behavioral Research Basic, Stage 1, in addition to their Conflict of Interest (COI) statement.

In instances where Cornell’s IRB states that an IRB review is not necessary for a project, such as business data which contain no human identifying characteristics, researchers will not be expected to complete the CITI training course on Social & Behavioral Research Basic, Stage 1. CRADC relies on confirmation from the Office of Sponsored Programs that these data do not require IRB review for Cornell’s processing approval.

Office of Sponsored Programs (OSP) Data Use Agreement (DUA): CRADC accepts projects and provisions unique user accounts for faculty/staff/students once the Data Use Agreement between Cornell University’s Office of Sponsored Programs and the Data Provider has been executed. Any project with an internal agreement from Cornell University for Cornell data is exempt from approval by OSP, but must retain approval of IRB and the CRADC User Agreement.

CRADC User Agreement: Each researcher is required to complete a user agreement with CRADC covering the usage of the CRADC servers. CRADC User Agreements are only sent to a researcher for signature once CRADC has final approval from OSP or internal agreement from Cornell University for Cornell data.

Authorization of Access

Access to CRADC infrastructure systems may only be granted by the CRADC staff after all appropriate processes and paperwork have been filed. In all cases, access must comply with applicable legal requirements.

No independent authorization is required for information technology personnel to conduct routine system protection, maintenance, or management purposes in accord with internal protocols and processes. Likewise, requests for access in connection with litigation, legal processes, or law enforcement investigations, or to preserve user electronic information for possible subsequent access in accordance with this policy, need no independent authorization if made by Cornell University’s Office of the General Counsel.

Provisioning / De‐provisioning

Account Provisioning: Upon receiving a signed CRADC User Agreement, the CRADC staff proceeds with account creation. Once the account has been created, the researcher is notified via an email of their unique account user name and provided a secure link to their temporary password. All temporary passwords, by Active Directory Group Policy, must be changed upon initial login to any CRADC server. [Noted exception: Specific projects require a 24‐hour delay after initial login in order to create new password.]

Account De‐provisioning: Account de‐provisioning is based upon notification via an OSP communication. De‐provisioning occurs within three business days.

CISER Secure Data Services Staff De‐provisioning: Any change in the CISER Secure Data Services staff will be communicated via email to the Data Provider through OSP. The staff account will be disabled on the last day of employment within CISER Secure Data Services and the account terminated shortly thereafter.

Change in Researcher Status

It is the responsibility of the Principal Investigator to inform the CRADC staff within ten business days of any changes in project staffing such that a researcher is no longer permitted to access the restricted data. CRADC staff will disable the researcher’s access to the project files within two business days and notify the Office of Sponsored Programs. The Office of Sponsored Programs will then notify the Data Provider of said project staff changes. CRADC will re‐enable or de‐provision the user account based on the final decision as communicated by OSP on behalf of Cornell University and the Data Provider.

Unsuccessful Logon Attempts / Session Lockouts

Unsuccessful Logon Attempts: A policy is defined on the Domain Controller that locks all accounts after three unsuccessful logon attempts. A lockout period is enforced before the researcher can attempt to logon again.

Session Lockouts: Dependent upon the Data Provider’s Data Use Agreement, a screensaver session lockout will occur after 10‐minutes of non‐activity. If the Data Provider agreement establishes criteria requiring idle sessions be suspended after less than 10‐minutes of non‐activity, special requests can be accommodated.

Account Expiration

User account access remains dependent on the existing project requirements, as stipulated within the Data Provider’s Data Use Agreement and approved by OSP, IRB, and the CRADC User Agreement. At the expiration of any existing project requirement, the user account will be disabled. When the requirement has been approved and all existing project requirements are complete, the user account will be re‐enabled.

Record Keeping

The CRADC staff oversees the management of CRADC projects and user accounts through a contract management system, and implements the unique project and user accounts within Active Directory Users and Computers on the CRADC domain controller. User accounts are created by the CRADC staff upon notification of completion of all required University and Data Provider signatures (i.e. Data Use Agreement, internal Cornell data, and/or Institutional Review Board). During any status update, the CRADC staff ensures that both the management system and the CRADC domain controller are synchronized on researcher status and forthcoming expiration dates.

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Contacts

If you have questions about specific issues regarding this Sharing, Transmission and Distribution of Restricted Data Policy, call the following offices:

NAMEEMAILTITLEPHONE
William BlockCISER Director607‐255‐4801
Elena GoloborodokoCISER Secure Data Services Manager607‐255‐4801
Jonathan BohanCRADC Secure Data Specialist607‐255‐4801
Resa ReynoldsCAC Assistant Director, Systems607‐254‐8686
Kim BurlingameSystem Administrator607‐254‐8686
Lucia WalleSystems Analyst/Programmer607‐254‐8686
Brenda LappTechnical Consultant607‐254‐8686
Cornell University
Security Office
607-255-6664