Access Control

Policy 14.5
Approved by: President
Responsible Officer: CHIEF INFORMATION OFFICER
Responsible Office: INFORMATION TECHNOLOGY SERVICES
Originally Issued: 06/30/2025
Last Revision: NEW
Category: TECHNOLOGY
Related Policy
SD BOR 7.1 Acceptable Use of Information Technology Systems
SD BOR 7.4 Security of Information Technology Systems
DSU User Account Creation & Retention
DSU Password Policy

  1. Reason for Policy

    This policy ensures secure and controlled access to DSU's information and technology resources. It establishes roles, responsibilities, and procedures for granting, reviewing, and revoking access, applying to all individuals with logical access to the university's systems, including staff, faculty, students, contractors, and affiliates. It covers digital and physical systems managed by the University, such as devices, data storage, and network equipment.

  2. Definitions

    1. CIO (Chief Information Officer). Campus Chief Information Officer is the department head for the DSU (Dakota State University) technology department.
    2. Data Steward. The Data Steward is authorized to grant, modify, and revoke access privileges for PII within their purview as assigned by the Data Trustee.
    3. Information Resources. Information resources cover all assets utilized to store, process, and transmit information within an organization. This includes hardware such as servers and computers, software applications, databases, and the networks that connect them.
    4. Least Privilege. Providing each user, task, and process with only the minimal privileges and access necessary to perform the user's assigned role or function, including access to information systems and facilities.
    5. Service Account. A non-human account used by applications, services, or automated processes to authenticate and interact with systems securely, typically with restricted permissions and no interactive login.
    6. Data Trustee. The Data Trustee is authorized to grant, modify, and revoke access privileges for PII within their purview as assigned by the Data Trustee.
    7. Users. Employees, students, Emeriti, third-party vendors or affiliates, volunteers, agents, and authorized users accessing University information technology systems and applications.
  3. Statement of Policy

    1. Principle of Least Privilege: DSU shall control user access to information systems by enforcing the principle of least privilege.
    2. Access Control:
      1. Access to information resources must be limited to authorized users and safeguarded through appropriate physical, administrative, and logical authentication and authorization controls.
      2. All users of DSU information systems must be accurately identified, a positive identification must be maintained throughout the login session, and actions must be linked to specific users.
      3. Generic or group IDs shall not be permitted as means of access to the university’s information resources.
      4. All requests for access must include proper justification and will not be granted without the approval of the appropriate data trustee.
    3. Access Request: Data trustees and data stewards are responsible for determining the access control of information systems within their unit/department and information domain. They are required to specify authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account.
      1. The Dean, department head, or direct supervisor shall request access privileges of the user based on the user's role.
      2. Access requests shall specify the user’s role.
    4. Authentication: Authentication is the means of ensuring the validity of the user identification and all user access must be authenticated.
      1. User identity must be validated with a username and password. Please refer to the Password Policy.
        1. Exceptions for password-less sign-ins are permitted only if a compensating control verifies the user’s identity with a combination of factors: something the user is, something the user knows, and something the user has.
      2. Multi-factor authentication (MFA) shall be implemented and required for accessing sensitive systems, applications, and data repositories, as determined by the CIO.
    5. Privilege Management:
      1. The University shall implement a Role-based Access Control (RBAC) model to set minimum standards for access privileges, ensuring efficient management of user permissions. This model assigns access based on user roles, which are defined by job functions, and permissions that align with role responsibilities.
    6. Account Management:
      1. Data trustees and supervisors shall regularly audit access privileges to validate they are appropriate and necessary, including a review to ensure that all user access is still required and suitable.
    7. Remote Access: Remote access to the University’s information systems is governed by the BOR Remote Work Policy.
    8. Service Accounts: Service accounts created specifically for services and applications shall be restricted solely for system services use. The use of standard user accounts to operate system services is strictly forbidden. Systems and devices shall be configured to block remote logins via service accounts.
    9. Compliance: Non-compliance with this policy may result in disciplinary actions, in accordance with established protocols for students, faculty, and staff as outlined in relevant policies such as the student regulations, faculty handbook, or staff handbook. Consequences may include suspension of access privileges and/or legal proceedings, depending on the severity of the violation.

    Exclusions

    N/A

    Exceptions

    Exception requests must be submitted through an ITS ticket request and must include appropriate justification and any supporting documentation.

  4. Procedures (Major)

    1. Access Identification. ITS shall complete the following procedures prior to employee access:
      1. Determine the specific systems, applications, or resources the employee would need access to.
      2. Ensure access requested aligns with the employee’s job responsibilities and duties.
      3. Complete the Access Request Form.
      4. Approval and Confirmation.
      5. Upon approval, ITS will set up the necessary access or facilitate additional requests for systems not managed by DSU (e.g., Banner, D2L).
      6. During this process, the requestor will receive a confirmation email once access is granted or denied.
      7. Inform employees that their access has been set up and provide any necessary instructions for first-time login or use.
    2. Access Review
      1. Data trustees and supervisors shall periodically review the access privileges of their employees to ensure appropriateness.
        1. The supervisor shall submit an Access Request Form to revoke or modify as required.
      2. ITS shall periodically review the access of all end-users and verify justification for continued access.
  5. Related Documents, Forms, and Tools

    Supervisor-Staff Access Request Form

    ITS Request Form

    NIST SP 800-171

    NIST SP 800-53 (Rev. 5)

  6. Policy History

    Adopted: 06/30/2025