Access Verification Policy

Policy on Regular Audits to Verify Appropriate Access to Digital Resources

Purpose

The purpose of this policy is to ensure that CLAS digital resources, including file shares, web sites, email lists, SharePoint sites, and Teams sites, are accessed only by authorized individuals. Regular audits will be conducted by CLAS IT system administrators to maintain the integrity, confidentiality, and security of these resources.

Scope

This policy applies to all departments and individuals within CLAS who have access to CLAS digital resources. It encompasses the procedures for conducting audits and the responsibilities assigned to CLAS IT system administrators and department administrators/staff.

Policy Statement

CLAS IT system administrators shall perform an audit at least once every 24 months to verify that only appropriate individuals have access to CLAS digital resources. CLAS digital resources include, but are not limited to, file shares, web sites, email lists, and SharePoint/Teams sites. These audits are critical to ensuring that access controls are maintained and adhered to, thereby protecting sensitive information and CLAS assets.

Responsibilities

CLAS System Administrators

CLAS IT system administrators are responsible for:

  • Conducting access audits at least once every 24 months.
  • Maintaining accurate records of access permissions for all digital resources. This may be done through the use of security groups.
  • Identifying and revoking inappropriate access permissions.
  • Reporting audit findings to relevant stakeholders.

Department Administrators

Department administrators are responsible for:

  • Ensuring their team’s compliance with access control policies.
  • Cooperating with CLAS IT system administrators during the audit process.
  • Reviewing and approving access permissions as necessary.
  • Notifying CLAS IT system administrators when an individual leaves their unit and their access should be removed.

Individual Users

Individual users, including faculty and staff, lab managers, and workgroup managers, are responsible for:

  • Adhering to the organization’s access control policies.
  • Reporting any unauthorized access or security breaches to the system administrators.
  • Notifying their department administration when an individual departs their workgroup. If you are unsure of who to notify, ask your office manager or unit chair/director.

Audit Procedures

The audit procedures shall include, but are not limited to, the following steps:

  • Preparation: CLAS IT system administrators shall prepare for the audit by gathering necessary documentation. This may include access logs and group membership lists.
  • Review: CLAS IT system administrators shall review the current access permissions for file shares, web sites, email lists, SharePoint/Teams sites, and other digital resources.
  • Verification: CLAS IT system administrators shall verify with Department Administrators that all access permissions are appropriate.
  • Revocation: Inappropriate access permissions shall be revoked immediately.
  • Reporting: A detailed report of the audit findings shall be prepared and submitted to relevant stakeholders.

Frequency of Audits

Audits shall be conducted at a minimum frequency of once every 24 months. Additional audits may be performed as deemed necessary by CLAS IT or department leadership.

Record Keeping

CLAS IT system administrators shall maintain records of all audit activities, findings, and actions taken. These records shall be retained in accordance with the UF Record Retention Schedule, https://records.uflib.ufl.edu/record-retention/retention-schedules/.

Review and Updates

This policy shall be reviewed and updated as necessary. Any changes to the policy shall be communicated to all employees.

Approval and Effective Date

This policy has been reviewed by the CLAS leadership and is effective as of January 1, 2025.

Additional reading: UF Policy for terminated and transferred employees, https://policy.ufl.edu/policy/management-for-terminated-transferred-employees-policy/

Last updated: 03 Dec 2024