Revoking Information Technology Resource Privileges Standard

Table of Contents

1.  Purpose and Background
2.  Standards
     a) Access Revocation and Reinstatement
3.  Definitions
4.  Related Links
5.  Exceptions

1. Purpose and Background

When University of Virginia information technology (IT) resources or privileges are impacted, or could be impacted, by an issue caused by a network-connected device or account, Information Technology Services (ITS), University Information Security (InfoSec), or Health Information and Technology (Health IT) representatives acting on behalf of the University will make a risk-based decision on whether to revoke the offending device's or account's access to IT resources. Privileges will also be revoked in response to certain University policy, legal, contractual, or regulatory violations or requirements. IT resources from which privileges may be revoked include, but are not limited to, University networks, hardware, applications, and data. The specific procedures followed during the revocation and subsequent reinstatement of IT resource privileges are presented in Revoking Information Technology Resource Privileges Procedures. This standard describes the circumstances under which an account or a device may be disabled or disconnected from the network by ITS or Health IT (see the Information Security of University Technology Resources Policy). It applies to all devices and users attached directly or indirectly to the UVA network, regardless of location or affiliation.

2. Standards

Access Revocation and Reinstatement

Revoking Privileges

Issues caused by devices or accounts will not normally result in the revocation of IT resource privileges.  However, certain circumstances will result in revoking IT resource access from an account or device.  Scenarios include, but are not limited to:

  1. Corrective procedures fail or are not followed
  2. Risk to IT resources posed by the device or account is deemed too great as determined by ITS, Health IT, or InfoSec
  3. Repeated low and medium risks to IT resources are caused by one device or account
  4. The user associated with the account or device is violating a University policy or applicable law

Some specific examples of events that may ultimately result in the revocation of access to IT resources include, but are not limited to:

  • Vulnerability that exposes sensitive data or highly sensitive data
  • Unauthorized network devices
  • Compromised user accounts
  • Digital Millennium Copyright Act (DMCA) violations
  • Compromised system attacking other networked systems
  • Network resource conflicts
  • Critical device file integrity issues
  • Critical vulnerabilities for which no security patch exists
  • By request from Human Resources, Student Affairs, or other University representatives with the requisite authority

Before taking action, and where applicable, ITS, InfoSec, or Health IT, as relevant, will attempt to resolve the problem in collaboration with the device owner or overseer, following the procedures set out in Revoking Information Technology Resource Privileges Procedures, unless the situation is so urgent that immediate action is required and there is no time for collaboration. Where possible, privilege removals will persist until the device or account issue(s) have been resolved, or until sufficient compensating controls have been implemented as the basis for an appeal (see below).

Reinstatement of Privileges and Appeals

Reinstatement of Privileges

Where applicable, when the owner or overseer of an impacted device or account has taken corrective steps, following the procedures outlined in Revoking Information Technology Resource Privileges, ITS, InfoSec, or Health IT, as applicable, will restore the connection as soon as possible.

Appeals

The user associated with an impacted device or account who believes that the threat the system posed is outweighed by the impact of revoking its IT resource privileges may appeal the decision by providing written justification, along with suggested compensating controls to minimize risk, to the UVA Chief Information Security Officer (CISO). The CISO or their designee will weigh the value of restoring the device connection(s) against the associated risks and act accordingly.

Permanent Revocation of Privileges

Circumstances resulting in permanent revocation of access for a device or account may include, but are not limited to, violations of law or University policy, employee offboarding, devices and/or operating systems for which vendor support has reached end of life, and other scenarios involving permanent security vulnerabilities.

3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.

4. Related Links

5. Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.

APPROVER: Chief Information Officer