Data Management Policy - Part 1: Information Access Control Policy

Part 1: Information Access Control Policy

Objectives

1. To provide a clear practice framework to ensure information security in controlling access to the University’s information systems.

2. To ensure all users, system administrators, and relevant personnel understand and strictly comply with user account management procedures.

Responsible Units

1. Computer and Information Center

2. Assigned system administrators

3. Designated officers

Reference Standards

• Standards for Information Security in Electronic Transactions

Guidelines

1. Information Access Control

1.1 Maintain an inventory or registry of information assets, categorized by resource groups or tasks, and define user groups and their access rights.

1.2 Define levels of access rights to University data and information as follows:

• No access

• Read-only

• Create

• Input

• Edit

• Delete

• Approve usage

1.3 Classify University information into six primary types:

• Student information

• Personnel information

• Financial and accounting information

• Academic information

• Administrative information

• Computer traffic data

1.4 Define four levels of data confidentiality:

• Confidential: Access only by owners or directly responsible persons

• Internal Use Only: Communicated within subgroups or departments

• Personal: Used solely by designated individuals or units

• Public: Openly accessible within and outside the University

1.5 Criteria for classifying data confidentiality levels:

• Confidential: Only owners or assigned personnel may access

• Internal Use Only: Shared within teams or departments only

• Personal: Individual or assigned staff use only

• Public: Open for public or institutional distribution

1.6 Define access levels as follows:

• Executive-level access

• Operational-level access based on job function

• System administrator access

• Individual-level access

• General user access

1.7 Criteria for access level classification:

• Executives: Access granted based on authority and command level

• Operational Staff: Access based on assigned responsibilities

• System Administrators: Access and control as assigned within their roles

1.7 Delegation of Access Rights

1.7.4 Individuals may access only their own personal data and other information they have been authorized to access.

1.7.5 General users may access only authorized data and may view, input, edit, or delete data they themselves created.

1.7.6 Special access privileges can only be granted upon approval by the authorized person or data owner.

1.7.7 Delegation of access rights must be approved by the data owner or responsible department.

1.8 Primary Responsible Units for Data Access Authorization

Each type of University data shall be assigned to a primary responsible unit as follows:

1.8.1 Student Data – Office of Academic Promotion and Registration

1.8.2 Personnel Data – Personnel Division

1.8.3 Financial and Accounting Data – Finance Division

1.8.4 Academic Data – Office of Academic Promotion and Registration

1.8.5 Administrative Data – Assigned administrative departments

1.8.6 Computer Traffic Data – Computer and Information Center

The access permission, privilege settings, and delegation of access must comply with University policies.

1.9 Change Management

1.9.1 For any changes affecting current data and information systems:

(1) Develop a change implementation plan, including necessary budgeting.

(2) Notify relevant personnel in advance to allow adequate preparation.

(3) Verify the integrity of data after the change.

1.9.2 Source codes and libraries for all information systems must be stored securely, including both current and previous versions, for restoration if needed.

1.10 Role-Based Access Rights

1.10.1 Access to the University’s information systems must be granted as follows:

(1) Students gain access upon enrollment and lose access 90 days after graduation or withdrawal.

(2) Personnel receive access based on their assigned duties, which is revoked upon termination.

(3) Executives receive access based on assigned responsibilities and lose access upon leaving their roles.

(4) External parties are granted temporary access within a defined scope and duration.

1.10.2 Access restrictions by role:

(1) Students – limited to permitted systems only.

(2) Personnel – based on standard rights and assigned duties.

(3) Executives – based on responsibilities and roles.

(4) External parties – as specifically authorized.

1.11 Time-Based Access Control

1.11.1 System access may occur during:

(1) Official hours: 08:30–17:00

(2) After-hours: Post 17:00

(3) Public holidays and weekends

1.11.2 For high-risk or sensitive systems, stricter session timeouts must be enforced to prevent unauthorized access.

1.12 Revocation of Access Rights

Access rights shall be revoked under the following conditions:

1.12.1 Expired user account

1.12.2 Changes in assigned access level

1.12.3 Suspension due to disciplinary or security concerns

1.13 Annual Review of Access Rights

1.13.1 System administrators must print a list of users by department and submit it annually to the access-requesting units for review. The review will confirm whether any names should be removed or revised.

1.13.2 Departments must report necessary changes back to system administrators.

1.13.3 System owners must routinely verify user qualifications and access rights. Any updates must be applied promptly to reflect appropriate levels of system access.

1.14 Access Channels

Access to systems and data may occur via:

1.14.1 Internal University network

1.14.2 External network (e.g., VPN, remote login)

1.14.3 Designated secured platforms provided by the University