The university identifies, documents, and provides supporting rationale in the security plan for any actions that may be performed on an information resource without identification or authentication.


  • The information resource owner, or designee, is responsible for ensuring that the measures described in this Control are implemented. The intended audience for this Control includes, but is not limited to, all information resources owners and custodians.


  • 1

    The information resource owner or custodian is responsible for:

    • 1.1

      Identifying activities that can be performed on the information resource without identification or authentication consistent with university missions or business functions; and

    • 1.2

      Documenting and providing supporting rationale in the unit’s annual risk assessment for the information resource user actions not requiring identification or authentication.

  • 2

    Public university websites and public kiosks are excluded from these requirements.