This Control addresses how access to information resources is controlled and documented, particularly related to changes to those resources. Changes to information resource configurations should only be completed by authorized staff.


  • The information resource owner, or designee, is responsible for ensuring that the risk mitigation measures described in this Control are implemented. The intended audience is information resource owners and custodians of high or moderate impact University information resources.


  • 1

    Information resource owners shall define, document, approve, and enforce physical and logical access restrictions associated with changes to information resources, complying with existing University Standard Administrative Procedures, Rules, and Security Controls.