The information resource owner, or designee, is responsible for ensuring that the risk mitigation measures described in this Control are implemented. The intended audience is information resource owners and custodians of high or moderate impact University information resources.

Information resource owners shall define, document, approve, and enforce physical and logical access restrictions associated with changes to information resources, complying with existing University Standard Administrative Procedures, Rules, and Security Controls.