Information Technologies Security Program

Personnel Security

Personnel Security refers to those practices, technologies and/or services used to ensure that personnel security safeguards are applied appropriately to personnel working for, or on behalf of, the University.

Personnel Security begins during the staffing process. Early in defining a position, the responsible supervisor determines the type of computer access that is needed for the person filling the position and the sensitivity of the information with which the person will deal. Two general principles should be followed: separation of duties and least privilege. Separation of duties refers to dividing roles and responsibilities so that a single individual cannot subvert a critical process. For example, separate responsibility should be given for requesting a personal identification number and for authorizing one. Least privilege refers to granting a user only those accesses that they need to perform their official duties. For example, a data entry clerk may not need to run analysis reports against the entire business system database. As part of the process to fill a position, hiring officers should use careful evaluation and background screening to help validate a candidate's qualifications, past performance and appropriateness for a particular position and the system privileges associated with it.

Once personnel are in place, the University applies security safeguards via user account management.  User account management involves:

  • establishing the procedures for requesting, issuing, and closing user accounts over the life-cycle events of personnel (e.g., initial hire, transfers, position promotion, retirement, resignation, etc.),
  • tracking users and their respective access authorizations, and
  • managing these functions on an ongoing basis.

[Adapted from materials provided by the Virginia Alliance for Secure Computing
and Networking (VA SCAN -- see http://www.vascan.org )]

University IT Standards for Personnel Security

  • Access must be explicitly granted to personnel by the relevant Data Steward (i.e., not allowed by default).
  • Access granted to personnel must be based on least privilege (i.e., only up to the level needed to perform one's duties and contribute to pursuit of the University's mission).
  • Access must be terminated at the same time that the requirement for access ceases to exist (e.g., as a result of transfer, termination, or change of duties).
  • Note: Criminal and financial background checks in the hiring process are conducted in accord with policy overseen by the University's Department of Human Resources.