Boston University – Data Lifecycle Management Policy
3.1 3.1.3 Access Control
https://www.bu.edu/policies/data-lifecycle-management-policy/
This Boston University guidance defines the requirements for handling and protecting information, including CUI. The document links to other useful sites (e.g. Data Classification Policy, Data Access Management Policies) that expand on the control of CUI and authorizations to access CUI.
https://www.bu.edu/policies/identity-and-access-management/
A sample identity and access management policy for Boston University.
Carnegie Mellon University Information Security Office – Guidelines for Data Classification
3.1 3.1.22 3.1.3 Access Control
https://www.cmu.edu/data/guidelines/data-classification.html
This guideline provides an example of Data Classification framework that defines categories for data.
Information Security Oversight Office – CUI Presentation
3.1 3.1.3 Access Control
https://www.nist.gov/system/files/documents/2018/10/18/cui18oct2018-0930-1030-cui_overview-casey.pdf
This ISOO presentation describes CUI program and what it is that needs to be protected.
The State of North Carolina – Access Control Policy
3.1 3.1.3 Access Control
https://files.nc.gov/ncdit/documents/Statewide_Policies/SCIO_Access_Control.pdf
The NC policy describes common security controls (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels, web content filters, data loss prevention) and their application in controlling information flows. (See Section AC-4 – Information Flow Enforcement, p. 6)