Appendix
Sidebar
Table of Contents
Governing Policy
Questions?
Please use the contact section in the governing policy.
- Authentication
- Multifactor Authentication
- Access
- Account Management
- Shared and Group Accounts
- System and Service Accounts
- Vendor Accounts
Objective
To prevent and record unauthorized access to University IT resources, including data, systems, and applications, by using the appropriate level of authentication, authorization, and account lifecycle management controls.
Security Controls
The controls are grouped by Authentication, Multi/Two-Factor Authentication, Access, and Account Management (including shared, group, system, service, and vendor accounts).
Authentication
The following table defines baseline security controls for authenticating access to data, application, operating system, or systems (e.g., workstation, device, server, network infrastructure), including user, organization/department account, system or service account, administrative/privileged account.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| AAAM.A.01 | Use authenticated access | Required | Required | Required |
| AAAM.A.02 | Use a complex password or passphrase | Required | Required | Recommended |
| AAAM.A.03 | Uniquely associate access with an account or system | Required | Required | Required 1 |
| AAAM.A.04 | Uniquely associate interactive sessions with an individual or automated sessions with a system account | Required | Required | Recommended |
| AAAM.A.05 | Do not use personal identifying information in passwords or passphrases (e.g., cannot contain user’s first name, last name, username, employee number/student ID, telephone number, SSN) | Recommended | Recommended | Recommended |
| AAAM.A.06 | Do not use repeating characters in passwords or passphrases (e.g., cannot repeat characters four or more times in a row) | Recommended | Recommended | Recommended |
| AAAM.A.07 | Do not allow commonly used passwords | Recommended | Recommended | Recommended |
| AAAM.A.08 | For operating systems: Set a password expiration for temporary/reset passwords (suggest: 1 day) | Required | Required | Recommended |
| AAAM.A.08 | For non-operating systems: Set a password expiration for temporary/reset passwords (suggest: 1 day) | Required Effective July 2019 |
Required Effective July 2019 |
Recommended |
| AAAM.A.09 | Expire passwords used with single-factor authentication at least annually2 | Required | Required | Recommended |
| AAAM.A.10 | Limit re-use of passwords to at least the last five passwords | Required | Required | Optional |
| AAAM.A.11 | Deter password guessing attempts (e.g., lockout access after 10 consecutive failed login attempts for a minimum of 15 minutes or until an administrator enables the account)2 | Required | Required | Recommended |
| AAAM.A.12 | Re-authenticate access after a period of inactivity, excluding service accounts (suggest: 15-30 minutes for operating system; 60 minutes or less for interactive applications)2 | Required | Required | Required 1 |
| AAAM.A.13 | Log successful and unsuccessful logon attempts | Required | Required | Required |
| AAAM.A.14 | Conceal password being entered | Required | Required | Recommended |
| AAAM.A.15 | Display only generic identifiers or messages until successful login | Required | Recommended | Recommended |
| AAAM.A.16 | Use industry-standard strong encryption and/or hashing to render the password unreadable during transmission on the network | Required | Required | Required |
| AAAM.A.17 | Use industry-standard strong encryption and/or hashing to store the password in applications or systems | Required Effective July 2019 |
Required Effective July 2019 |
Required Effective July 2019 |
| AAAM.A.18 | Periodically review authentication management procedure (suggest: annual) | Required | Required Effective July 2019 |
Optional |
1 Optional for view only access.
2 PCI DSS requires for all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment to:
- Expire all user passwords at least every 90 days
- Re-authenticate access after 15 minutes of inactivity
- Lockout access after 6 consecutive failed login attempts for a minimum of 30 minutes or until an administrator enables the account
Multifactor Authentication
The following table identifies use of multifactor authentication (also referred to as two-factor authentication) based on interactive logins to applications and multi-user systems.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| AAAM.B.01 | Accounts with interactive administrator or privileged access | Required | Required | Recommended |
| AAAM.B.02 | Accounts with interactive non-privileged access | Required | Recommended | Recommended |
| AAAM.B.03 | Use when authenticating to University primary authentication management systems (e.g., shibboleth) | Required Effective July 2019 |
Required Effective July 2019 |
Required Effective July 2019 |
Access
The following table defines the baseline security controls for access based on the security level of the system or application.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| AAAM.C.01 | Restrict direct remote administrative/privileged access to a server | Required Effective July 2019 |
Recommended | Recommended |
| AAAM.C.02 | Use privileged access only when required by the system or application | Required | Required | Recommended |
| AAAM.C.03 | Authenticate as an individual and then escalate | Required | Required | Recommended |
| AAAM.C.04 | Periodically review access controls used (suggest: annual) | Required | Recommended | Recommended |
Account Management
The following table defines the baseline security controls for account management for all types of accounts (including shared, group, system, service, and vendor accounts) based on the security level of the system or application.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| AAAM.D.01 | Follow the principle of least privilege access (e.g., when assigning access) | Required | Required | Recommended |
| AAAM.D.02 | Establish auditable authorization of access requests and changes to access (written or electronic) | Required | Required | Recommended |
| AAAM.D.03 | Review user and role access permissions (suggest: annual) | Required | Required | Recommended |
| AAAM.D.04 | Inform user of their responsibilities for use of and management of their account (e.g., timely notification when access is no longer needed, use of administrative privileges) | Required | Required | Recommended |
| AAAM.D.05 | Limit knowledge of "root", "Administrator" or equivalent account credentials to a minimum number of individuals | Required | Required | Required Effective July 2019 |
| AAAM.D.06 | For operating systems: Change default passwords (e.g., vendor, guest, administrator) during the installation process or when identified as a default password | Required | Required | Required |
| AAAM.D.06 | For non-operating systems: Change default passwords (e.g., vendor, guest, administrator) during the installation process or when identified as a default password | Required | Required | Required Effective July 2019 |
| AAAM.D.07 | Reset authentication and/or password or suspend account after suspected or confirmed compromise or disclosure | Required | Required | Required |
| AAAM.D.08 | Disable unused guest and default accounts | Required | Required | Recommended |
| AAAM.D.09 | Disable or deprovision account or access promptly (suggest: involuntary separation within 1 day, voluntary separation within 1-10 days) | Required | Required | Recommended |
| AAAM.D.10 | Periodically review account management procedures (suggest: annual) | Required | Required Effective July 2019 |
Recommended |
Shared and Group Accounts
Shared and group accounts need to meet the Account Management controls for all types of accounts and the following controls for shared and group accounts based on the security level of the system or application.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| AAAM.E.01 | Use for view only access with approval from the data owner or their designee1 | Required | Required | Required |
| AAAM.E.02 | Periodically review the specific need for the account (suggest: annual) | Required Effective July 2019 |
Required Effective July 2019 |
Recommended |
| AAAM.E.03 | Periodically review the individual(s) responsible for managing the account (suggest: annual) | Required Effective July 2019 |
Required Effective July 2019 |
Recommended |
| AAAM.E.04 | Change the password or shared secret when someone with knowledge of the password or secret changes job responsibilities or terminates employment, or the password or secret is compromised | Required Effective July 2019 |
Required Effective July 2019 |
Required Effective July 2019 |
| AAAM.E.05 | Apply secondary controls to limit how the account may be used (e.g., account only used on-campus, during specific hours) | Recommended | Recommended | Recommended |
1 Specific restrictions:
- PCI DSS does not allow the use of shared or group accounts for system administration and other critical functions (e.g., access to cardholder data), or to administer any system components, systems, or applications that store, process, or transmit cardholder data, or support the credit card processing environment.
- Health information, HIPAA or ePHI does not allow the use of shared or group accounts.
System and Service Accounts
System and service accounts need to meet the Account Management controls for all types of accounts and the following controls for system and service accounts based on the security level of the system or application.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| AAAM.F.01 | Periodically review the specific need and access for the account1 (suggest: annual) | Required Effective July 2019 | Required Effective July 2019 | Required Effective July 2019 |
| AAAM.F.02 | Periodically review the individual(s) responsible for managing the account (suggest: annual) | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| AAAM.F.03 | Change the password or shared secret when someone with knowledge of the password or secret changes job responsibilities or terminates employment, or the password or secret is compromised | Required Effective July 2019 | Required Effective July 2019 | Required Effective July 2019 |
| AAAM.F.04 | Apply secondary controls to limit how the account may be used (e.g., account only used on-campus, during specific hours) | Recommended | Recommended | Recommended |
1 PCI DSS does not allow the use of service accounts for system administration and other critical functions (e.g., access to cardholder data), or to administer any system components, systems, or applications that store, process, or transmit cardholder data, or support the credit card processing environment.
Vendor Accounts
Vendor accounts need to meet the Account Management controls for all accounts. Vendor accounts associated with SaaS or IaaS may be covered by the controls in the Vendor/Supplier Management standard. The following table defines additional controls for vendor accounts based on the security level of the system or application.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| AAAM.G.01 | Periodically review the University individual(s) responsible for managing the vendor account (suggest: annual) | Required Effective July 2019 |
Required Effective July 2019 |
Required Effective July 2019 |
| AAAM.G.02 | Enable vendor access during time period needed | Required | Required | Recommended |
| AAAM.G.03 | Disable vendor access when not in use | Required Effective July 2019 |
Required Effective July 2019 |
Recommended |
| AAAM.G.04 | Monitor actions performed by the vendor account | Required Effective July 2019 |
Required Effective July 2019 |
Recommended |
Resources Covered
This applies to IT resources owned or contracted by the University. This also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted.
Individuals Covered
This standard applies to University community members who use or manage University IT resources.
Related Information
- More information on Authentication, Access, and Account Management including definition of a complex password
- See the Managing Access to University Information procedure
- How to use the information security standards
- See the Information Security policy appendices for additional information security standards that also apply to authentication, access, and account management.
Published Date
November 2014
Last Reviewed
April 2019