Access, Authorization, and Authentication Management Standard
Purpose
This Standard supports and supplements the University of Central Oklahoma’s (“University” or “UCO”) Information Security Policy. The standard is mandatory and enforced in the same manner as policy. It will be periodically reviewed and updated as necessary to meet changes in legal and regulatory requirements.
Access management and authentication protocols help to protect University systems and institutional data. This Standard applies to processes and procedures implemented to protect data and access to devices, systems, services, and applications across the user lifecycle for any type of account, including accounts with privileged access, whether provisioned locally or at the enterprise-level.
Identity and Access Management (IAM) as a discipline is a foundational element of UCO’s Information Security program and the one that University users interact with the most. IAM establishes procedures for verifying the identity and eligibility of individuals seeking to access and use information technology resources.
Scope
This Standard applies to:
- All divisions, colleges and units established by the University that exercise any information technology (IT) function relating to the mission of the University, except for those specifically exempted in writing by the senior leadership (as defined in the Information Security Policy) of the University.
- University computer and telecommunications systems; faculty, staff, and students; academic and administrative units; affiliated entities, agents, contractors, and volunteers of the University; members of the community who use and/or administer such systems; or any information asset (as defined in this policy) that connects directly or indirectly to any UCO owned, leased, contracted, or operated computer or telecommunication system.
Standard Details
Framework
This Standard establishes the framework for provisioning and deprovisioning access to systems and applications that process, maintain, transmit, or store institutional data. It is designed to provide protective measures for the University’s data from compromises or breaches due to inadequate access and authentication management practices, as well as capture information needed for compliance-related audit trails. Well-structured access management also results in university members having access to the right services at the right times based on their affiliation or role at the University and a boost to overall productivity.
Access Control and Authorization
Access control is the practice of determining the authorized transactions, functions, and activities of legitimate users with regard to information resources throughout an individual’s lifecycle at the University.
Access control to systems that process, maintain, transmit, or store institutional data must be role-based whenever supported by IT systems and applications. Affiliation with UCO determines an individual’s eligibility for standard computing services. Administrative and privileged access to enterprise systems, as well as access to locally provided services, are generally initiated by the individual’s department or unit. University units are responsible for ensuring that individual requests for access are limited to systems and access levels required for the individual’s responsibilities and role at the University.
Access control at UCO, whether managed at the enterprise- or unit-level, must adhere to the requirements described in Table 1.
Table 1 Description of Access Control Requirements

| Access Control Requirements | Description |
| --- | --- |
| User Identification & Credentials | The identification of authorized users of information systems and the specification of access privileges is fundamental to access control. Eligible University users are granted one enterprise-wide unique username and password for regular, day-to-day use to ensure accurate auditing of access and actions; individually assigned names may not be shared. |
| Principle of Least Privilege | Individuals must be granted the minimum access sufficient to complete their job responsibilities. Individuals with multiple accounts or that are granted privileged access must use the least privileged account for day-to-day activities; privileged accounts will only be used when the elevated privilege is required by the system or application. |
| Separation of Duties | A defined procedure must be in place for granting access that distinguishes between the person who has the authority to approve the access request and the person who fulfills the request. Audit functions must be performed by someone other than the person responsible for fulfilling the request. |
| Training | Prior to being granted access to any administrative system, staff members must complete the appropriate training per the Information Assurance Awareness, Training, and Education Standard and agree to abide by university policies including, but not limited to, the Acceptable Use of Technology policy. |
| Additional Access Controls for Restricted or Confidential Data | In addition to enforcing authorized access at the information system level, additional access enforcement mechanisms must be employed any time the data changes systems and at the application level for high and restricted data. |
| Access Lifecycle | Access may be authorized no earlier than a new employee’s first day of employment with the university. Authorized access must be revoked as promptly as possible after notification of a status change has been received. Examples include the following: (1) the individual permanently leaves/departs the University, or employment, student, or other status is terminated; (2) the individual transfers from one position to another with different responsibilities and levels of access required; (3) after 90 days of inactivity, access will be disabled for user accounts; to re-enable it, the user will need to submit a service desk ticket. |
| Access Review | Access will be periodically reviewed to ensure access revocation is taking place and the principle of least privilege is being followed. This is particularly important for privileged access, which must be reviewed at least annually. |
| Session Termination | All users are required to log off or lock their systems when they are finished with their current session or are expected to be away from their workstation. |
| Regulatory and Contractual Compliance | Some regulations and contractual obligations with which UCO must comply have mandated access and authentication management requirements. A non-exhaustive set of requirements may include password expiration, lockout after failed attempts, and automatic logoff after a period of inactivity. Devices that fall under such compliance regimes must be specifically configured to meet those requirements or implement alternative compensating controls. |
Privileged Accounts and Access
Use of an additional account that is assigned elevated, administrative, or similar privileged access rights to systems or applications is necessary for some individuals to perform routine duties required by their position. At no time shall any privileged account or account with elevated permissions be used for purposes other than the intended use and scope. Activities that may require use of privileged accounts on a regular basis include digital key management, network and system administration, database administration, and application administration.
While no user may use an elevated account for day-to-day computing activity, users may be granted a method for temporary elevation/elevated access via OIT-approved methods that ensure the Principle of Least Privilege is followed (e.g., installing a printer while attending a conference).
Multi-factor Authentication (MFA) must be part of the process to access privileged accounts where technically feasible. For example, MFA may be required when accessing a password vault, checking out a privileged credential, or connecting to a jump server.
Individuals granted privileged access need to be especially diligent to reduce the risk of threats to institutional data from misuse, including credential theft, inappropriate disclosure of data whether intentional or accidental, data tampering, and unauthorized access to administrative interfaces and configuration stores.
To help prevent the above threats, privileged credentials must be managed following the guidance provided in Table 2.
Table 2 Privileged Access Management

| Tasks | Requestor | IT Staff | Application Manager | Functional Owner |
| --- | --- | --- | --- | --- |
| Request privileged account & access | Accountable, Responsible | Informed | Informed | Informed |
| Verify request with functional owner of the system or application | Informed | Responsible | Accountable | Consulted |
| Approve Request * | Informed | Informed | Consulted | Accountable, Responsible |
| Create account and assign privileged access | Informed | Responsible | Accountable | Consulted |
| Maintain security of privileged account | Accountable, Responsible | Informed | Informed | Informed |
| Monitor use of privileged accounts | Informed | Responsible | Accountable | Informed |
| Inform IT staff, or other appropriate parties, when privileged access is no longer required, for any reason | Accountable, Responsible | Informed | Informed | Informed |
| Deactivate, suspend, or terminate privileged account or access | Informed | Responsible | Accountable | Informed |

* Information Security must review and approve all privileged-level access requests.
Shared Accounts and Credentials
A shared account or similar credential (including digital certificates and authentication tokens) allows for access to systems independent of any individually assigned access rights, which may be required for application integration or to manage devices, systems, services, or applications that do not support use of multiple, individually assigned credentials.
Shared credentials must only be used when necessary to carry out institutionally assigned responsibilities. Shared credentials must have a designated owner and co-owner that, in addition to all the above requirements for privileged account owners, are jointly accountable for the security of the data, system, or application for which they have been provided access.
Shared account credentials will be stored in the UCO provided credential / password management system, and managed by the owner and co-owner.
Authentication
Authentication is a process by which users, processes, or services provide proof of their identity. Authentication confirms that a person or device really is who or what it is claiming to be and through which access to the requested resource is then authorized.
All University systems, applications, and services must use authentication protocols that feature strong encryption and must use encrypted channels when transmitting authentication data.
UCO has established the following rules for creating and securing passwords based on the guidance provided by the National Institute of Standards and Technology (NIST). The objective is to provide adequate security while not placing undue burden on people accessing University resources.
User Account
A user account is defined as an identity created for a person in a computer or computing system. A user account will have limited access to the system as per the permissions based on policy.
Password Management: (Passwords shall be kept secure and confidential, and not shared with or used by anyone other than the person to whom they are assigned)
- Password masking must be used whenever technically feasible for all UCO authentication to ensure passwords are not visible as they are entered.
- Systems accepting password input may provide an option to display the password as it is entered. The system may also permit the user’s device to display individual entered characters for a short time after each character is typed to verify correct entry.
- Under circumstances requiring that multiple people have access to a credential, such as software developers accessing an Application Programming Interface, the credential must be changed whenever anyone with knowledge of it no longer has job-related responsibilities requiring access granted via the credential.
Choosing a Password: (The University's minimum factors for selecting passwords must be followed by individuals when selecting and setting a password and must be enforced by IT systems whenever technically feasible)
- It must be between 10 and 64 characters in length.
- It may contain the space character.
- It should contain upper-case letters, lower-case letters, numbers and special characters.
- It cannot be made up of more than three (3) repetitive or sequential characters.
- It cannot be a dictionary word.
- It cannot be found in a list of known compromised passwords.
- It cannot contain the username / ID.
- It cannot contain your first, middle, and/or your last name.
- It cannot be based on the name of a service, system or derivatives thereof.
- It should not be information easily obtainable about you. This includes license plate, social security, telephone numbers, or street address.
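A validator for the rules above, added here as an example (not code from UCO or its OIT): the dictionary, service-name and compromised-password sets are constructed stand-ins, and "sequential" is read as a run of adjacent ascending or descending character codes. It takes the minimum length as a parameter, so the 15- and 32-character floors the Standard sets later for administrator and service accounts can be checked with the same function, and it returns every violated rule so the reason for rejection can be shown to the user.

```python
"""Validator for the 'Choosing a Password' rules of the UCO Standard.

Added example, not UCO's or OIT's code. The dictionary, service-name and
compromised-password sets below are constructed stand-ins for the real
lists the Standard refers to.
"""
from dataclasses import dataclass

# Constructed stand-ins (a real deployment would load these from files).
DICTIONARY_WORDS = {"password", "university", "welcome", "broncho"}
COMPROMISED_PASSWORDS = {"P@ssw0rd1234", "Welcome2024!", "Summer2023!!"}
SERVICE_NAMES = {"uco", "banner", "d2l", "office365"}


@dataclass(frozen=True)
class Candidate:
    password: str
    username: str
    names: tuple = ()               # first, middle and/or last name
    easily_obtainable: tuple = ()   # phone number, license plate, street address


def has_run_longer_than(s: str, limit: int) -> bool:
    """True if more than `limit` adjacent characters are identical or form an
    ascending/descending sequence of character codes ('aaaa', 'abcd', '4321').
    Reading 'sequential' as a run of consecutive codes is an assumption."""
    width = limit + 1
    for i in range(len(s) - width + 1):
        window = s[i:i + width]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(c: Candidate, min_len: int = 10, max_len: int = 64) -> list:
    """Return every rule the candidate violates (an empty list means accepted).

    min_len defaults to the 10-character user-account floor; pass 15 or 32 to
    apply the administrator or service-account floors the Standard sets.
    Returning all reasons lets the system tell the user why it was rejected.
    """
    pw, low = c.password, c.password.lower()
    reasons = []
    if not min_len <= len(pw) <= max_len:
        reasons.append(f"length must be between {min_len} and {max_len} characters")
    if has_run_longer_than(pw, 3):
        reasons.append("more than three repetitive or sequential characters")
    if low in DICTIONARY_WORDS:
        reasons.append("is a dictionary word")
    if pw in COMPROMISED_PASSWORDS:   # exact match against the breach corpus
        reasons.append("found in a list of known compromised passwords")
    if c.username and c.username.lower() in low:
        reasons.append("contains the username / ID")
    for name in c.names:
        if name and name.lower() in low:
            reasons.append(f"contains a name ({name})")
    for svc in SERVICE_NAMES:
        if svc in low:
            reasons.append(f"based on a service or system name ({svc})")
    for item in c.easily_obtainable:
        if item and item.lower() in low:
            reasons.append("contains easily obtainable personal information")
            break
    return reasons


if __name__ == "__main__":
    jane = Candidate("P@ssw0rd1234", "jdoe", ("Jane", "Doe"), ("405-555-0100",))
    for reason in check_password(jane):
        print("rejected:", reason)
```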
Password Security Controls: (IT systems that verify credentials must enforce the following security controls whenever technically feasible)
- Password creation: If a password does not meet the criteria listed in “Choosing a Password” above, the system must advise the person that they need to select a different password, provide the reason for rejection, and require the person to choose a different password.
- Password compromise: If a password has been improperly disclosed, accessed, or used by an unauthorized person, it must be immediately changed.
- Password reset / change / expiration: Reset passwords shall be securely communicated to the requestor. Users shall change their password upon initial logon, after a password change request, password expiration, or upon receiving evidence of a compromise or if a reasonable belief exists that the password has been subject to compromise, or otherwise required by regulation or law (e.g., HIPAA, PCI). UCO’s Information Security Department (ISD) or OIT Service Desk personnel will immediately change any password upon receiving evidence of a compromise or if a reasonable belief exists that a password has been subject to compromise. Passwords expire 180 days after each change and must be changed before expiration.
- Password reuse: The previous twelve (12) passwords used to authenticate to any UCO information system (as defined by the information security policy) shall not be reused and must not be the same as passwords used for non-university accounts (e.g., Netflix, Chegg).
- Password storage: Although not required for user accounts, ISD recommends that user account credentials be stored in a credential / password management solution. Examples include Pleasant Password or LastPass.
Privileged Account Authentication
Privileged user accounts are high value targets for cyber criminals. That’s because they have elevated permissions in systems, allowing them to access highly confidential information and/or make administrative-level changes to business-critical applications and systems.
Service Accounts
A Service Account is defined as a user account that has been created to run a particular piece of software or service.
Password Management: (Passwords shall be kept secure and confidential, and not shared with or used by anyone other than the person to whom they are assigned)
- Password masking must be used whenever technically feasible for all UCO authentication to ensure passwords are not visible as they are entered.
- Systems accepting password input may provide an option to display the password as it is entered. The system may also permit the user’s device to display individual entered characters for a short time after each character is typed to verify correct entry.
- Under circumstances requiring that multiple people have access to a credential, such as software developers accessing an Application Programming Interface, the credential must be changed whenever anyone with knowledge of it no longer has job-related responsibilities requiring access granted via the credential.
Choosing a Password: (The University's minimum factors for selecting passwords must be followed by individuals when selecting and setting a privileged account password and must be enforced by IT systems whenever technically feasible)
- It must be between 32 and 64 characters in length.
- It should include special characters if allowed.
- It must be randomly generated.
- Notify the Information Security team if the maximum character length supported by the application is less than 32 characters, to request an exception to policy.
Password Security Controls: (IT systems that verify credentials must enforce the following security controls whenever technically feasible)
- Password creation: Users shall adhere to the requirements set forth in this Standard when choosing a password. Exceptions to this Standard may be requested if a system limitation exists which prevents the user from selecting a password that adheres to this Standard.
- Password compromise: If a password has been improperly disclosed, accessed, or used by an unauthorized person, it must be immediately changed.
- Password reset / change / expiration:
  - Service accounts are subject to annual password changes.
  - The password must be changed immediately when an employee with access to the account is terminated (regardless of circumstances).
  - If it is not feasible to change the password immediately because of the downtime required, it must be changed during the next scheduled maintenance.
  - It may be necessary to schedule additional special maintenance or extended scheduled maintenance if a large number of password changes are needed.
- Password reuse: The previous twelve (12) passwords used to authenticate to any UCO information system (as defined by the information security policy) shall not be the same password used for other services or environments.
- Password storage: Service account login credentials will be stored in the UCO provided credential / password management system. ISD must provide approval if system limitations require the use of a password which does not adhere to the requirements as defined by this Standard or the Information Security policy. Approval must be noted in the credential / password management system.
- Interactive Logon: Users are not permitted to log into service accounts interactively.
  - Exceptions to this Standard may be requested and must be approved by ISD in advance.
  - Interactive logon exceptions are subject to review by ISD and may be disallowed at any time.
Administrator Accounts
Administrator Accounts are used to carry out tasks that require special permissions, such as installing software or renaming a computer.
Password Management: (Passwords shall be kept secure and confidential, and not shared with or used by anyone other than the person to whom they are assigned)
- Password masking must be used whenever technically feasible for all UCO authentication to ensure passwords are not visible as they are entered.
- Systems accepting password input may provide an option to display the password as it is entered. The system may also permit the user’s device to display individual entered characters for a short time after each character is typed to verify correct entry.
- Under circumstances requiring that multiple people have access to a credential, such as software developers accessing an Application Programming Interface, the credential must be changed whenever anyone with knowledge of it no longer has job-related responsibilities requiring access granted via the credential.
Choosing a Password: (The University's minimum factors for selecting passwords must be followed by individuals when selecting and setting a privileged account password and must be enforced by IT systems whenever technically feasible)
- It must be between 15 and 64 characters in length.
- It should include special characters if allowed.
- Notify the Information Security team if the maximum character length supported by the application is less than 15 characters, to request an exception to policy.
- Choose a new unique password at every change, not a slight modification of an existing password. Don’t rotate passwords.
- The password must be unique and cannot be the same as any previously used or existing password associated with any account used to interact with University information systems.
Password Security Controls: (IT systems that verify credentials must enforce the following security controls whenever technically feasible)
- Password creation: When choosing a password, it is the responsibility of the user to follow the guidance in this Standard. If the system does not allow the password to meet the requirements of the Standard, the user will contact the Information Security team to seek an exception to the Standard.
- Password compromise: If a password has been improperly disclosed, accessed, or used by an unauthorized person, it must be immediately changed.
- Do not type your admin account password on an untrusted end-user or shared computer. This includes any end-user computer not used exclusively by you as well as conference room and other shared computers. Only your regular account should be used on such computers.
- Password reset / change / expiration:
  - Passwords expire 90 days after each change and must be changed before expiration.
  - This applies not only to Active Directory accounts, but to local RHEL and Windows accounts as well as applications.
  - This expiration should be enforced via policy wherever possible.
  - Reasonable steps should be taken to separate admin accounts from regular accounts, such as avoiding typing an admin account password to connect to an admin VM while logged in as your regular account. Consult the Information Security Team for guidance if needed.
  - The account must be disabled immediately when an employee with access to the account is terminated (regardless of circumstances).
- Password reuse: The previous twelve (12) passwords used to authenticate to any UCO information system (as defined by the information security policy) shall not be reused and must not be the same as passwords used for non-university accounts (e.g., Netflix, Chegg).
- Password storage: Login credentials will be stored in the UCO provided credential / password management system. ISD must provide approval if system limitations require the use of a password which does not adhere to the requirements as defined by this Standard or the Information Security policy. Approval must be noted in the credential / password management system.
References
NIST SP 800-53 Revision 3
NIST SP 800-63 Revision 4
Related NIST Controls
NIST SP 800-53 Revision 4
- AC-01 Access Control Policy and Procedures
- AC-02 Account Management
- AC-03 Access Enforcement
- AC-04 Information Flow Enforcement
- AC-05 Separation of Duties
- AC-06 Least Privilege
- AC-07 Unsuccessful Logon Attempts
- AC-08 System Use Notification
- AC-09 Previous Logon (Access) Notification
- AC-11 Session Lock
- AC-12 Session Termination
- AC-14 Permitted Actions Without Identification or Authentication
- AC-16 Security Attributes
- AC-17 Remote Access
- AC-18 Wireless Access
- AC-19 Access Control for Mobile Devices
- AC-20 Use of External Information Systems
- AC-21 Information Sharing
Standard Violations
- Failure to comply with this Standard or other University policies will result in disciplinary action, up to and including termination of employment and/or enrollment. All persons to whom these policies, standards, and guidelines are applicable, as stated above, are responsible for adhering to these rules.
- All supervisory personnel are responsible for ensuring that these policies, standards, and guidelines are adhered to within their respective areas of responsibility. Any user may report University policy or law violations to their immediate supervisor, representative faculty or school personnel, or using UCOMMENT.