GDL-3000.07B: Authentication and Access Security Controls

GUIDELINE SUMMARY

Intended Audience: Information Technology Services (ITS) personnel responsible for configuring authentication
Guideline Owner: Director of Information Security

This guideline covers requirements for controlling access to data, programs, and applications and the systems on which they reside such as workstations, servers, or network-attached devices (e.g., routers, switches, controllers). It applies to all ITS-managed data and information systems. Upon consultation with Western’s Director of Information Security, the following may be considered for exemption from this guideline: academic or research networks, or information systems that are not interconnected with covered Western networks or information systems.

General Access Requirements

Adequate security controls must be in place to prevent unauthorized access to University computers and data. Business owners and technicians are responsible for implementing the controls and provisions in this guideline. Business owners must:

  1. Develop procedures for granting, revoking, and changing access to systems and data under their oversight.
  2. Consider the sensitivity of the data and classify data. Statutory or other standards [e.g., The Family Educational Rights and Privacy Act (FERPA)] must also be considered.
  3. Implement any additional ITS standards or guidelines related to secure data management for contractors, vendors, and other state entities (e.g., other state universities and state agencies).
  4. Grant access to confidential data following the principal of least privilege by grouping systems, data, and users into security domains such as Roles.
  5.  Ensure that the approval and granting of access (such as who approved access, when, and why) is documented.
  6. Work with technicians and business owners to implement technical controls to meet access requirements consistently.
  7. Ensure that the use of programs or utilities capable of overriding system and application controls is restricted.
  8. Annually review if each user/group has authorized access to confidential or sensitive information necessary to meet their job requirements, and whether the level of access is appropriate for the job needs, making corrections where needed.
  9. Document and maintain their procedures for meeting the requirements of this guideline.

Authentication

Authentication is used to validate the identity of users performing functions on systems. Selecting the appropriate authentication method is based on risks to data. The University has the following external and internal authentication requirements:

Authentication – External

If authentication is used to access Category 1 (public), Category 2 (sensitive), or one’s own personal information from outside of the University network, the following controls are required:

  1. User IDs and passwords should follow the non-privileged password guideline defined in GDL-3000.07A: Account Types and Passwords.
  2. Successful authentication requires that the individual prove through a secure authentication protocol that the individual controls the password.

If authentication is used to access Category 3 (confidential) or Category 4 (confidential data requiring special handling) information from outside of the University that is not a single record belonging to the individual, the following controls are required:

  1. User IDs and passwords should follow the non-privileged password guideline defined in defined in GDL-3000.07A: Account Types and Passwords.    
  2. Successful authentication requires that the individual prove through a secure authentication protocol that the individual controls the password.
  3. Authentication should require a second factor utilizing something a person has (e.g., a phone, hard token, soft token, or certificate).

Authentication – Internal

Internal University access to all categories of data requires authentication with the following controls:

  1. User IDs and hardened passwords as defined in GDL-3000.07A: Account Types and Passwords.
  2. Where possible, users should use their Western Universal logon for data access.
  3. Local Administrator or root accounts should not be used specifically for data access.

Access to system administration functions by a technician requires the following controls:

  1. A discrete account not used by a user for ordinary business functions. This should be an account separate from a user’s WWU Universal Login.
  2. Where passwords are employed as an authentication factor, the passwords must meet the criteria defined as Privileged and Service Accounts in GDL-3000.07A: Account Types and Passwords.
  3. The principle of least privilege must be employed when determining access requirements for the account.
  4. For the Windows local Administrator accounts, the account should be renamed, and the password managed by the Microsoft LAPS (Local Administrator Password Solution) utility.

Accounts used for system service, daemon, or application execution (service accounts); or accounts used for auto-login on systems such as kiosks, require the following controls:

  1. Uses a discrete account used only for the defined privileged functions, and never used by an individual.
  2. Where passwords are employed as an authentication factor, the passwords must meet the criteria defined as Privileged and Service Accounts in GDL-3000.07A: Account Types and Passwords.
  3. The principle of least privilege must be employed when determining access requirements for the account.
  4. Where possible, service accounts in Active Directory shall be configured to “Deny logon locally” using a Group Policy setting.

Auditing

To ensure system controls are effectively enforcing access policies, the University must:

  1. Periodically review user access rights on systems housing sensitive and confidential data. This can be accomplished via a yearly permissions audit.
  2. Implement mechanisms to monitor the use of privileges such as collecting and reviewing logs.

 

For the complete guideline, click "Full Document" tab at top of page.

FULL DOCUMENT

Intended Audience: Information Technology Services (ITS) personnel responsible for configuring authentication.
Guideline Owner: Director of Information Security

1. Definitions

Administrative
Controls

 

Administrative Controls provide governance, rules, and expectations for protecting information. Administrative controls consist of approved written governance, policies, procedures, standards, and guidelines. Administrative controls form the framework for conducting business and managing people.

Data Steward

A Data Steward is an individual responsible for data business use, access, archiving, security, and destruction decisions. They may create and oversee enforcement of business rules. They will often arrange contracts such as data sharing agreements (DSAs) and memorandums of understanding (MOUs).

Data Custodian

Data Custodian is a broad term typically used for a technical person responsible for the secure custody, transport, and storage of data as well as proper implementation of business rules. They provide technical support to the Data Steward.

Physical Controls

Physical Controls are means and devices to control and monitor physical access to information. Examples include security guards, door access controls, and closed-circuit television (CCTV).

Security Controls

Security Controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical equipment, information, computer systems, or other assets.

System Steward

A System Steward is an individual responsible for management of a University-owned system such as a workstation, server, or networking piece of equipment. They may create and oversee management and access policies.

System Custodian

A System Custodian is an individual responsible for the technical management of a system such as a workstation, server, or networking piece of equipment. They implement the best practices defined by the System Steward and perform operational duties.

Technical Controls

Technical Controls (also called Logical Controls) consist of those hardware and software features provided in a system that helps to ensure the integrity and security of data, programs, and operating systems. Examples include passwords used to access a system, multi-factor authentication, session time-outs, user segmentation (role-based access control), and account lockouts.

2. Acronyms

EAS-PEAP

Protected Extensible Authentication Protocol

EAP-TLS

Extensible Authentication Protocol - Transport Layer Security

LAPS

Local Administrator Password Solution

TACACS+

Terminal Access Controller Access-Control System Plus

3. Introduction

This guideline covers requirements for controlling access to data, programs, and applications and the systems on which they reside such as workstations, servers, or network-attached devices (e.g., routers, switches, controllers).

4. Scope

This guideline applies to all ITS-managed data and information systems. Upon consultation with Western’s Director of Information Security, the following may be considered for exemption from this guideline: academic or research networks, or information systems that are not interconnected with covered Western networks or information systems.

5. General Access Requirements

OCIO 141.10: 4.1, 6.1.1

Adequate Administrative, Technical, and Physical Controls must be in place to prevent unauthorized access to University computers and data. Data Stewards and System Stewards are responsible for implementing the controls and provisions in this guideline. Stewards must:

  1. Develop procedures for granting, revoking, and changing access to systems and data under their oversight.
  2. Consider the sensitivity of the data and classify data using GDL-3000.07C Data Classification Guideline.
  3. Statutory or other standards [e.g., The Family Educational Rights and Privacy Act (FERPA)] must also be considered.
  4. Implement any additional ITS standards or guidelines related to secure data management for contractors, vendors, and other state entities (e.g., other state universities and state agencies).
  5. Grant access to confidential data following the principle of least privilege by grouping systems, data, and users into security domains such as Roles.
  6. Ascertain that the approval and granting of access (such as who approved access, when, and why) is documented.
  7. Work with Data Custodians and System Custodians to implement Technical Controls to meet access requirements consistently.
  8. Ensure that the use of programs or utilities capable of overriding system and application controls is restricted.
  9. Annually review if each user/group has authorized access to confidential or sensitive information necessary to meet their job requirements, and whether the level of access is appropriate for the job needs, making corrections where needed.
  10. Document and maintain their procedures for meeting the requirements of this guideline. 

6. Authentication

CIO 141.10: 6.3

Authentication is used to validate the identity of users performing functions on systems. Selecting the appropriate authentication method is based on risks to data. The University defines the following eight authentication types:

6.1 Type 1 – External

OCIO 141.10: 6.3.1.1, 6.3.1.2

If authentication is used to access Category 1 (Public) or Category 2 (Sensitive) information from outside of the University network, or a single Category 3 (Confidential) or Category 4 (Confidential Data Requiring Special Handling) record belonging to the individual, the following controls are required:

  1. User IDs and passwords should follow the non-privileged password guideline defined in GDL-3000.07A: Account Types and Passwords.
  2. Successful authentication requires that the individual prove through a secure authentication protocol (e.g., Kerberos, EAS-PEAP, EAP-TLS, TACACS+) that the individual controls the password.
  3. Type 2 authentication may be used in place of Type 1.

6.2 Type 2 – External

OCIO 141.10: 6.3.1.3, 6.3.1.4

If authentication is used to access Category 3 (Confidential) or Category 4 (Confidential Data Requiring Special Handling) information from outside of the University that is not a single record belonging to the individual, the following controls are required:

  1. User IDs and passwords should follow the non-privileged password guideline defined in GDL-3000.07A: Account Types and Passwords.
  2. Successful authentication requires that the individual prove through a secure authentication protocol (e.g., Kerberos, EAS-PEAP, EAP-TLS, TACACS+) that the individual controls the password.
  3. Authentication should require a second factor utilizing something a person has (e.g., a phone, hard token, soft token, or certificate) or something a person is (e.g., a fingerprint, retina scan, or facial identification).
  4. When using a token for a second factor, the individual must prove through a secure, encrypted authentication protocol that the individual controls the token by first unlocking the token with a password, PIN, or biometric (e.g., a fingerprint, retina pattern, or facial identification).

6.3 Type 3 – External

OCIO 141.10: 6.3.1.5

Employee, contractor, and vendor access to University resources via common remote access methods (e.g., VPN) requires two-factor authentication with the following controls:

  1. Password requirements should follow the guidelines as defined in GDL-3000.07A: Account Types and Passwords.
  2. Successful authentication requires that the individual prove through a secure authentication protocol (e.g., Kerberos, EAS-PEAP, EAP-TLS, TACACS+) that the individual controls the password.
  3. Authentication should require a second factor utilizing something a person has (e.g., a phone, hard token, soft token, or certificate) or something a person is (e.g., a fingerprint, retina pattern, or facial identification).
  4. When using a token for a second factor, the individual must prove through a secure, encrypted authentication protocol that the individual controls the token by first unlocking the token with a password, PIN, or biometric (e.g., a fingerprint, retina pattern, or facial identification).

6.4 Type 4 – External

OCIO 141.10: 6.3.1.6

External authenticated access that fails to meet the requirements outlined in Type 1, Type 2, or Type 3 requires the following minimum controls:

  1. A hardened password appropriate to the account type as defined in GDL-3000.07A: Account Types and Passwords.
  2. Password expiration not to exceed 120 days.
  3. Additional controls defined in the system documentation.

6.5 Type 5 – Internal

OCIO 141.10: 6.3.2.1

Internal University access to all categories of data requires authentication with the following controls:

  1. User IDs and hardened passwords as defined in GDL-3000.07A: Account Types and Passwords.
  2. Where possible, users should use their Western Universal logon for data access.
  3. Local Administrator or root accounts should not be used specifically for data access.

6.6 Type 6 – Internal

OCIO 141.10: 6.3.2.2

Access to system administration functions by a System Custodian requires the following controls:

  1. A discrete account not used by a user for ordinary business functions. This should be an account separate from a user’s WWU Universal Login.
  2. Where passwords are employed as an authentication factor, the passwords must meet the criteria defined as Privileged and Service Accounts in GDL-3000.07A: Account Types and Passwords.
  3. The principle of least privilege must be employed when determining access requirements for the account.
  4. For the Windows local Administrator accounts, the account should be renamed, and the password managed by the Microsoft LAPS utility.

6.7 Type 7 – Internal

OCIO 141.10: 6.3.2.3

Accounts used for system service, daemon, or application execution (service accounts); or accounts used for auto-login on systems such as kiosks, require the following controls:

  1. Use of a discrete account used only for the defined privileged functions, and never used by an individual.
  2. Where passwords are employed as an authentication factor, the passwords must meet the criteria defined as Privileged and Service Accounts in GDL-3000.07A: Account Types and Passwords.
  3. The principle of least privilege must be employed when determining access requirements for the account.
  4. Where possible, service accounts in Active Directory shall be configured to “Deny logon locally” using a Group Policy setting.

6.8 Type 8 – Internal

OCIO 141.10: 6.3.2.4

Internal authenticated access that does not meet the criteria outlined in Section 5.5, Type 5 – Internal or Section 5.6, Type 6 - Internal requires the following minimum controls:

  1. A hardened password appropriate to the account type as defined in GDL-3000.07A: Account Types and Passwords, or stronger authentication.
  2. Password expiration not to exceed 120 days.
  3. Additional controls defined in the system documentation.

7. Auditing

OCIO 141.10: 6.1.4

To ensure system controls are effectively enforcing access policies, the University must:

  1. Periodically review user access rights on systems housing sensitive and confidential data. This can be accomplished via a yearly permissions audit.
  2. Implement mechanisms to monitor the use of privileges. An example would be to send access failure and success messages to a logging system, then review the logs daily in a report or dashboard.

8. Authority

  1. University policy POL-U3000.07 - Securing Information Systems
  2. Washington State Office of the Chief Information Officer (OCIO) 141.10 – Securing Information Technology Assets Standards
  3. Federal Regulation Title 34, Part 99 – Family Educational Rights and Privacy Act (FERPA)
  4. Federal Regulation Title 45 CFR Part 164 – Security Standards for the Protection of Electronic Protected Health Information, Health Insurance Portability and Accountability Act (HIPAA)
  5. Federal Criminal Justice Information Systems (CJIS) Security Policy

9. References

  1. Information Technology Services (ITS) guideline GDL-3000.07A: Account Types and Passwords Guidelines
  2. ITS guideline GDL-3000.07C: Data Classification Guidelines

Change Log

Revised Version Author Approver Change
01/08/2021 1.0 Beth Albertson ITS Standards & Guidelines Committee Original Version