Standard number: DS-22
Date issued: 7/1/2018
Date last reviewed: 7/1/2018
Date of next review: 6/30/2024
Version: 1.0
Approval authority: Vice President for Information Technology and CIO
Responsible office: Information Assurance
This Standard supports and supplements the Information Security (SPG 601.27) policy. The Standard is mandatory and enforced in the same manner as the policy. It will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.
I. Overview
Access management and authentication protocols help to protect U-M systems and sensitive institutional data. This Standard applies to processes and procedures across the lifecycle of both user and system access and accounts.
Identity and access management (IAM) as a discipline is a foundational element of U-M’s information assurance program and the one that campus users interact with the most. IAM establishes procedures for verifying the identity and eligibility of individuals seeking to access and use the university’s information technology resources.
II. Scope
This standard applies to the Ann Arbor campus, Michigan Medicine, UM-Dearborn, UM-Flint, all affiliates, and all faculty, staff, workforce members, and sponsored affiliates. Specifically, it also applies to:
- All units, faculty, staff, and workforce members that create, process, maintain, transmit, or store sensitive institutional data on any university owned device, whether or not it is connected to the campus network and whether or not it is university or self-managed;
- All university computer and telecommunications systems, including externally hosted systems that are accessed via U-M authentication systems;
- Personally owned devices, in accordance with provisions of Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33);
- Any third-party provider with a contractual relationship with the university that maintains sensitive institutional data.
III. Standard
This Standard establishes the framework for provisioning and deprovisioning access by staff and workforce members to U-M systems and applications that create, process, maintain, transmit, or store sensitive institutional data. Its objective is to protect the university’s sensitive institutional data from compromises or breaches due to inadequate access and authentication management practices, as well as capture the information needed for compliance-related audit trails. Well-structured access management results in university personnel having access to the right services at the right times based on their current job responsibilities, a boost to overall productivity.
Access Control
Access control is the practice of determining throughout an individual’s university lifecycle the authorized transactions, functions, and activities of legitimate users with regard to campus information resources.
Access control at U-M to systems that create, process, maintain, transmit, or store sensitive institutional data should be primarily role-based as much as possible. Affiliation with U-M determines an individual’s eligibility for standard U-M computing services. Administrative and privileged access to U-M enterprise systems, as well as access to departmentally-provided services, are generally initiated by the individual’s department or unit. U-M departments are responsible for ensuring that individual requests for access to enterprise systems are limited to systems and access levels required for the individual’s work-related responsibilities.
Access control at U-M, whether managed at the central or unit level, must adhere to the following requirements described in Table 1:
| Access Control Requirements | Description |
|---|---|
| User Identification | The identification of authorized users of the information system and the specification of access privileges is fundamental to access control. Eligible university users are granted one unique user identification and password on the university network to ensure accurate auditing of access and actions; departments will not share individual user IDs for system access. Eligible non-U-M users must follow the established process for sponsored affiliates, guest/friend accounts, federated identities, social login, or documented trusted relationships. |
| Responsible Use Notification and User Acceptance Login Banner | Where technically feasible, U-M weblogin and active directory login must include notification of user requirement to abide by the Responsible Use of Information Resources (SPG 601.07) policy and provide for one-time user acknowledgement of such requirement. |
| Principle of Least Privilege | Individuals should be granted the minimum access sufficient to complete their day-to-work job responsibilities. Individuals that are granted privileged access should use the least privileged account for day-to-day activities; privileged accounts should only be used when the elevated privilege is required by the system or application. |
| Separation of Duties | No one person should have responsibility for more than one related function. For example, the person with the authority to grant access should not be the person who fulfills the request, or audit functions should not be performed by the personnel responsible for administering access. At no time should any person fulfill and grant access to themselves. |
| Training and Compliance | Prior to being granted access to any enterprise administrative or clinical system or U-M or unit-specific application or database, staff members must complete the appropriate required institutional or unit-specific training. In some instances, staff members may be required to formally attest to their agreement with terms and conditions before access is provided. See Information Assurance Awareness, Training, and Education (DS-16) for more specifics. |
| Additional Access Controls for Restricted and High Data | In addition to enforcing authorized access at the information system level, additional role-based access enforcement mechanisms should be employed wherever feasible at the application level for Restricted and High data. |
| Unauthorized Access | Users must not attempt to gain access to university information systems or databases for which they have not been given proper authorization. |
| Session Termination | All users are required to logoff or lock their systems when they are finished with their current session or are expected to be away from their workstation. |
| Access Revocation or Termination | Authorized access of U-M faculty, staff, and workforce members should be revoked within 72 hours (or as soon after as possible) for an individual:
|
| Access Review | User, privileged, and shared accounts should be periodically reviewed, at least annually. |
| Regulatory and Contractual Compliance | Some regulations and contractual obligations with which U-M must comply-have mandated access and authentication management requirements. A non-exhaustive set of requirements may include password expiration, lockout after failed attempts, and automatic logoff after a period of inactivity. Devices that fall under such compliance regimes must be specifically configured to meet those requirements or implement alternative compensating controls. |
Privileged Credentials
Role-based privileged user accounts are necessary for certain functions and systems. Privileged roles include, for example, key management, network and system administration, database administration, and web administration.
Owners of privileged accounts need to be especially diligent to reduce the risk of threats to institutional data from misuse, including credentials theft, inappropriate disclosure of sensitive data whether intentional or accidental, data tampering, and unauthorized access to administrative interfaces and configuration stores.
To help prevent the above threats, privileged accounts must have a designated owner that:
- Identifies a specific business need prior to establishing the accounts;
- Can grant administrator or other privileged access to other authorized users with a job-related need;
- Configures systems containing all levels of sensitive data to require two-factor authentication;
- Configures systems containing Restricted or High data to audit the actions of individuals;
- Deactivates, suspends or terminates access or administrator privileges after notification that authorized users have left their position or no longer have a job-related need for elevated access;
- Tracks and monitors privileged access accounts.
Shared Accounts
A shared account is an enterprise system account with access independent of any individual’s computing account. Shared accounts allow for privileged users responsible for specific systems or applications to have the access needed to carry out job-related responsibilities. Shared accounts must have a designated owner and co-owner that, in addition to all of the above requirements for privileged account owners:
- Are jointly accountable for the security of the data, system, or application for which they have been provided access.
Security of Enterprise Application Integration (DS-09) enumerates additional shared account requirements and owner responsibilities.
Authentication
Authentication is a process by which users, processes, or services provide proof of their identity.
Authentication confirms that a person or device really is who or what it is claiming to be and through which access to the requested resource is then authorized. All university IT systems and services must use only encrypted authentication and authorization mechanisms.
U-M has established the following rules for creating and securing passwords with the objective that passwords are complex enough to withstand attempts by unauthorized users to guess or decipher them.
- Password management: Passwords are to be kept secure and confidential, and not shared with or used by anyone other than the user to whom they are assigned;
- Password masking should be the default for all U-M authentication so that passwords are not visible to anyone standing nearby or visible on an unattended screen;
- Choosing a password: Where feasible, the University's minimum factors for selecting strong passwords should be followed.
- Password Security Controls
- Password Compromise: If a password has been improperly disclosed, accessed, or used by an unauthorized person, it should be immediately changed;
- Password expiration: The university highly recommends changing passwords at least once a year, unless otherwise required by regulation (e.g., HIPAA, PCI);
- Password lockout: Lockouts after a predetermined number of invalid login attempts should be used for U-M accounts wherever technically feasible.
- Password Reuse: The university recommends not reusing passwords when renewing or changing passwords for at least four password changes.
- Shared Account Password Changes: Passwords for shared accounts should be changed at least once a year and whenever anyone with knowledge of the password for whatever reason no longer has job-related responsibilities requiring access to the account.
- Two-factor authentication: Two-factor authentication (2FA) adds a second layer of security to protect U-M’s most sensitive data and computing resources. Privileged accounts should utilize two-factor authentication to the maximum extent feasible.
Table 2: Authentication Controls by Sensitive Data Classification Level
| Description of Control | Restricted | High | Moderate | Low |
|---|---|---|---|---|
| Strong Password Authentication | Required | Required | Required | Optional |
| Session Lock After Inactivity | Required | Required | Recommended | Optional |
| Two-factor Authentication | Required | Required | Recommended | Optional |
IV. Violations and Sanctions
Violations of this Standard may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, non-reappointment, discharge, dismissal, and/or legal action. In addition, the connectivity of machines and servers to the U-M network that do not comply with this Standard may be limited or disconnected.
Violations of this Standard may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, non-reappointment, discharge, dismissal, and/or legal action.
Discipline (SPG 201.12) provides for staff member disciplinary procedures and sanctions. Violations of this policy by faculty may result in appropriate sanction or disciplinary action consistent with applicable university procedures. If dismissal or demotion of qualified faculty is proposed, the matter will be addressed in accordance with the procedures set forth in Regents Bylaw 5.09. In addition to U-M disciplinary actions, individuals may be personally subject to criminal or civil prosecution and sanctions if they engage in unlawful behavior related to applicable federal and state laws.
Any U-M department or unit found to have violated this policy may be held accountable for the financial penalties, legal fees, and other remediation costs associated with a resulting information security incident and other regulatory non-compliance.
V. Implementation
Information Assurance is responsible for the implementation, maintenance and interpretation of this Standard.
VI. U-M Resources on Access, Authorization, and Authentication Management
- Choosing and Changing a Secure UMICH Password
- Getting Access
- Losing Access
- Identity and Access Management
- Two-Factor Authentication
VII. References
- Responsible Use of Information Resources (SPG 601.07)
- Information Security Policy (SPG 601.27)
- Institutional Data Resource Management Policy (SPG 601.12)
- Security of Personally Owned Devices That Access or Maintain Sensitive Institutional Data (SPG 601.33)
VIII. Related NIST Security Controls
- AC-01 Access Control Policy and Procedures
- AC-02 Account Management
- AC-03 Access Enforcement
- AC-04 Information Flow Enforcement
- AC-05 Separation of Duties
- AC-06 Least Privilege
- AC-07 Unsuccessful Logon Attempts
- AC-08 System Use Notification
- AC-09 Previous Logon (access) Notification
- AC-11 Session Lock
- AC-12 Session Termination
- AC-14 Permitted Actions Without Identification or Authentication
- AC-16 Security Attributes
- AC-17 Remote Access
- AC-18 Wireless Access
- AC-19 Access Control for Mobile Devices
- AC-20 Use of External Information Systems
- AC-21 Information Sharing
- IA-01 Information and Authentication Policy
- IA-02 Identification and Authentication
- IA-05 Authenticator Management
- IA-08 Identification and Authentication (Non-Organization Users)