URP: I.19.g Information Security Identification and Authentication


This document establishes the information security identification and authentication regulations and procedures for managing risks from user access and authentication into University information assets through the establishment of an effective identification and authentication program. The identification and authentication program helps Texas Woman's University (TWU) implement security best practices with regard to identification and authentication into information assets.
Authenticator is a coded signal transmitted within an information systems message as a proof of genuineness (i.e., passwords/passphrases).
Cryptographic Module Authentication is defined as any combination of hardware, firmware or software that implements cryptographic functions such as encryption, decryption, digital signatures, authentication techniques and random number generation.
These regulations and procedures apply to all information resources owned or operated by TWU. All users are responsible for adhering to this policy. If needed or appropriate, information regarding roles, responsibilities, management commitment, and coordination among organizational entities is embedded within these procedures.
The State of Texas has chosen to adopt the information security identification and authentication principles established in NIST SP 800-53 “Identification and Authentication,” Control Family guidelines. The following subsections outline the identification and authentication standards that constitute TWU’s regulations and procedures.
IA-1 Identification and Authentication:
Regulations:
▪ TWU must develop, adopt or adhere to formal, documented identification and authentication regulations and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
Procedures:
▪ The Office of Technology (OOT) will maintain identification and authentication regulations and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
IA-2 Identification and Authentication (Organizational Users):
Regulations:
▪ TWU must require that organizational users uniquely identify and authenticate into University information systems.
Procedures:
▪ OOT assigns each user a unique identifier (i.e., username) which, when used with the user’s password, makes up the user’s authentication credentials.
IA-4 Identifier Management:
Regulations:
▪ TWU must manage information system identifiers for users and devices by:
• Receiving authorization from a designated organizational official to assign a user or device identifier.
• Selecting an identifier that uniquely identifies an individual or device.
• Assigning the user identifier to the intended party or the device identifier to the intended device.
• Preventing reuse of user or device identifiers for the period to which it is assigned to an active user or device.
Procedures:
▪ OOT assigns each user a unique identifier and manages uniqueness of these accounts.
▪ OOT assigns each device a unique identifier, using the TWU inventory asset number and appending “twu” to the end (e.g., 1234567twu).
• Servers may be assigned a normalized name to aid in operational clarity (e.g., portal, phoenix, web1, etc.)
▪ TWU Facilities management controls inventory asset numbers to prevent reuse.
IA-5 Authenticator Management:
Regulations:
▪ TWU must manage information system authenticators by:
• Verifying, as part of the initial authenticator distribution, the identity of the individual;
• Establishing initial information system authorizations;
• Ensuring that authenticators have sufficient strength of mechanism for their intended use;
• Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
• Changing default content of authenticators prior to information system installation;
• Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
• Changing/refreshing authenticators annually;
• Protecting authenticator content from unauthorized disclosure and modification;
• Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
• Changing authenticators for group/role accounts when membership to those accounts changes.
Procedures:
▪ OOT manages an automated user account creation program that also assigns initial information system authorizations. This program verifies user information from official Human Resource or Student System record before an account is created.
▪ OOT manages an automated process for disabling user accounts, as necessary.
▪ TWU requires passwords to be refreshed annually. OOT automates reminders and the disabling of accounts that don’t refresh their password.
▪ OOT manages an automated process that removes account access when membership changes.
▪ TWU user account or device identifiers have no minimum or maximum lifetime restriction.
▪ TWU user account passwords are automatically required to:
• Be at least ten characters in length
• Have at least one capital letter
• Have at least one lower case letter
• Have at least one number
• Have at least one special character
IA-6 Authenticator Feedback:
Regulations:
▪ TWU must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Procedures:
▪ Information systems are configured to mask passwords by default.
▪ Information systems are configured to not indicate which part of the username/password combination is incorrect.
IA-7 Cryptographic Module Authentication:
Regulations:
▪ TWU information systems containing information assets with cryptographic authentication modules must meet the requirements of applicable federal laws, directives, policies, regulations, standards, and guidance for such authentication.
Procedures:
▪ Symmetric cryptosystem key lengths should be at least 128 bits for confidential data and other agency-sensitive information identified by Texas Woman's University. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. All encryption mechanisms implemented to comply with this policy support a minimum of, but not limited to, AES 256-bit encryption.
▪ The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by the TWU Information Resource Manager (IRM) or Information Security Officer (ISO).
▪ TWU’s key length requirements will be reviewed annually and upgraded as technology allows.
IA-8 Identification and Authentication (Non-Organizational Users):
Regulations:
▪ TWU must require that non-organizational users uniquely identify and authenticate into company information assets.
Procedures:
▪ The OOT account management system uniquely identifies and authenticates all users.
• One exception is public access to wireless on TWU’s non-secure, public network.
APPLICABILITY: TWU Students, Faculty, Staff, and Guests
Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; termination of access; legal action; termination for interns and volunteers; disciplinary review; suspension or expulsion (in the case of a student).
Department of Information Resources Security Standards Catalog http://publishingext.dir.texas.gov/portal/internal/resources/DocumentLibrary/Security%20Control%20Standards%20Catalog.pdf

Associate Provost for Technology


Article ID: 56375
Fri 6/22/18 10:45 AM
Tue 4/28/20 9:45 AM