University of Ulster Standard Cover Sheet

Transcription

1 University of Ulster Standard Cover Sheet Document Title AUTHENTICATION STANDARD 2.0 Custodian Approving Committee ISD Heads ISD Committee Policy approved date Policy effective from date Policy review date

2 INTRODUCTION AND BACKGROUND To help to ensure information security, authentication of individual users of the University s networks, systems and services is required. Authentication both allows access, and helps to enforce the privileges granted to each individual user while also protecting against unauthorised access and malicious activity. Further information on ISD policies, standards and guidelines is available at: RELEVANT LEGISLATION The University will comply with all legislation and statutory requirements relevant to information and information systems, including: Computer Misuse Act 1990; Data Protection Act 1998; Communications Act 2003; Copyright, Designs and Patents Act 1988; Freedom of Information Act 2000; Human Rights Act 2000; Regulation of Investigatory Powers Act 2000; Police and Justice Act 2006; The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 ( the Lawful Business Regulations ) PURPOSE The purpose of this document is to define University standards for Authentication of individuals when using or manipulating University Information Assets and/or Information Services, with a view to reducing Information Assurance and Un- Acceptable use risks. The aim of establishing such a standard is to: 1. Establish a coherent authentication process for users; 2. Define an approach to authentication which is consistent with the Information Assurance requirements of the University. 3. Support the implementation of other aspects of Information Assurance Policy and Strategy Page 1 of 5

3 SCOPE The scope of this standard is University wide and includes all Computer Users, all University owned computers and all data networks owned and/or operated by the University. DEFINITIONS User Account is used to refer to an established relationship between a user (individual) and a computer or information service. The User Account is normally identified by a Username or account identifier which is unique to the computer or information service. Password is used to refer to a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource. With regard to Information Services a password is normally used in conjunction with a Username or other account identifier which uniquely identifies the person or user account. Authentication is used to refer to the process of verifying the identity of a person or owner of a computer account. University Information Service is used to refer to any information system or service that resides on a University of Ulster owned or operated data communications network. Associates is used to refer to all individuals who are not staff, students or visitors, and who are given a user account on one or more computer or information services. Associates include contractors, vendors and other third parties conducting business with the University. Enterprise class is used to refer to information systems and services which provide services which are consumed by a broad range of users across the University and which are deemed to be important to the operations and/or strategic aims and objectives of the University. IMPLEMENTATION Authentication End User Accounts 1. Each IT service will provide each user with an individual User Account; a. The User Account identifier for staff will be the user s staff number, commonly referred to as the e code; Page 2 of 5

4 b. The User Account identifier for students will be the user s student number, commonly referred to as the b code; c. The User Account identifier for associates will be the user s associate number, commonly referred to as the a code; d. The User Account identifier for visitors will be the user s visitor number, commonly referred to as the v code; 2. The authentication process must achieve attribution to an individual, therefore shared User Accounts are explicitly dis-allowed. Authentication System and Process Accounts Other accounts may exist for specific systems management, systems administration and/or engineering purposes, or for system processes to achieve process automation. E.g. Root, Administrator, Oracle etc. 1. It is policy that wherever technically possible a systems manager, systems administrator or engineer will authenticate with their individual user account and once authenticated as an individual will assume sufficient privileges to complete the necessary systems management, systems administration or engineering activities e.g. Software installation, Account Management, System Shutdown etc. In this way group accounts will not be required for these purposes. 2. System Processes which use authentication to achieve systems access during process automation will each have specific system process accounts which uniquely identify them. The Single Password Domain The University strategy shall have a Single Password Domain implemented by storing and managing an individual s authentication credentials in a single directory and authentication service. The Information Services Governance and Strategy Committee shall provide oversight and approve membership of the Single Password domain. The centrally managed, auditable authentication service (ISAS) shall be managed by the Information Services Directorate on behalf of the University and shall comprise the following elements: 1. A directory and authentication service based on Microsoft Active Directory with the following domains; a. The Staff, Associates and Visitors domain named AD ; b. The Student domain named SD ; 2. A Password Change/Reset Service, delivered through the Staff Web Portal, which will facilitate all users within the University, irrespective of the Client Operating System used, to manage their ISAS Password. Page 3 of 5

5 Computer Access Controls All University owned computers are required to implement access controls to authenticate users of the computer. Information Services Access Controls All Information Services shall implement Access Controls to authenticate the individual being granted access. Enterprise Class Information Systems and Services shall adopt use of the ISAS unless a deviation to use an alternative service is granted by Director, Information Services. Reasons for granting a deviation may include: 1. Technical infeasibility; 2. Information Assurance risk where it is infeasible to use a second factor. Internet Access Controls The Internet shall require authentication before access is granted. Single Sign On (SSO) There shall exist a SSO domain for Enterprise Class Information Systems and Services. For services within the SSO domain a user will be required to authenticate once. Thereafter the user will achieve access to other services within the SSO without being challenged to authenticate again. The SSO domain shall: 1. Be designed, implemented and operated by the Information Services Directorate; 2. Have an audit trail of authentications; 3. Shall use the ISAS, defined above, to authenticate users. Decision to Include/exclude any individual Enterprise Class Information System or Service in the SSO domain shall be the responsibility of the Chief Finance and Information Officer. Multiple Factors Some Information Systems/Services which are considered to be of high information assurance risk shall be required to use additional authentication factors, normally one additional factor. In multi-factor authentication the normal process is to use a) Something one knows and b) Something one has. The standard for 2 factor authentication shall be: 1. Something one knows: The users ISAS password; 2. Something one has: A registered Cryptocard authentication token. Decision to require 2 factor authentication shall be the decision of the Chief Finance and Information Officer. Page 4 of 5

6 Secure Transmission of Credentials Authentication credentials to and from University networks, systems and services shall not be transmitted across University networks in clear text except by express permission from the Director, Information Services. This is ordinarily only granted for unsophisticated low-level sensor equipment. Page 5 of 5