IT Governance Committee Review and Recommendation

Transcription

1 IT Governance Committee Review and Recommendation Desired Change: Approval of this policy will establish Security Standards for the UCLA Logon Identity for anyone assigned a UCLA Logon ID/password and for service providers furnishing services to someone assigned a UCLA Logon ID/password. Why: These standards serve to protect students, faculty, staff, and guests, the university s electronic resources, in addition to resources outside the UCLA campus. This policy identifies those with principal responsibility for compliance with the standards, and for the enforcement of this policy, including taking corrective action. Recommendation: Driving Forces (Those which currently exist & support or drive the desired change) For Students, Faculty, Staff, and Guests: Users must ensure their password remains a secret known only to them. If it is determined that a password has been shared the UCLA Logon ID will be considered compromised and may be suspended. For Service Providers: 1. Approval: Must be approved to offer electronic resources to someone with a UCLA Logon Identity. 2. Interfaces: Must use authentication interfaces, services, and processes only for their intended purposes. 3. Proxies: Must not function as an authentication proxy by collecting UCLA Logon Identities and passwords and forwarding them on to another authentication interface. 4. Storage: Must not save authentication information on permanent storage. 5. Retransmission: Must not retransmit authentication information. 6. Masquerading: Must not masquerade as an official authentication interface such that a user might confuse it with an official interface. 7. Degradation: Must not degrade the level of security once someone has identified themselves using a UCLA Logon Identity. Restraining Forces (Forces that may inhibit the implementation of the desired change.) Applications that use UCLA Logon IDs to authenticate users must install SSL certificates. (Mitigation: Certificates are free to any UCLA organization.) A few applications that currently cache UCLA Login ID credentials must be changed. (Mitigation: MyUCLA s use of credentials becomes unnecessary in moving to Google Apps Educational Edition.) A few applications need to be changed to allow for that 3 rd party access. (Note: The applications need to be identified.) Actions To Be Taken: 1) Define the desired change or action (agree on a simple statement). 2) Brainstorm the driving forces & restraining forces (identify the critical few) 3) Rank the driving forces & restraining forces based on the strength of the force (5 = strong, 1 = weak ) 4) List actions to be taken (focusing on the critical few driving & restraining forces)

2 UCLA Policy 403 Security Standards for UCLA Logon Identity Issuing Officer: Administrative Vice Chancellor Responsible Dept: Administrative Vice Chancellor s Office Effective Date: XXX XX, XXXX Supersedes: UCLA Policy 403, dated XX/XX/XX I. REFERENCES II. INTRODUCTION AND PURPOSE III. DEFINITIONS IV. STATEMENT V. ATTACHMENTS I. REFERENCES II. 1. UC Business & Finance Bulletin IS-3, Electronic Information Security; 2. UCLA Student Code of Conduct; 3. UCLA Policy 401, Minimum Security Standards for Network Devices; INTRODUCTION AND PURPOSE UCLA encourages the use of its electronic resources in support of the University s mission. However, these resources are limited and may be vulnerable to attack or improper use. It must be managed and protected, and UCLA reserves the right to deny access to its electronic resources that do not meet its standards for security. Students, faculty, staff, and guests may have a UCLA Logon Identity referred to as a UCLA Logon ID. The identity grants access to campus resources that are restricted to UCLA, for example, library resources web applications, and campus networks. A student s identity allows access to student records, class schedules and websites, billing information, electronic mail and resources restricted to students. A faculty member s identity allows access to class grade books in addition to resources restricted to faculty members. The UCLA Logon Identity also satisfies the standards of the InCommon Federation and the University of California s UCTrust, and can therefore be used to identify an individual to resources outside of UCLA. The purpose of this policy is to establish Security Standards for the UCLA Logon Identity. These standards serve to protect students, faculty, staff, and guests, the university s electronic resources, in addition to resources outside the UCLA campus. This policy also identifies those with principal responsibility for compliance with the standards, and for the enforcement of this policy, including taking corrective action. III. DEFINITIONS UCLA Logon ID: A string of letters, numbers and/or special characters that uniquely identifies a UCLA Logon Identity. Password: A string of letters, numbers and/or special characters, when associated with a UCLA Logon ID, authenticates the UCLA Logon ID to electronic services.

3 UCLA Policy 403 Page 2 of 3 Authentication: The process by which someone identifies themselves using a UCLA Logon ID and password. Service Provider: An application or system that furnishes electronic resources. IV. STATEMENT This policy is applicable: to anyone assigned a UCLA Logon ID and password; and to service providers that furnish services to anyone who has identified themselves using a UCLA Logon ID and password. Whenever anyone is using a UCLA Logon ID and password, as a student, faculty, staff, guest or service provider, they are required to comply with this policy. A. Compliance with Security Standards Students, faculty, staff, guests and service providers, whether physically located on campus property or not, must comply with the Security Standards for UCLA Logon Identity. A student, faculty, staff, guest or service provider that does not meet these standards is subject to suspension, disconnection and/or having their access blocked. B. Responsibilities for Compliance and Enforcement Students, faculty, staff, and guests must ensure their password remains a secret known only to them. Disclosure of a password to any other person is a violation of this policy, in addition to the University of California s Policy IS-3. If it is determined that a password has been shared, either intentionally or inadvertently, the UCLA Logon ID will be considered compromised and may be disabled. Students Disclosure of a password by a student is also a violation of the UCLA Student Conduct Code and subject to sanctions by the Office of the Dean of Students. Service Providers Service providers must be approved to offer electronic resources to someone who has identified themselves using a UCLA Logon ID and password. A service provider must use authentication interfaces, services, and processes only for their intended purposes. Additionally, service providers must not proxy, store or retransmit authentication information. C. Exceptions to the Security Standards All exceptions to the Security Standards for UCLA Logon Identity must be documented in writing, approved by the Administrative Vice Chancellor, and kept on file by the Director, IT Security. Such documentation shall be kept for as long as the exception exists. D. Recourse Appeals concerning decisions made or actions taken may be made to the Director, IT Security, who will consult with the Administrative Vice Chancellor and other campus officials, as appropriate, to make the final determination. V. ATTACHMENTS A. Security Standards for UCLA Logon Identity (Service Provider). B. Implementing Guidelines for Security Standards for UCLA Logon Identity (Service Provider).

4 UCLA Policy 403 Page 3 of 3 Issuing Officer /s/ Jack Powazek Administrative Vice Chancellor Questions concerning this policy or procedure should be referred to the Responsible Department listed at the top of this document.

5 UCLA Policy 403 Page 1 of 1 ATTACHMENT A Security Standards for UCLA Logon Identity (Service Provider) A service provider must abide by the following Security Standards for UCLA Logon Identities. 1. Approval A service provider must be approved to offer electronic resources to someone with a UCLA Logon Identity. 2. Interfaces A service provider must use authentication interfaces, services, and processes only for their intended purposes. 3. Proxies A service provider must not function as an authentication proxy by collecting UCLA Logon Identities and passwords and forwarding them on to another authentication interface. 4. Storage A service provider must not save authentication information on permanent storage. 5. Retransmission A service provider must not retransmit authentication information. 6. Masquerading A service provider must not masquerade as an official authentication interface such that a user might confuse it with an official interface. 7. Degradation A service provider must not degrade the level of security once someone has identified themselves using a UCLA Logon Identity. UCLA Policy 401 mandates that all authentications be encrypted, therefore, once a service provider has authenticated someone using a UCLA Logon Identity, they must maintain encrypted communications with that UCLA Logon Identity.

6 UCLA Policy 403 Page 1 of 1 ATTACHMENT B Implementing Guidelines Security Standards for UCLA Logon Identity (Service Provider) A service provider must abide by the following Implementation Guidelines for Security Standards for UCLA Logon Identities. 1. Approval To offer electronic resources protected by a UCLA Logon Identity, a UCLA department must sponsor the service provider. 2. Interfaces The official authentication interfaces are: Shibboleth - Shibboleth is UCLA's web single sign-on interfaces. Web applications leveraging UCLA Logon credentials must integrate with Shibboleth. RADIUS - RADIUS is available for departmental wireless applications in certain limited circumstances. Applications are evaluated at the time of request for compliance with UCLA Logon and wireless standards. Kerberos - Kerberos is a trusted third party authentication mechanism available in certain limited circumstances. Applications making use of the Kerberos framework are evaluated at the time of request for compliance with UCLA Logon and application security standards. Active Directory - Active Directory authentication services allow campus computing labs to leverage the UCLA Logon and provide a single sign-on environment. Applications making use of the Kerberos framework are evaluated at the time of request for compliance with UCLA Logon and application security standards. Institutional communications services may make use of the above and additional internal interfaces to meet technical requirements of certain communications protocols.