Credentials Policy. Document Summary

Similar documents
1.7 The Policy sets out the manner by which the University will respond to Subject Access Requests.

Information Security Controls Policy

Cloud Security Standards

Policy & Procedure. IT Password Policy. Policy Area. Version Number 2. Approving Committee SMT. Date of Approval 26 September 2017

GLOBAL PAYMENTS AND CASH MANAGEMENT. Security

University of Ulster Standard Cover Sheet

Subject: University Information Technology Resource Security Policy: OUTDATED

Liferay Security Features Overview. How Liferay Approaches Security

Integrated Access Management Solutions. Access Televentures

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

Bring Your Own Device Policy

GDPR Draft: Data Access Control and Password Policy

SOFTWARE DEMONSTRATION

Data protection. 3 April 2018

Access Control Policy

Data protection policy

Password Standard Version 2.0 October 2006

Cloud Security Standards and Guidelines

PS 176 Removable Media Policy

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Healing School - A Science Academy GDPR Policy (Exams) 2018/19

Canadian Access Federation: Trust Assertion Document (TAD)

Data Encryption Policy

eprost System Policies & Procedures

Acceptable Use Policy

Data Protection Policy

Bring Your Own Device (BYOD) Policy

UWC International Data Protection Policy

NEN The Education Network

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

The purpose of this guidance is: To provide a comprehensive understanding to complying with the universities Acceptable Use Policy.

Mobile Working Policy

The Four A s of Access A practical guide to auditing an access process.

EHR SECURITY POLICIES & SECURITY SITE ASSESSMENT OVERVIEW WEBINAR. For Viewer Sites

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Medical Sciences Division IT Services (MSD IT)

Cyber security tips and self-assessment for business

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

UTAH VALLEY UNIVERSITY Policies and Procedures

INFORMATION ASSET MANAGEMENT POLICY

Information Security Policy

SECURITY & PRIVACY DOCUMENTATION

Canadian Access Federation: Trust Assertion Document (TAD)

ANNUAL SECURITY AWARENESS TRAINING 2012

Information Security Controls Policy

Acceptable Use Policy

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Department of Public Health O F S A N F R A N C I S C O

KT-4 Keychain Token Welcome Guide

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Adobe Sign and 21 CFR Part 11

ISC10D026. Report Control Information

General Data Protection Regulation

INFORMATION SECURITY AND RISK POLICY

Acceptable Usage Policy (Student)

1. Federation Participant Information DRAFT

Date Approved: Board of Directors on 7 July 2016

CONNECTING TO THE COLLEGE NETWORK. Connecting to the College Network

STUDENT ACCEPTABLE USE OF IT SYSTEMS POLICY

Version 1/2018. GDPR Processor Security Controls

Acceptable Use Policy

3 rd Party Certification of Compliance with MA: 201 CMR 17.00

Security Standards for Electric Market Participants

POLICY 8200 NETWORK SECURITY

Remote Working Policy

Privacy Policy GENERAL

A company built on security

General Data Protection Regulation policy (exams) 2017/18

Sparta Systems Stratas Solution

Corporate Policy. Revision Change Date Originator Description Rev Erick Edstrom Initial

Enviro Technology Services Ltd Data Protection Policy

IAM Security & Privacy Policies Scott Bradner

Application for connection to YJS CUG and Hub (v6.0)

Information Security Policy

Employee Security Awareness Training Program

Canadian Access Federation: Trust Assertion Document (TAD)

OpenLAB ELN Supporting 21 CFR Part 11 Compliance

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Welcome Guide for MP-1 Token for Microsoft Windows

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Data Protection Policy

Red ALERT Apparent Breach of an Unidentified Pharmacy Related Database

IT Governance Committee Review and Recommendation

Integration of Agilent OpenLAB CDS EZChrom Edition with OpenLAB ECM Compliance with 21 CFR Part 11

The Honest Advantage

IoT & SCADA Cyber Security Services

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

Computer Classroom Security Standard

What is cloud computing? The enterprise is liable as data controller. Various forms of cloud computing. Data controller

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.

Canadian Access Federation: Trust Assertion Document (TAD)

DATA PROTECTION POLICY

PCI Compliance. What is it? Who uses it? Why is it important?

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Acceptable Use Policy

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Understand & Prepare for EU GDPR Requirements

BASELINE GENERAL PRACTICE SECURITY CHECKLIST Guide

Trinity Multi Academy Trust

Transcription:

Credentials Policy Document Summary Document ID Credentials Policy Status Approved Information Classification Public Document Version 1.0 May 2017

1. Purpose and Scope The Royal Holloway Credentials Policy informs the University s staff, students, and other individuals entitled to use University facilities, of the regulations relating to the use of credentials to access IT Services. This policy supports the University s wider Information Security Policy. The term User refers to any person in receipt of a user ID and/or password issued by the University. These will be references as Royal Holloway Credentials. In addition authentication with hardware tokens, cookies and biometrics etc. may also be classed as credentials. The consequences of a malicious party gaining access to a computer system using the identity of another person are potentially dire. Everything so accessed including corporate application data, becomes vulnerable to publication, alteration, corruption or deletion. It is therefore important that all users exercise a duty of care over their user-id and password. This policy informs the users of computer systems what they should and should not do to protect the resources they have access to. This policy covers all authentication mechanisms for all IT services at Royal Holloway, regardless of whether they are hosted on premise or hosted in 3 rd party data centres. This policy also includes access to cloud based services where we may be buying software as a service (SaaS). This includes all systems owned and administered by IT Services Staff. 2. Credentials Policy Objectives 2.1 Define credentials standards for all end users and system administrators of College systems 2.2 Safeguard user data and data users hold responsibility for, ensuring College reputation is not unduly at risk 2.3 Maintain confidence of external organisations in our data safeguarding processes 2.4 Reduce the possibility and implications of identity theft 2.5 Avoid unnecessary or complex security procedures by considering the user experience 2.6 Employ best practise/industry standards to ensure audit compliance Credentials Policy Page 1 of 10

3. Credentials Policy Principles 3.1 Keep the number of different credentials required to conduct College business to a minimum. This is not meant to encourage reuse of the same credential in multiple systems/services. 3.2 Deploy Single Sign On services (SSO) where possible. 3.3 All new systems (from December 2015) should use Active Directory credentials and enable standard College credentials to be used to admit users into new services. 3.4 All legacy systems should be considered in scope for an authentication health check and reconfiguration during the application/service lifecycle of upgrades. 3.5 This policy will outline the mechanism for systems to be considered out of scope of this policy. 3.6 Blacklist the most common passwords form being set by users. 3.7 Dormant Accounts staff accounts that have never been logged onto should be disabled after 1 month and then deleted as per the normal cycle. 3.8 This policy introduces Multi Factor Authentication to Royal Holloway for clarity Multi Factor Authentication (MFA) enables College systems to prompt users to supply both a password when logging onto a service plus an additional authentication secret. Usually this is provided by the use of a token or token equivalent (such as a smartphone) to provide time sensitive numbers which only the user has access to at the time of logon. In the event of password theft, a criminal would need to have access to the second factor of authentication to gain access to a system and data. 3.9 A users role and what data they can access in College systems will determine the password ruleset that will applied to their account. There are 3 rulesets and are outlined below: Credentials Policy Page 2 of 10

User Type Access to: Ruleset Standard User Advanced User System Administrator or Super User Access to their own data, no access to College wide data covered by the Data Protection Act (DPA). Examples include students, academics or professional services staff with no access to sensitive information in Banner, Resource Link or Agresso. Access to data covered by DPA, or role for example, has access to key College processes such as finance approval, multiple examination papers or sensitive College information. Access to a majority of data in an individual or multiple College systems. Password must be at least 8 characters long Must not be single dictionary word Must include a mix of letters, numbers, special characters and capitalisation No requirement to change password on regular basis. Password must be at least 8 characters long Must not be single dictionary word Must include a mix of letters, numbers, special characters and capitalisation Users will use Multi-Factor Authentication with no password change. Password must be at least 8 characters long Must not be single dictionary word Must include a mix of letters, numbers, special characters and capitalisation Multi-Factor Authentication is mandatory Credentials Policy Page 3 of 10

4. User Credential Principles 4.1 Users must not share their credentials with anyone. IT services will never ask for your password to be revealed. 4.2 Users must not store Royal Holloway credentials in browser (save my password) or 3rd party password safes. 4.3 Users should protect their passwords and avoid loss of credentials by shoulder surfers. 4.4 Users should not write their password down. 4.5 Users should be aware of phishing emails and not provide their logon credentials to rogue systems/services. In the event that users feel they may have given away their credentials, please follow the advice for compromised accounts at the end of this document. The password should be changed as soon as possible. 5. Assumptions 5.1 Excessive changing of passwords can lead to reduced security as users suffer password overload and either use common or a single password on many systems, or write their passwords down, which is poor practice. 5.2 Password changing rules should be appropriate to the level of access associated with the user Account. 5.3 Increased password length provides improved security over complexity rules; a combination of the two provides improved protection. 5.4 2 factor authentication provides improved security above complexity, length and regular changes of user passwords. 5.5 IT services will implement systems that reduce the number of Royal Holloway username and password combinations a user is required to use. This will include implementing services that make use of a single Royal Holloway username and password and where possible drive a strategy of single sign-on to reduce the number of times a password needs to be used within the work day. In some cases users may be required to have multiple usernames depending on what access they require to undertake their job. 5.6 IT services will provide a simple, and easy to use mechanism for users to change their password from a majority of devices on the internet. 5.7 Royal Holloway will provide adequate training and communication around the password policy. There will be a focus on the need to reduce the most Credentials Policy Page 4 of 10

common threat vector of password sharing human behaviour and the ability for social engineering to access data illegally. 5.8 All default passwords on devices must be changed before connecting to the College data network. 5.9 Authentication passwords must be for named individuals not groups 5.10 Passwords in systems must be stored in an encrypted format (See Secure Build Policy) 5.11 College systems will be designed where possible to provide lockout mechanisms to protect users passwords from being guessed by rogue users and systems. 5.12 Account locking - If more than 20 attempts are made in the space of five minutes to access an account then a sixty minute lockout will ensue. The account can be reactivated by contacting the IT Service Desk or waiting for the lockout to expire. 5.13 If a user manages to lock themselves out of their account by forgetting the password, the IT Service Desk will only unlock the account once the user has proven their identity. 6. System and Application procurement and development standards When purchasing or developing systems that rely on password authentication there are a number of minimum standards that must be met: 6.1 System must integrate with standard user directories or federations at RHUL (e.g. Active Directory, LDAP, Shibboleth etc.) 6.2 Passwords must be stored in an encrypted format 6.3 Passwords should transit between systems and networks encrypted. 6.4 Provide the capability for role management so one user can subsume the responsibilities of another without their password 6.5 Authentication must be for individuals and not groups 6.6 User roles should be provisioned by the Royal Holloway Identity management engine and roles and valid user identities be audited in an automated way on a regular basis to always ensure the correct users have access to the correct information. (This element is detailed in the Data Credentials Policy Page 5 of 10

Access Control Policy). 6.7 Device authentication in conjunction with user authentication is acceptable. 6.8 The College will not use NIS (Network Information System) as an authentication source. A NTLM (NT Lan Manager) should be disabled so it cannot be used. 7. Enforcement Compliance is essential to avoid data theft and unauthorised system access. Failure to comply with this policy document may result in disciplinary action. 7.1 Audit logs of authentication should be stored securely in a SIEM solution. 7.2 Review of authentication logs should automated within a SIEM solution to detect unusual activity relating to accounts and the use of credentials, including geographic location, number of attempts etc. 8. Exemptions Whilst this policy is designed to affect all instances of passwords use at Royal Holloway, there are always exceptions. Users of applications that, for whatever reason, cannot conform to these guidelines will be issued with additional information as required. For systems that wish to be exempt or deviate from this policy - approval must be given by the Strategic IT Board (SIB). The decision and supporting material will by collated for audit purposes. Credentials Policy Page 6 of 10

9. Compliance Each part of this policy states a requirement to audit access and ensure compliance with the policy. A RACI model should be applied. Responsible: Technical Service Owner Accountable: Head of Information Services Consulted: Data Stewards Informed: All users Compliance with this policy will be checked on a regular basis. used: 3 main methods will be Password audits will be scheduled, checked and maintained, documented and a clear audit trail maintained of actions taken. Annual review of password policy compliance will be checked whilst access audits are undertaken for each service, these will be scheduled and reported. Spot checks of systems will be undertaken to ensure ongoing compliance between review dates. Proactive checks will be spot checked to ensure compliance with policy. Compromise If you think your password may have been compromised, change it as soon as possible. If in doubt please contact IT Service Desk, who will be able to assist you. Remember that under no circumstances (via email, phone or in person) will IT Services ask you to divulge your credentials. Questions: If you have any questions on this policy or its execution, please contact: IT Service Desk 01784 444321 itservicedesk@rhul.ac.uk itservicedesk.rhul.ac.uk Credentials Policy Page 7 of 10

Related Documents: Data Access Control Policy Secure Build Policy Credentials Policy Page 8 of 10

Document Control Sheet Revision History Date of this revision: May 2017 Date of next revision: May 2018 Revision date Summary of Changes Changes marked January 2017 Initial Draft No January 2017 Post TSO workshop updates No May 2017 SIB Version 0.5 No Approvals Ratified by PRC SIB Ratification Yes Yes Credentials Policy Page 9 of 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback