ITS Authentication Policy
Policy Statement
Access to University information and/or information resources must be done using identifiers and authenticators that are unique to each individual and/or group. Authenticators used by users must meet minimum complexity requirements, be distributed to users in a secure manner and be known only to the intended user. All access granted through the use of identifiers and authenticators must be revoked immediately upon separation from the University and/or the revocation of the individual's need to access such information.
Reason for Policy
It is important that the University develop controls over the manner in which user identifiers and authenticators are established, distributed and revoked. Such controls allow the University to be reasonably assured that only the individual to whom the identifier was assigned has access to the information and information resources the identifier allows. In addition, the establishment of unique identifiers allows the University to trace suspicious and/or malicious activity to a specific individual or account.
Entities Affected By This Policy
All members of the Eastern Illinois University community, including but not limited to faculty, staff, students, and annuitants.
Contacts
EIU Information Security 217-581-1939
Definitions
Information resources - Information Resources are defined as any items, including telecommunication equipment, computer systems, applications, network equipment, and other equipment, goods, and services related to the processing, storage, transmission and collection of University information.
Non-public Information - Non-public information is any information designed for internal University use and not for release to the public. This information includes, but is not limited to, memos, internal e-mails, reports, course work, etc. This information may be subject to open records laws, however the intent of the work is not public use.
Protected Information - Protected information is any information that is currently covered by local, State or Federal regulation or contractual obligations such as PIPA, FERPA, HIPAA, GLBA, and PCI DSS.
User identifier - A User Identifier is any unique object that is used to positively identify one individual from another. User Identifiers can take the form of a user ID, a hardware token, etc.
User authenticator - A User Authenticator is an object (such as a password) that is used to ensure that the user identifier (such as a username) is used by the appropriate individual to which the identifier is assigned. User Authenticators can take the form of PINs, passwords, etc.
Group/service accounts - An account that is used to provide multiple users with the ability to access a service.
Principle
User Identification and Authentication
- All information resources allowing access to internal, protected and/or non-public information must have the ability to uniquely identify and authenticate users
- Any information resource allowing access to internal, protected and/or non-public information must utilize unique identifiers for each individual accessing the resource that meet, at minimum, the standards outlined below
- Any information resource utilizing unique identifiers to allow access to internal, protected and/or non-public information must also utilize unique authenticators that meet, at minimum, the standards outlined below
Device Identification and Authentication
- All information systems connecting to non-public sections of the University network must be uniquely identified and authenticated for such access
- Identification and authentication of information resources may be handled through:
  - Media Access Control (MAC) address registration
  - Network Access Control (NAC) technologies utilizing user authentication
Authenticator Management
- All authenticators used to grant access to information resources must meet the following complexity requirements:
  - Must not be a previous password
  - Minimum length should be at least 8 characters
  - Cannot use the same password twice
  - Cannot contain your first or last name
  - Must start with a letter and have both upper- and lower-case characters
  - Have at least 1 number
  - Must not be a palindrome
  - Must not contain restricted patterns
  - Have at least 1 non-alphanumeric character, limited to:
    - Minus sign (-)
    - Underscore (_)
    - Asterisk (*)
    - Exclamation point (!)
    - Period (.)
    - Backslash (\)
- All authenticators must be distributed in a secure manner
- Authenticators may not be distributed via e-mail or other non-encrypted, electronic methods.
- Authenticators may be distributed via telephone provided the caller’s identity has been verified prior to distribution
- Authenticators may be distributed via campus mail provided the mailing is done using an envelope sealed with glue (no tape or string allowed) and mailing is marked confidential
- Authenticators may be distributed via postal mail provided the mailing address used is from an official University source such as Banner
- First time authenticators are the only exception and may be distributed via email.
- Authenticator change requests may only be approved if the identity of the individual has been established via challenge-response mechanisms involving non-public information
- Authenticator changes must be uniquely generated
- Authenticator changes must force a change upon next logon
- Initial authenticators must:
  - Be uniquely generated
  - Not knowingly contain, in whole or in part, information such as:
    - Dates of Birth
    - Social Security numbers
    - User identifiers
    - User's name
- All authenticators for staff, faculty, annuitant, student, and general person accounts must be changed at least once every six (6) months
- All authenticators for service, group, and logon (labs and kiosks) accounts must be changed at least once every three (3) years. Service accounts will require the following complexity requirements:
  - Must not be a previous password
  - Have between 14 and 15 characters
  - Must start with a letter
  - Have both upper- and lower-case characters
  - Have at least 1 number
  - Have at least 1 non-alphanumeric character, limited to:
    - Minus sign (-)
    - Underscore (_)
    - Asterisk (*)
    - Exclamation point (!)
    - Period (.)
    - Backslash (\)
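As an added illustration (not part of the policy and not EIU's own code), the following Python checker applies the user-account complexity rules from the Authenticator Management section and the service-account rules above, returning every violation it finds rather than stopping at the first. The policy does not enumerate its "restricted patterns", so they are passed in as an assumed parameter, and the password-history check compares plaintext strings purely for demonstration.

```python
import re

# The only non-alphanumeric characters the policy permits.
ALLOWED_SPECIALS = set("-_*!.\\")

# Length bounds per account type: (minimum, maximum or None for no maximum).
LENGTH_RULES = {
    "user": (8, None),      # "at least 8 characters"
    "service": (14, 15),    # "between 14 and 15 characters"
}

def check_authenticator(candidate, account_type="user", first_name="",
                        last_name="", previous=(), restricted_patterns=()):
    """Return a list of policy violations; an empty list means the candidate passes.

    `previous` holds prior passwords in plaintext for illustration only; a real
    system would compare against stored hashes using the same KDF as the store.
    `restricted_patterns` (regular expressions) is an assumed parameter, since
    the policy does not list the patterns it restricts.
    """
    problems = []
    lo, hi = LENGTH_RULES[account_type]
    if len(candidate) < lo or (hi is not None and len(candidate) > hi):
        problems.append(f"length must be {lo}" + (f"-{hi}" if hi else "+") + " characters")
    if not candidate[:1].isalpha():
        problems.append("must start with a letter")
    if not any(c.isupper() for c in candidate) or not any(c.islower() for c in candidate):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs at least one digit")
    specials = {c for c in candidate if not c.isalnum()}
    if not specials:
        problems.append("needs at least one non-alphanumeric character")
    elif specials - ALLOWED_SPECIALS:
        problems.append("non-alphanumeric characters limited to - _ * ! . \\")
    if candidate in previous:
        problems.append("must not reuse a previous password")
    if account_type == "user":
        # The name, palindrome and restricted-pattern rules apply to user accounts only.
        lowered = candidate.lower()
        if any(n and n.lower() in lowered for n in (first_name, last_name)):
            problems.append("must not contain the user's first or last name")
        if lowered == lowered[::-1]:
            problems.append("must not be a palindrome")
        for pat in restricted_patterns:
            if re.search(pat, candidate, re.IGNORECASE):
                problems.append(f"contains restricted pattern {pat!r}")
    return problems
```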
Authenticator Security
- Authenticators may not be transmitted electronically over non-encrypted mediums
- Authenticators may only be known to the individual to whom the authenticator belongs
- Authenticators may not be shared with anyone or displayed in prominent locations
Multi-Factor Authentication (MFA)
The addition of multifactor authentication adds a layer of security which helps deter the use of compromised credentials, or the unauthorized use of another's log-in information. "Multifactor Authentication (MFA)" is a method of computer access control in which a user is granted access only after successfully presenting multiple separate pieces of evidence to an authentication mechanism, typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are). EIU utilizes the Duo Security software application for MFA.
Related Documents:
Family Educational Rights and Privacy Act (FERPA)
Last Date Reviewed: 06/13/2024