8.2.1.11 Identity and Access Management Policy

Policy Statement

To provide appropriate access to data and systems and to prevent unauthorized access, the University of Oklahoma (OU) has established this Identity and Access Management Policy to define information security requirements for the identity and access management processes relevant to university data or systems. This policy covers identity and access management, including the process of setting up, changing, and removing users' access rights based on business needs.

Web Address For This Policy

TBD

Definitions

See Information Technology and Security Definitions.

Identification

The Office of Information Technology’s (OU IT) Account Management processes address the creation and maintenance of OU accounts that distinguish one individual from another. OU accounts will be created and labeled in accordance with the OU Active Directory Account Identification Standard for individuals within the following categories:

Student Account
    • General purpose: OU/OUHSC account for students.
    • Associated with a specific individual: Yes
    • Administrator permissions: No
    • Expires after: 3 inactive enrollment periods
    • Deleted: 30 days after graduation

Staff or Faculty Account
    • General purpose: OU/OUHSC account for staff or faculty.
    • Associated with a specific individual: Yes
    • Administrator permissions: No
    • Disabled: 1 week after termination

Sponsored Account
    • General purpose: OU/OUHSC account for other individuals (e.g., vendors, visiting faculty, collaborative research partners, contractors).
    • Associated with a specific individual: Yes
    • Administrator permissions: No
    • Expires after: 1 year
    • Disabled: When no longer needed

Shared Account
    • General purpose: OU/OUHSC account for multiple users sharing the same identity.*
    • Associated with a specific individual: No
    • Administrator permissions: No
    • Expires after: 1 year
    • Disabled: When no longer needed

Service Account
    • General purpose: OU/OUHSC account for Information Systems to authenticate to other systems or applications without any association to an individual.
    • Associated with a specific individual: No
    • Administrator permissions: No
    • Expires after: 1 year
    • Disabled: When no longer needed

Privileged Account
    • General purpose: OU/OUHSC account for OU IT staff and University department IT staff who require extra privileges related to the management of a device or application.
    • Associated with a specific individual: Yes
    • Administrator permissions: Yes
    • Expires after: 1 year
    • Disabled: When no longer needed

Alumni Account
    • General purpose: Alumni account for former students who have graduated, or for retired faculty or staff.
    • Associated with a specific individual: Yes
    • Administrator permissions: No
    • Expires after: If password is unchanged after 365 days
    • Disabled: When the account has been expired for 30 days or the last password change occurred more than 395 days ago
    • Deleted: When the account has been disabled for 60 days or the last password change occurred more than 455 days ago

*The creation of Shared accounts is prohibited for users accessing Category A, B, C, and D1 data.  See Information Classification Standard.  
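The expiry, disable, and delete thresholds in the account table are the kind of rule an identity team turns into an automated review. The following is an added example (not part of this policy and not OU IT's own tooling) that encodes those thresholds as a lifecycle check over a constructed set of accounts; the Account record, its field names, and the sample data are assumptions for the illustration, and "when no longer needed" is left as a human decision rather than automated.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Added example: the expiry / disable / delete thresholds from the account
# table, encoded as a lifecycle check. The Account record and its field names
# are assumptions for this illustration, not OU IT's account schema, and
# "when no longer needed" (a human decision) is deliberately not automated.

ONE_YEAR = timedelta(days=365)


@dataclass
class Account:
    name: str
    kind: str                                   # student, staff, sponsored, shared, service, privileged, alumni
    created: date
    password_changed: date
    termination_date: Optional[date] = None     # staff or faculty: separation date
    graduation_date: Optional[date] = None      # student: graduation date
    expired_on: Optional[date] = None           # date the account entered the expired state, if any
    disabled_on: Optional[date] = None          # date the account was disabled, if any
    inactive_enrollment_periods: int = 0        # student: consecutive enrollment periods without enrollment


def lifecycle_action(acct: Account, today: date) -> str:
    """Return the most severe action the table calls for: 'delete', 'disable', 'expire' or 'none'."""
    pw_age = (today - acct.password_changed).days

    if acct.kind == "student":
        # Deleted 30 days after graduation; expires after 3 inactive enrollment periods.
        if acct.graduation_date and today >= acct.graduation_date + timedelta(days=30):
            return "delete"
        if acct.inactive_enrollment_periods >= 3:
            return "expire"
        return "none"

    if acct.kind == "staff":
        # Disabled 1 week after termination.
        if acct.termination_date and today >= acct.termination_date + timedelta(days=7):
            return "disable"
        return "none"

    if acct.kind in ("sponsored", "shared", "service", "privileged"):
        # Expire after 1 year; disabling is "when no longer needed", left to the Asset Administrator.
        if today >= acct.created + ONE_YEAR:
            return "expire"
        return "none"

    if acct.kind == "alumni":
        # Thresholds are driven by password age and by time spent in the expired/disabled states.
        disabled_days = (today - acct.disabled_on).days if acct.disabled_on else 0
        expired_days = (today - acct.expired_on).days if acct.expired_on else 0
        if pw_age > 455 or disabled_days >= 60:
            return "delete"
        if pw_age > 395 or expired_days >= 30:
            return "disable"
        if pw_age > 365:
            return "expire"
        return "none"

    raise ValueError(f"unknown account kind: {acct.kind!r}")


def review(accounts, today):
    """Map each account name to the action due, omitting accounts that need nothing."""
    actions = ((a.name, lifecycle_action(a, today)) for a in accounts)
    return {name: action for name, action in actions if action != "none"}


# Constructed sample accounts (not real OU data).
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("stu1", "student", date(2020, 8, 15), date(2024, 1, 10), graduation_date=date(2024, 4, 15)),
    Account("prof1", "staff", date(2015, 1, 5), date(2024, 3, 1), termination_date=date(2024, 5, 20)),
    Account("svc-backup", "service", date(2023, 5, 1), date(2023, 5, 1)),
    Account("alum-old", "alumni", date(2010, 5, 1), date(2023, 1, 1)),
    Account("alum-recent", "alumni", date(2012, 5, 1), date(2023, 4, 1)),
    Account("adm1", "privileged", date(2024, 1, 15), date(2024, 5, 15)),
]

if __name__ == "__main__":
    for name, action in review(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{name}: {action}")
```

Running the check over the sample set flags the graduated student for deletion, the terminated staff member for disabling, the year-old service account as expired, and the two alumni accounts at the 395-day and 455-day password-age thresholds; the privileged account created in January is still within its year and is not listed.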

Authentication

Ensuring that user activities can be associated with an individual and that the individual's password is secure is important for any identity and access management strategy. Asset Administrators must configure Information Systems to authenticate users.

  1. Authentication of users to data or systems must be conducted via an OU Active Directory identifier (ID) and associated password. This can be achieved by implementing one of the following authentication methods:
    1. Single Sign-On is the preferred authentication method for applications within the OU network.
    2. Microsoft Active Directory (via Windows Server) for Microsoft servers, workstations, and laptops.
    3. Federated authentication is the preferred authentication method for applications that require non-OU user access. Federated authentication allows members of non-OU organizations to use their institutional authentication credentials to access a web application at OU.
  2. Data or systems not capable of authenticating to the OU Active Directory service (i.e., those using a local access control mechanism) must implement the OU IT Password Policy and the controls set forth in this policy, and an exception must be submitted at the OU IT Exception Request Page. OU IT GRC will work with the requester to evaluate the access control measures to be implemented and facilitate the risk acceptance process, if needed.
  3. All systems must use only encrypted authentication mechanisms.
  4. OU credentials must not be coded into programs or queries unless they are encrypted, no other reasonable option exists, and the OU Password Policy for password expiry is followed. An OU IT Exception Request must be submitted if a user codes unencrypted authentication credentials into programs or queries.

Multi-Factor Authentication

Multi-Factor Authentication (MFA) is achieved when multiple forms of authentication are used to increase the likelihood that the credentials are from the individual to whom they are assigned, reducing the risk of impersonation or compromised credentials. Multi-Factor Authentication must be implemented in the following scenarios:

  1. An asset is providing remote access to the university network.
  2. An asset is greater than $75,000 in value.
  3. An asset is storing Category A, C, D1, or E records. See Information Classification Standard.
  4. An asset is unable to sustain an outage for greater than 48 hours.
  5. Accessing an asset with a privileged account (e.g., privileged access).

General Access Controls

Proper management and use of user accounts are basic requirements for protecting OU's Information Systems. Anyone who creates access accounts for applications, networks, or systems is required to manage the accounts in accordance with these general access controls.

  1. All access must be reviewed and approved by the Data Owner or Data Steward before permissions to access a system or data are granted.
  2. Account passwords must meet the OU Password Policy’s complexity requirements.
  3. The password initialization and reset process must be a one-time use, auto-generated random password (sent separately from the username if sent in plain text) that may only be used for systems that require an immediate password change by the user.
  4. Accounts must lock after 10 failed login attempts.
  5. Sessions or applications must lock or logout after 4 hours of inactivity.
  6. Systems and applications must be configured to display an approved system use notification, banner, or warning.
  7. Access control permissions for all non-public data or systems must default to no access, which blocks access by unauthorized users. 
  8. Systems must log all successful and unsuccessful login attempts.
  9. Authentication logs must be sent to a central log repository that can be monitored by staff. System log monitoring must send alerts to system administrators if the maximum number of login attempts is reached.
  10. Passwords must be changed when there is an indication of possible system or account compromise. If an account owner is unresponsive the account may be disabled.
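Items 4, 8, and 9 together describe a detection: every login attempt is logged, the logs go to a central repository, and an alert fires when an account reaches the lockout threshold. The following is an added example (not part of this policy and not OU's monitoring tooling) that applies that logic to a constructed authentication log. The line format, the 15-minute counting window, the alert shape, and the sample data are assumptions for the illustration; the threshold of 10 is the policy's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example: the lockout-alert logic of items 4, 8 and 9 applied to a
# constructed authentication log. The line format, the 15-minute window and
# the alert shape are assumptions for this illustration, not OU's log format.

LOCKOUT_THRESHOLD = 10            # item 4: accounts lock after 10 failed attempts
WINDOW = timedelta(minutes=15)    # assumption: the policy does not set a counting window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL) src=(?P<src>\S+)$"
)


def parse(line):
    """Return (timestamp, user, result, source) or None for lines that are not login events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["result"], m["src"]


def lockout_alerts(lines, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Emit one alert per account at the moment its failures within `window` reach `threshold`.

    A successful login resets the account's counter; failures older than the window are dropped.
    """
    failures = defaultdict(list)   # user -> [(timestamp, source), ...] still inside the window
    alerts = []
    for event in map(parse, lines):
        if event is None:
            continue               # lines that are not login events are ignored by this check
        ts, user, result, src = event
        if result == "SUCCESS":
            failures[user].clear()
            continue
        failures[user] = [f for f in failures[user] if f[0] >= ts - window]
        failures[user].append((ts, src))
        if len(failures[user]) == threshold:
            alerts.append({
                "time": ts,
                "user": user,
                "sources": sorted({s for _, s in failures[user]}),
            })
    return alerts


# Constructed sample log (not real OU data): asmith fails twice then succeeds,
# jdoe fails eleven times from two addresses, and one line is not a login event.
SAMPLE_LOG = [
    "2024-05-01T08:00:00 LOGIN user=asmith result=FAIL src=10.0.0.7",
    "2024-05-01T08:00:05 LOGIN user=asmith result=FAIL src=10.0.0.7",
    "2024-05-01T08:00:09 LOGIN user=asmith result=SUCCESS src=10.0.0.7",
    "sshd[1234]: Connection closed by 10.0.0.9",
] + [
    f"2024-05-01T08:01:{i:02d} LOGIN user=jdoe result=FAIL src=10.0.0.{5 + i % 2}" for i in range(10)
] + [
    "2024-05-01T08:01:30 LOGIN user=jdoe result=FAIL src=10.0.0.5",
]

if __name__ == "__main__":
    for alert in lockout_alerts(SAMPLE_LOG):
        print(f"{alert['time'].isoformat()} lockout threshold reached for {alert['user']} from {alert['sources']}")
```

The alert fires exactly once, on the tenth failure, and carries the set of source addresses seen in the window so the administrator receiving it (item 9) can tell a forgotten password from a spray across hosts; the eleventh failure does not re-alert, and asmith's two failures followed by a success never reach the threshold.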

Third Party Access

Third parties may serve an important function through the development and/or support of services, hardware, and software and, in some cases, the operation of computer networks, Servers, and/or applications.  The Data Owner, OU purchasing officers and staff, and the OU Chief Information Security Officer are jointly and separately responsible for ensuring that all third parties are reviewed to determine whether the third-party will have access to, outsource, maintain or create OU data; and that all such access, outsourcing, or maintenance complies with OU IT Security Policies or Standards.  The Data Owner, OU purchasing officers and staff, and the OU Chief Information Security Officer must ensure:

  1. Any contract involving third-party access to, creation, or maintenance of Category A – Healthcare Information includes a Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement (BAA), in a form approved by the Office of Legal Counsel.
  2. Any contract involving third party-provided credit card services must require that the third party provides assurances that all subcontractors who provide credit card services pursuant to the contract will comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) in the provision of the services.
  3. Prior to access, maintenance, or creation of OU data by a third party, OU IT must perform an assessment to ensure that the third party safeguards data according to all commercially reasonable administrative, physical, and technical standards. 
  4. All contractors, consultants, third parties, or other non-employees must only be given Privileged Access to data or systems when the Data Steward or Asset Administrator determines there is a legitimate business need. These privileges must be enabled only for the time period required to accomplish approved tasks and then promptly disabled upon completion of the approved tasks. Unattended access by contractors, consultants, third parties, or other non-employees requires that an OU IT Exception Request be submitted.
  5. All access by contractors, consultants, third parties, or other non-employees must be monitored and reviewed by the Office of Information Technology and Asset Administrators.

Access Control Procedures

Documentation of access control procedures and rights is necessary to provide appropriate access to data or systems, and must be based on business, security, and privacy requirements. Data Stewards are responsible for authorizing access and monitoring appropriate use.

  1. Access Control Policies and Procedures, for Category A data or systems, must be documented using the OU HIPAA HCC Program and Procedures – HCC Review of Access to ePHI Systems Procedures.
  2. Access Control Policies and Procedures, for all other data or systems, must be documented.  A template is available from OU IT Governance, Risk, and Compliance, if needed.  At a minimum, these procedures must include:
    • The levels of access to data or systems available.
    • Procedures for authorization and approval to grant new access, modify access, and delete access requests, in accordance with the departmental Role-Based Access strategy or limited to those with a “need to know”.
    • Procedures for tracking access requests of any type (new, modify, delete).
    • Procedures and assigned roles/responsibilities for reviewing access levels, at least annually, and more frequently, as necessary.

Access Reviews

Data Owners and Stewards must control and monitor access to data within their scope of responsibility and through the use of appropriate administrative, physical, and technical safeguards. 

  1. User access must be reviewed, at least annually, when major changes occur, and modified or revoked upon a change in status with OU. These reviews must include access to all components of a system (e.g., application, database, operating system, etc.).
  2. Administrator privileges assigned to individuals must be reviewed, at least every 90 days, and modified or revoked upon a change in status with OU. 
  3. The results of user access reviews must be approved by the Data Owner or Steward.

References

  1. National Institute of Standards and Technology Cybersecurity Framework (CSF), PR.AC-1, PR.AC-4, PR.DS-5
  2. National Institute of Standards and Technology Special Publication 800-171, Controlled Unclassified Information, 3.1 Access Control, 3.9.2
  3. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Security Rule, §164.308(a)(3), §164.308(a)(4), §164.308(a)(5)(ii)(C), §164.308(a)(5)(ii)(D), §164.312(a)(1), §164.312(d)
  4. General Data Protection Regulation (GDPR)
  5. Payment Card Industry (PCI) Data Security Standards
  6. Gramm-Leach-Bliley Act (GLBA)
  7. Family Educational Rights and Privacy Act (FERPA)
  8. National Institute of Standards and Technology Special Publication 800-61, Computer Security Incident Handling Guide

Revision, Review, and Approval History

  • April 2023: Internal Audit: Reviewed policy, comments submitted
  • April 2023: OU IT Governance, Risk, and Compliance: Multi-Factor Authentication criteria updated.
  • June 2023: Cybersecurity and Infrastructure Advisory Committee (CIAC): Reviewed policy, recommended for approval
  • February 2024: Office of Legal Counsel: Reviewed and revised policy.
  • May 2024: Policy approved and signed by University President.