The Office of Information Technology’s (OU IT) Account Management processes address the creation and maintenance of OU accounts that distinguish one individual from another.  OU accounts will be created, and labeled in accordance with the OU Active Directory Account Identification Standard, for individuals within the following categories:

*The creation of Shared accounts is prohibited for users accessing Category A, B, C, and D1 data.  See Information Classification Standard.  

Authentication

Ensuring that user activities can be associated to an individual and that their password is secure, is important for any identity and access management strategy.  Asset Administrators must configure Information Systems to authenticate users.  

1. Authentication of users to data or systems must be conducted via an OU active directory identifier (ID) and associated password.  This can be achieved by implementing one of the following authentication methods:
   1. Single Sign-On is the preferred authentication method for applications within the OU network.
   2. Microsoft Active Directory (via Windows Server) for Microsoft servers, workstations, and laptops.
   3. Federated authentication is the preferred authentication method for applications that require non-OU user access.  Federated authentication allows members of non-OU organizations to use their institutional authentication credentials to access a web application at OU.
2. Access to data or systems not capable of authenticating to the OU Active Directory service (i.e., local access control mechanism), must be capable of implementing the OU IT Password Policy, the controls set forth in this policy, and submitting an exception at the OU IT Exception Request Page.  OU IT GRC will work the requester to evaluate the access control measures to be implemented, and facilitate the risk acceptance process, if needed. 
3. All systems must use only encrypted authentication mechanisms.
4. OU credentials must not be coded into programs or queries unless they are encrypted, no other reasonable options exist, and must follow the OU Password Policy for password expiry.  An OU IT Exception Request must be submitted, if a user is coding authentication credentials into programs or queries and unencrypted. 

Multi-Factor Authentication

Multi-Factor Authentication (MFA) is achieved when multiple forms of authentication are used to increase the likelihood that the credentials are from the individual to whom they are assigned reducing the risk of impersonation or compromised credentials.  Multi-Factor authentication must be implemented in the following scenarios:

1. An asset is providing remote access to the university network.
2. An asset is greater than $75,000 in value.
3. An asset is storing Category A, C, D1, or E records.  See see Information Classification Standard.
4. An asset is unable to sustain an outage for greater than 48 hours.
5. Accessing an asset with a privileged account (e.g., privileged access).

General Access Controls

Proper management and use of user accounts are basic requirements for protecting the OU's Information Systems.  Anyone who create access accounts for applications, networks, or systems are required to manage the accounts in accordance with these general access controls.  Anyone who create access accounts for applications, networks, or systems are required to manage the accounts in accordance with these general access controls.

1. All access must be reviewed and approved by the Data Owner or Data Steward before being granted permissions to access a system or data. 
2. Account passwords must meet the OU Password Policy’s complexity requirements.
3. The password initialization and reset process must be a one-time use, auto-generated random password (sent separately from the username if sent in plain text) that may only be used for systems that require an immediate password change by the user.
4. Accounts must lock after 10 failed login attempts.
5. Sessions or applications must lock or logout after 4 hours of inactivity.
6. Systems and applications must be configured to display an approved system use notification, banner, or warning.
7. Access control permissions for all non-public data or systems must default to no access, which blocks access by unauthorized users. 
8. Systems must log all successful and unsuccessful login attempts.
9. Authentication logs must be sent to a central log repository that can be monitored by staff. System log monitoring must send alerts to system administrators if the maximum number of login attempts is reached.
10. Passwords must be changed when there is an indication of possible system or account compromise. If an account owner is unresponsive the account may be disabled.

Third Party Access

Third parties may serve an important function through the development and/or support of services, hardware, and software and, in some cases, the operation of computer networks, Servers, and/or applications.  The Data Owner, OU purchasing officers and staff, and the OU Chief Information Security Officer are jointly and separately responsible for ensuring that all third parties are reviewed to determine whether the third-party will have access to, outsource, maintain or create OU data; and that all such access, outsourcing, or maintenance complies with OU IT Security Policies or Standards.  The Data Owner, OU purchasing officers and staff, and the OU Chief Information Security Officer must ensure:

1. Any contact involving third-party access to, creation, or maintenance of Category A – Healthcare Information includes a Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement (BAA), in a form approved by the Office of Legal Counsel.
2. Any contract involving third party-provided credit card services must require that the third party provides assurances that all subcontractors who provide credit card services pursuant to the contract will comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) in the provision of the services.
3. Prior to access, maintenance, or creation of OU data by a third party, OU IT must perform an assessment to ensure that the third party safeguards data according to all commercially reasonable administrative, physical, and technical standards. 
4. All contractors, consultants, third parties, or other non-employees must only be given Privileged Access to data or systems when the Data Steward or Asset Administrator, determines there is a legitimate business need.  These privileges must be enabled only for the time period required to accomplish approved tasks and then promptly disabled upon completion of the approved tasks.  Unattended access by contractors, consultants, third parties, or other non-employees requires an OU IT Exception Request be submitted. 
5. All access by contractors, consultants, third parties, or other non-employees must be monitored and reviewed by the Office of Information Technology and Asset Administrators.

Access Control Procedures

Documentation of access control procedures and rights is necessary to provide appropriate access to data or systems, and must be based on business, security, and privacy requirements.  Data Data Stewards are responsible for authorizing access and monitoring appropriate use. 

1. Access Control Policies and Procedures, for Category A data or systems, must be documented using the OU HIPAA HCC Program and Procedures – HCC Review of Access to ePHI Systems Procedures.
2. Access Control Policies and Procedures, for all other data or systems, must be documented.  A template is available from OU IT Governance, Risk, and Compliance, if needed.  At a minimum, these procedures must include:
   • The levels of access to data or systems available.
   • Procedures for authorization and approval to grant  new access, modify access, and delete access requests, in accordance with the departmental Role-Based Access strategy or to only those with a “need to know”.
   • Procedures for tracking access requests of any type (new, modify, delete).
   • Procedures and assigned roles/responsibilities for reviewing access levels, at least annually, and more frequently, as necessary.

Access Reviews