14.10 IT Authentication and Authorization
Purpose
The University of Northern Iowa acknowledges its obligation to ensure appropriate security for data, business systems, and Information Technology (IT) resources in its domain of ownership and control.
The University of Northern Iowa develops, publishes, and enforces policies, procedures, and standards in order to achieve and maintain appropriate protection of university data and business systems. This document along with related security policies, procedures, and standards identifies key security issues for which individuals, colleges, departments, and units are responsible.
Scope
This policy applies to all faculty, staff, and students as well as any other individuals or entities who use data and business systems at the University of Northern Iowa. This policy applies to all university data, even if stored without the use of an IT resource. Further, this policy applies to all IT resources owned or leased by UNI and to any privately-owned equipment connected to the campus network; this includes, but is not limited to, computer equipment, software, operating systems, tablets, phones, multimedia devices, storage media, and the campus network itself.
Policy Statement
Every member of the University community shall be assigned an authentication credential known as a CatID. Student employees shall be given an additional credential for their employment to separate work and educational data. Accounts shall be created as part of the enrollment and hiring processes.
Requests for authorization to access University data shall be documented and approved via the central Security Request System (SRS), or via an IT help ticket if the role is not configured in SRS. Authorization to remotely access UNI IT Resources must always be requested via SRS. Authorization will always end at or around the separation date, in a manner prescribed and published by the Chief Information Officer (CIO) or designee in consultation with relevant University leadership.
Authorization to access level III data (UNI Policy 14.09 University Data Classification) must be approved by the employee’s department head, data custodian, and other appropriate individuals as designated by the CIO. Authorization will only be approved for individuals with a clear and demonstrated need for such access.
Every member of the University community is responsible for protecting the security of university data and business systems by adhering to the passphrase requirements published on the Information Technology website at https://it.uni.edu/catid-passphrase-requirements.
In order to protect the confidentiality, integrity, and availability of university data and IT resources, multi-factor authentication shall be required at the discretion of the CIO. The CIO or designee shall publish appropriate procedures and standards for authentication and authorization to protect the confidentiality, integrity, and availability of IT resources and university data. If multiple policy statements or security standards are relevant for a specific situation, the most restrictive security standards will apply.
Procedures
The official authentication credential for the University of Northern Iowa is the CatID. Whenever possible, IT resources shall be configured to use CatID. If CatID is not possible, usernames shall be configured to match CatID usernames whenever possible. Passphrases for IT Resources other than CatID must follow the minimum standards for CatID passphrases. If technical limitations on a system prevent passphrases from meeting CatID standards for length, passwords using 3 of the 4 character types (uppercase, lowercase, numbers, special characters) will be used instead.
Users are responsible for maintaining the security of passphrases; personal identification numbers (PINs); and authentication tokens, devices, and certificates under their control. Users must create unique passphrases for their UNI accounts. Users must not share their CatID passphrase or other private account authentication factors with other users.
Users forgetting their passphrase or losing other authentication factors must contact the Service Desk (319-273-5555) for assistance. Resets of passphrases and authentication factors will be done in a manner specified by the Chief Information Officer (CIO) with guidance from IT-Information Security.
The CIO has responsibility for setting the overall security posture of the University's IT resources. Implementation of security policies is assigned to Information Technology and may be delegated throughout the University at the CIO’s discretion. The CIO has the ability to make exceptions to access and authorization procedures when necessary and in support of the University’s mission.
Elevated Privilege System Accounts
Elevated privilege system accounts are those accounts that have the authorization required to maintain a system or application (such as operating system, application, or database administrator accounts) or to operate a scientific instrument. Administrators should not use their CatID account as an elevated privilege system account. Each systems administrator should be assigned their own elevated privilege system account that is not shared and is used only when the elevated privileges are required. Where possible, these accounts should use a managed authentication service such as Active Directory, LDAP, or RADIUS. When elevated privilege system accounts are accessed remotely, it is recommended that they be protected by a multi-factor authentication service.
Local Workstation Administrator Accounts
Local administrator accounts are to be used for system administration purposes and only when a centrally-managed account (Active Directory, CatID, LDAP) is not accessible. The password for this account must be unique per computer.
Service Accounts
Service accounts are those accounts whose passphrase is managed within a group of employees, and include device and application passphrases. Service accounts also include any special accounts that do not fit well under other categories. Service accounts are subject to the same passphrase requirements as other accounts, but some accounts may be held to even higher standards by the CIO, commensurate with their potential impact if compromised. Service accounts should be reviewed annually to ensure the account is still required for proper operation. All service accounts must have a designated owner who is a current employee. All service account passphrases must be changed when a group member with access to or knowledge of the passphrase leaves the group.
Disciplinary Action
Violations of this policy may be referred for disciplinary action as indicated in Policy 14.04 Acceptable Use of Information Technology Resources.
Usage of Terms
AUTHENTICATION – Authentication is the verification of the identity of a user or system by various mechanisms, including usernames, passphrases, biometrics, tokens, soft tokens, certificates, etc.
AUTHORIZATION – Authorization is the process that grants or denies access to IT Resources based on the user’s identity.
AVAILABILITY – Availability is the ability to assure that systems work promptly and service is not denied to authorized users. A loss of availability is the disruption of access to or use of information or an information system.
CONFIDENTIALITY – Confidentiality ensures that confidential information is only disclosed to authorized individuals. A loss of confidentiality, for the purposes of this policy, is the unauthorized disclosure of information.
DATA CUSTODIAN – Data custodians are senior university officials who have planning, management, and policy-level responsibility for data within their functional areas. A data custodian has the authority to authorize or deny access to data. For example, the Registrar, Director of Human Resource Services, Director of Business Operations, Director of Admissions, Department Heads, Deans, Vice Presidents, and the University President would all be data custodians. University administrators may act as data custodians for departments under their authority.
INTEGRITY – Integrity is the appropriate maintenance of information and systems. A loss of integrity is the unauthorized modification or destruction of information.
IT RESOURCE – IT resource may include computers, software, servers, network utilization, storage utilization, virtual machine capacity, tablets, phones, multimedia devices, storage devices, wireless spectrum, and any other in-demand resource managed by IT staff.
MULTI-FACTOR AUTHENTICATION – Multi-factor authentication is the use of more than one authentication factor in the process of authentication. The typical factors are something-you-know (passphrases), something-you-have (phone or token), or something-you-are (fingerprints). These are sometimes respectively known as knowledge, possession, and inherence. Multi-factor authentication is sometimes known as two-factor authentication when just two of the factors are used.
PASSPHRASE – Often synonymous with password. Passphrases are generally required to be longer than passwords and can contain many words up to entire sentences. Additional complexities, such as numbers or special characters, are typically optional.
POTENTIAL IMPACT – Potential impact is the level of adverse effect a loss of confidentiality, integrity, or availability could be expected to have on university operations, university assets, or individuals.
SERVER – Nearly all computers may function as a server. For this policy, a server is generally an IT resource that provides centralized services to other IT resources and has specialized hardware and/or software to ensure reliability and capacity.
UNIVERSITY DATA – University data is information that supports the mission and operation of the University. It is a vital asset and is owned by the University. Some university data is shared across multiple units of the University as well as with outside entities.
USER – User includes any faculty, staff, student, developer, contractor, vendor, or visitor as well as any other individual or entity using information, university data, and/or IT resources of the University of Northern Iowa.
Information Technology, approved March 4, 2019
University Council, approved April 15, 2019
President and Executive Management Team, approved May 6, 2019