Account Management Standards

Transcription

1 Account Management Standards Overview These standards are intended to guide the establishment of effective account management procedures that promote the security and integrity of University information systems and the information they contain. Access to campus information systems and protected information may be provided only to those having a need for specific access in order to accomplish an authorized task and must be based on the principles of need-to-know and least privilege. Authentication controls must be implemented for access to campus information systems and protected data. System owners must have documented processes for provisioning approved additions, changes, and terminations of access rights and reviewing access of existing account holders that complies with these standards. Access to campus information systems and protected information must be denied until specifically authorized. Roles and Responsibilities Role Account Holder Responsibility The individual or group which is assigned the Account Account Administrator Data Authority System Administrators System Owner Those who support Accounts by adding, modifying, assigning passwords, or other account attributes. The data authority is responsible for establishing standards/guidelines for granting and revoking access privileges. Those who are members of an organization that supports enterprise, division, or department level IT services. System administrators within their area of responsibility facilitate end-user privilege management and implement operating procedures to conform to campus information security standards and guidelines. The system owner is ultimately responsible for providing the system s service/functionality to the campus. Often the system owner is a manager/director, department chair, or dean. The system owner is responsible for ensuring that operating procedures are developed which meet the standards/guidelines outlined by the Data Authority. Definitions Term Account Definition A combination of a unique username and password or other authentication combination, which allows access to a system or service. Information Security Office 1 4/9/2009 v1.0

2 Administrative Account Service Account Privileged access An account that has a purpose related to administration of a specific system. Typically has privileged access. An account that has a purpose related to administration or operation of a specific application. Privileged access enables an individual to take actions that may affect computing systems, networks communication, or the accounts, files, data or processes of other users. Privileged access is typically granted to system administrators, network administrators, or other such employees whose job duties require special privileges over a computing system, application, database, or network. Account Authorization Access to campus information systems and protected information must include a process for documenting appropriate authorization before access or privileges are granted. The Data Authorities of CSU, Chico s information shall make decisions regarding access to their respective data (e.g., the Registrar will determine who has access to registration data, and what kind of access each user has). CSU, Chico Data Authorities must identify and document individuals who are authorized to define and approve user access to campus information systems and protected information. Data Authorities must also document authorization procedures. Authorizations must be tracked and logged following defined procedures and must include information such as: Date of authorization Identification of individual approving access Description of access privileges granted Description of why access privileges granted Provisioning Accounts The following security precautions apply to all accounts: 1. Account Establishment and Duration: Each account should be for the individual use of an identified student, staff, faculty, or vendor with a business need for this access. Accounts remain valid for the duration the individual maintains their affiliation with the University or until the account is suspended by the University. 2. Least Required Access Principle: When establishing accounts, standard security principles of least required access to perform a function must always be used, where administratively feasible. For example, a root or administrative privileged account should not be used when a non-privileged account will suffice. 3. Passwords: All new account passwords must be unique and comply with the campus Password Policy. 4. User Account Setup: The identity of users must be authenticated before providing them with account and password details. If an automated process is used, then the account holder should be asked to provide several information items that in totality could only be known by the account Information Security Office 2 4/9/2009 v1.0

3 holder. In addition, it is highly recommended that stricter levels of authentication (such as face-toface) be used for those accounts with privileged access. 5. Audit Log: The date when the account was issued should be recorded in an audit log. 6. Confidentiality Agreement: All users with access to CSU, Chico confidential information (protected Level 1 or Level 2 information) must sign a Confidentiality Agreement that is kept on file with Human Resources. 7. Vendor Accounts: An account may be issued to a vendor under contract to the University that shall be valid for the length of the agreement between the University and the vendor. 8. Vendor Account Duration: The university representative who serves as primary contact with the vendor is responsible for ensuring vendor accounts are valid no longer than the duration of the relevant agreement between the vendor and the University, and notifying the appropriate account administrator regarding changes to the account. 9. Multiple Status Users: Individuals who have multiple roles with the University (e.g. student and employee) may be required to establish separate accounts to fulfill the requirements of each role, when additional controls are deemed necessary to prevent unauthorized access outside of working hours. Provisioning Administrator and Service Accounts Standards for issuing Administrator and Service Accounts are the same as other accounts with the following additions and changes: 1. Access Procedure for Administrator and Service Accounts: The system owner or designee must approve the establishment and use of an Administrative or Service Account that accesses systems or applications for which they are responsible. 2. Account Establishment and Duration: Administrator and Service accounts can be tied to an individual, department, or group. Accounts remain valid while there is a business need for the use of the account or until the account is suspended by the University. 3. Confidentiality: The account holder must agree to maintain strict confidentiality of the password for the privileged account and confidentiality of any data or information to which they have access while using the privileged account. 4. Segregation of Duties: The principles of segregation of duties should be followed when assigning job responsibilities relating to restricted or essential resources. System owners must maintain an appropriate level of segregation of duties when issuing credentials to individuals who have access to information systems and protected information. System owners must avoid issuing credentials that allow a user to have excessive authority over systems or protected information. 5. Account Usage: Administrator and Service Accounts are specifically for system or application use only and shall not be used for any purpose other than facilitating the operation of the system or application. a. Privileged access may be used to perform standard system related duties only on machines and networks whose responsibility is part of assigned job duties. Examples include: i. Installing, upgrading, or troubleshooting system or application software. ii. Relocating individual s files from critically overloaded locations. iii. Performing repairs required to return a system to normal functions, such as fixing files or file process, or killing runaway processes. iv. Running security checking programs. v. Monitoring the system to ensure reliability and security. Information Security Office 3 4/9/2009 v1.0

4 b. Privileged access may be used to grant, change, or deny resources, access, or privilege to another individual only for authorized account management activities or under exceptional circumstances. Such actions must follow any existing organizational procedures. Examples include i. Disabling an account allegedly responsible for serious misuse such as attempting to compromise root (UNIX) or the administrator account (Windows), using host to send harassing or threatening , using software to mount attacks on other hosts, or engaging in activities designed to disrupt the functioning of the host itself. ii. Disconnecting a host or subnet from the network when a security compromise is suspected. iii. Accessing files for law enforcement authorities with a valid subpoena. 6. Group Access: Administrator and Service Accounts may be shared by a group of individuals for the purpose of operation and administration of the application or system only. In these cases, when possible, access to system accounts shall be via methods that allow the individual to authenticate using a username and password. 7. Insecure Network Access Restriction: Administrator and Service Account authentication via methods in which account information is passed in "plain-text", such as telnet, ftp, or http, shall be denied unless no other more secure method is available. 8. Temporary Account Access: Temporary accounts for users with privileged access must be approved by the system owner, should only be available for a specified period of time, and will be revoked when the work is complete. Records of all temporary access should be kept by the system owner. 9. Default Passwords: Accounts and passwords that are part of the default setup of a system shall be disabled or changed. This includes passwords for configuration access, SNMP community strings, database accounts, etc. Managing Accounts The following security precautions apply to all accounts: 1. Account Modification: The organization responsible for a resource is responsible to ensure changes in access privileges are appropriate to the change in job function or location. All changes to accounts must be approved and formally documented. All changes to user access privileges must be tracked and logged. 2. Account Deactivation: The organization responsible for a resource is also responsible for the prompt deactivation of accounts when necessary, i.e., accounts for terminated individuals shall be removed/disabled/revoked from any computing system at the end of the individual's employment or when continued access is no longer required. 3. Annual Review: All accounts shall be reviewed at least annually to ensure that access and account privileges are commensurate with job function, need-to-know, and employment status. This review must be documented. The Information Security Office may also conduct periodic reviews for any system connected to the CSU, Chico network. 4. Sponsored Accounts: All sponsored accounts (for those who are not official members of the CSU, Chico campus community) with access to CSU, Chico computing resources shall contain an expiration date of no more than one year or the work completion date, whichever occurs first. The appropriate authorized member of the administrative entity managing the resource must approve all sponsored accounts. Information Security Office 4 4/9/2009 v1.0

5 5. Password Change Requirements: Account holders may change their password at any time in accordance with departmental procedures, but must follow the campus Password Policy. 6. Account Lockout: Campus information systems should disable user accounts after a set number of failed logon attempts. System owners should establish procedures for re-enabling or resetting user accounts once they have been disabled. User identity must be appropriately verified prior to reenabling or resetting user accounts. If automated, these processes must take into consideration potential risk to determine the lockout time. 7. Suspending Accounts: Account administrators may suspend accounts which have expired passwords, have violated these standards, or the CSU, Chico Policy on the Use of Computing and Communications Technologies (EM and EM 07-01), or where the account holder has ceased to have the relevant status with the University. Managing Administrator and Service Accounts Guidelines for managing Administrator and Service Accounts are the same as other accounts with the following additions and changes: 1. Account Deactivation: Staff whose job duties require special privileges over a computing system, application, database, or network upon notification of separation from the University or changing job duties will have their account access reviewed, and account access should be removed/disabled/revoked immediately following their departure. Service accounts managed by the departing staff members will be reassigned and passwords of the service accounts will be changed. If the staff member is being terminated, all account access will be revoked as soon as possible. 2. Annual Review: Administrator and Service Accounts shall be reviewed at least annually by the Data Authorities and the Information Security Office to ensure that access and account privileges are commensurate with job function, need-to-know, and employment status. This review must be documented. Shared Accounts Use of shared accounts is not allowed. However, in some situations, a provision to support the functionality of a process, system, device (such as servers, switches or routers) or application may be made (e.g., management of file shares). Such exceptions will require documentation and approval, which justifies the need for a shared account. The requesting department must be informed of the risks of such access. Each shared account must have a designated owner who is responsible for the management of access to that account. The owner is also responsible for the above-mentioned documentation, which should include a list of individuals who have access to the shared account. The documentation must be available upon request for an audit or a security assessment. Shared authentication privileges must be regularly reviewed and re-approved at least annually. Procedure Documentation All groups supporting Accounts must develop and document account management practices based on the principles set forth in these standards. Documented procedures must exist for account issuance, password changes, suspension and removal, and annual review. Information Security Office 5 4/9/2009 v1.0

6 Review/Approval History Date Audience Action Version 4/24/2009 Information Security Officer Approved v1.0 4/24/2009 Chief Information Officer Approved v1.0 Information Security Office 6 4/9/2009 v1.0