Remote Password Reset Standard

Transcription

1 Infrmatin Technlgy Remte Passwrd Reset Standard Identifier: Apprved Date: Octber 21, 2016 Revisin Date: Octber 21, 2016 Effective Date: December 1, 2016 Apprved by: Je Tlisan Standard Table f Cntents 1. Intrductin Purpse Scpe Definitins Rles and Respnsibilities Standards Training and Access Requirements Cmmunity Cllege Remte Passwrd Reset Prcess CSU and COSC Remte Passwrd Reset Prcess Cntrl Metrics Cntrl Tests Exceptins Related Publicatins Revisin Histry... 6

2 1. Intrductin A faculty member, staff member r student at ne f the Cnnecticut State Clleges and Universities (CSCU) may be unable t reset a passwrd using the autmated, self-service passwrd reset system because they d nt have the required data, data is nt available in the Infrmatin System t verify their identity r they are nt authrized t use the self-service system. In these cases, the individual will need t cntact their institutin t have their passwrd reset. The CSCU system needs t verify the individual s identity prir t the passwrd reset and cmply with the state and federal requirements n identity management. 2. Purpse Prvide a mechanism fr faculty, staff and students t have their passwrds reset via remte cmmunicatin, verifying the individual s identity, while maintaining the security cntrls and meeting ur federal and state regulatry requirements. 3. Scpe This applies t all CSCU cnstituent units. 4. Definitins Identity Data Identity data is any cmbinatin f infrmatin that will identify wh yu are. Typical identity data sets are first and last name, first initial and last name, first name and address. DCL3 Data DCL3 Previusly knwn as Class A Prtected at the CSUS Level 3 is prtected cnfidential data, which cmprises identity and financial data that, if imprperly disclsed, culd be used fr identity theft r t cause financial harm t an individual r the CSCU System. Security at this level is very high (highest pssible). Examples f DCL3 data are: Scial Security number & Identity Data Bank accunt r debit card infrmatin and Identity Data Credit card number & cardhlder infrmatin Student Lan Data DCL3 data must be prtected frm disclsure and maleficence. Remte Passwrd Reset Standard 2 f 6

3 DCL2 Data DCL2 Previusly knwn as Class A at the CSUS Level 2 is restricted data that is available fr disclsure, and may be disclsed under certain circumstances e.g. FOIA, legal request, etc. Such infrmatin is restricted due t federal and state law, ethical and privacy cnsideratins. An example f such restrictins wuld be the FERPA guidelines that gvern publicatin and disclsure f student infrmatin. Security at this level is high. Examples f DCL2 data are: Mther s maiden name Academic recrds Emplyee Medical Recrds Red Flag Rules In 2003, the U.S. Cngress enacted the Fair and Accurate Credit Transactin Act f 2003 (FACT Act) which required the Federal Trade Cmmissin (FTC) t issue regulatins requiring creditrs t adpt plicies and prcedures t prevent identify theft. In 2007, the Federal Trade Cmmissin (FTC) issued a regulatin knwn as the Red Flag Rule. The rule requires financial institutins and creditrs hlding cvered accunts t develp and implement a written identity theft preventin prgram designed t identify, detect and respnd t Red Flags, patterns, practices r specific activities that indicate the pssible existence f identity theft. Infrmatin Security User Educatin and Awareness Training A CSCU Infrmatin Security User Educatin and Awareness Training prgram that meets the minimum training requirements fr access t DCL3 data. CSCU Identity Management and Red Flags Training The CSCU curse n Identify Management, Infrmatin Security and the identificatin f Red Flags fr pssible identity theft. Assurance Functin Assurance is the respnsibility f the system wner and is the prcess the system wner uses t verify that bth technical and administrative cntrls are functining crrectly. Remte Passwrd Reset Standard 3 f 6

4 5. Rles and Respnsibilities CSCU Emplyee - CSCU emplyees with a minimum f DCL2 data access. Student Student in the CSCU system Faculty Faculty in the CSCU system Staff Staff in the CSCU system 6. Standards 6.1. Training and Access Requirements Only CSCU emplyees wh have DCL3 data access with the apprpriate training will be granted access t change passwrds fr faculty and staff. Only CSCU emplyees wh have DCL2 data access with the apprpriate training will be granted access t change passwrds fr students. All CSCU emplyees with access t change accunt passwrds remtely will need t have attended an Infrmatin Security User Educatin and Awareness Training class that meets the CSCU training standard Cmmunity Cllege Remte Passwrd Reset Prcess The authrized CSCU emplyee verifies the individual s identity by verbally requesting the first and last name f the individual, the CSCU faculty/staff/student identifier, e.g. CCC NetID, and last fur digits f the SSN with at least 1 f the fllwing identificatin elements cmparing it t the data in the verificatin system (e.g. Banner). Date f Birth Address n file Telephne number n file The passwrd will be reset t a randm passwrd that is verbally cmmunicated. The fllwing minimum infrmatin must be lgged by the reset prcess: wh perfrmed the reset, Banner ID f individual whse passwrd was reset, Date & Time reset ccurred. After a passwrd reset, the individual will be required t change their passwrd immediately upn a successful lgin r access t system resurces will be denied. Security questins and answers will be cleared and the individual will be required t establish a new security questin and answer immediately upn a successful lgin r access t system resurces will be denied. Any Red Flags during the passwrd reset will stp the prcess. Fr the passwrd t be reset ver the phne the individual needs t be transferred t a staff member with full Banner Access wh can verify the cmplete SSN and any additinal infrmatin required under Red Flags. Remte Passwrd Reset Standard 4 f 6

5 6.3. CSU and COSC Remte Passwrd Reset Prcess The authrized CSCU emplyee verifies the individual s identity by verbally requesting the first and last name f the individual, the CSCU faculty/staff/student identifier, e.g. CCSU BlueNet ID, SCSU - Ht Lt ID Card with at least 2 f the fllwing identificatin elements cmparing it t the data in the verificatin system (e.g. Banner). Last fur f SSN Date f Birth Address n file Telephne number n file The passwrd will be reset t a randm passwrd that is verbally cmmunicated. The fllwing minimum infrmatin must be lgged by the reset prcess: wh perfrmed the reset, Banner ID f individual whse passwrd was reset, Date & Time reset ccurred. After a passwrd reset, the individual will be required t change their passwrd immediately upn a successful lgin r access t system resurces will be denied. Security questins and answers will be cleared and the individual will be required t establish a new security questin and answer immediately upn a successful lgin r access t system resurces will be denied. Any Red Flags during the passwrd reset will stp the prcess. Fr the passwrd t be reset ver the phne the individual needs t be transferred t a staff member with full Banner Access wh can verify the cmplete SSN and any additinal infrmatin required under Red Flags. 7. Cntrl Metrics Quarterly reprts will be run t determine the number f passwrds resets perfrmed remtely, including the number unable t be reset during the Remte Passwrd Reset Prcess. A reprt n Red Flag events during each quarter will als be included. 8. Cntrl Tests Quarterly, an assurance functin will attempt 5 remte passwrd resets using Test Banner Accunts. Any deviatins frm the Student Remte Passwrd Reset Standard will be dcumented and reprted t management. 9. Exceptins T request an exceptin, please submit the Infrmatin Security Exceptin request t SecPrg@ct.edu The requestr and BOR Infrmatin Security Prgram Office will define the apprved alternative cnfiguratin if different than the riginal prpsal f the requestr. The exceptin prcess is NOT an alternative t the Change Cntrl Management prcess. Remte Passwrd Reset Standard 5 f 6

6 10. Related Publicatins Related Plicies BOR Infrmatin Security Plicy Related Prcedures Requesting r Revking Access t the GWANTID Frm User Guide fr the GWANTID frm Web Sites Supprt Services Website 11. Revisin Histry Previus versins f this standard September 16, 2014 Histry f Changes Nne Standards superseded by this standard Nne Remte Passwrd Reset Standard 6 f 6