Access Control Standard
- Purpose
All access rules and requirements to access Winston-Salem State University’s (WSSU) information resources should be developed, documented and maintained by their respective resource owners. Access to Winston-Salem State University’s information resources will be granted consistent with the concept of least privilege. All information processing systems owned by or operated on behalf of WSSU should have an appropriate role-based access control system that ensures legitimate users and/or systems have access to data resources that they are explicitly authorized to use.
- Scope
This applies to University data in typed, printed, written, electronic, and/or verbal formats regardless of how data are communicated, how data are transmitted, and/or whether data are saved to storage media (hard drives, DVD/CDs, USB/Thumb drives, etc.).
- User access management
- The Office of Information Technology shall ensure user access is managed by establishing procedures that cover the generation, distribution, modification and deletion of access to resources, and the review of user accounts immediately upon change of employment status. The purpose of this process is to ensure that only authorized individuals or other entities have access to WSSU applications and information and that these users only have access to the resources required for authorized purposes.
- Individual users shall have unique login IDs and passwords. An access control system shall identify each user and prevent unauthorized users from entering or using information resources. Security requirements for user identification include:
- Each user shall be assigned a unique identifier.
- Users shall be responsible for the use and misuse of their individual login ID.
- The User Management Process should include the following sub-processes:
- Enrolling new users
- Removing user IDs
- Granting privileges to a user
- Removing privileges from a user
- Periodic reviewing of privileges of users
- Periodic reviewing of users enrolled in any system
- Assigning a new authentication token (e.g. password reset processing).
- The appropriate data owner or steward or other authorized officer will make requests for the registration, granting, and revocation of access rights for all authorized users.
- All user accounts and IDs are audited at least twice yearly, and all inactive login IDs are revoked. The Human Resources Department notifies the Information Security Office and appropriate OIT personnel upon the transfer or departure of all employees and contractors, at which time login ID privileges are updated or revoked.
- For applications that interact with individuals that are not employed, registered, or appointed by WSSU, the information owner is responsible for ensuring an appropriate user management process is implemented where the limitation of access is appropriate.
These sponsored or guest users must have a completed and signed Network Access and Confidentiality Form. This form must also be signed by the information owner and the supervisor or department head of the requesting department or unit.
- User responsibilities
- Users are responsible and accountable for all activities that take place using their accounts.
- Users must keep their accounts and passwords secure.
- Users must keep unattended computing devices secure. This includes automatic password-protected screen savers after a set period of inactivity as well as securing office doors.
- System and application access control
- Network Access
Access to WSSU’s trusted internal network must require all authorized users to authenticate themselves through the use of an assigned user ID and an authentication mechanism, e.g., password, token or smart card, and/or digital certificate against an OIT managed authoritative access directory (LDAP, AD, Shibboleth, etc.).
- Remote (External) Access
- Accessing from a remote location and logging into university information technology resources, such as servers, printers, routers, or computers, is only permitted through secure, authenticated and centrally managed access methods. Also, accessing university information that may be highly sensitive or restricted is only permitted through secure, authenticated and centrally managed access methods. Authorized users of the university’s computer systems, networks or databases are only permitted to remotely access these systems, networks or databases for conducting university-related business.
- Individual accountability is required and must be maintained when WSSU’s resources are being accessed remotely. Identification and authentication of the entity or person attempting access must be performed across an encrypted connection using such technology as HTTPS and/or a secure VPN tool. Users who need a password reset must be authenticated before the request is granted.
- For a vendor to access WSSU computers or software, individual accountability is also required. For those systems (hardware or software) for which there is a built-in user ID for the vendor to perform maintenance, the account must be disabled until vendor access is required. The activity performed while this vendor user ID is in use must be logged. When the vendor has completed their work, the vendor user ID should be disabled, or the password changed to prevent unauthorized use of this privileged account.
- Authentication of a user can be accomplished using three techniques: by providing something only the user knows; by providing something the user has; or by identifying the user by a physical characteristic of the user. “Strong authentication” refers to the use of two of these three methods to authenticate a user (e.g., a password or PIN plus a token card).
- To maintain information security, WSSU requires that individual accountability is maintained at all times, including during remote access where sensitive information is exchanged. By contrast, remote access to generally available web content on WSSU servers does not necessarily require individual accountability. For the purposes of this standard, “remote access” is defined as any access coming into WSSU’s network from outside WSSU’s private, trusted network. This includes, but is not limited to:
- Connecting a third party network to the WSSU network
- VPN access
- VDI access
- Operating System Access
- Access to operating systems should be controlled by a secure log on procedure.
- Access to operating system code, services and commands must be restricted to only those individuals who need such access to perform their normal University roles. Where possible, individuals will have a unique user ID for their use so that activities can be traced to the responsible person. Wherever possible, user IDs should not give any indication of the user’s privilege level, e.g., supervisor, manager, administrator. In the instances when systems classified as confidential must use a shared account in order to do business, strong mitigating controls must be documented and practiced. In these unique situations, the proposed controls need review by the Information Security Manager.
- Administrator accounts or accounts with expanded privileges should only be used for administration and management of information resources.
- In certain circumstances, where there is a clear business requirement or system limitation, the use of a shared user ID for a group of users or a specific job can be used. Approval by management should be documented in these cases. Additional compensatory controls must be implemented to ensure accountability is maintained.
- Log on banners specifying a user’s rights and responsibilities regarding system usage should be presented to users during the login process.
- Users may not employ tools or utilities capable of overriding system and application controls without permission.
- Inactive sessions should be terminated after a defined period of inactivity.
- Application Access
- Access to WSSU applications must be restricted to those individuals who have a business need to access those applications or systems in the performance of their job responsibilities. Access to the source code for applications and systems must be restricted. This access should be further restricted so that authorized WSSU staff and contractors can access only those applications and systems they directly support.
- Access to applications and application data should be restricted according to the principle of least privilege.
- Access to mission-critical applications and confidential application data should be logged or documented by other means.
- Monitoring System Access and Use
Confidential systems and applications are monitored to detect deviation from the access control standard and to record events that provide evidence and allow lost or damaged data to be reconstructed. Depending on the nature of the events, continuous and/or periodic monitoring may be appropriate. Audit logs recording exceptions and other security-relevant events that represent security incidents or deviations from the policy are produced and kept to assist in future investigations and access control monitoring. Audit logs will include, where technically feasible:
- User IDs
- Dates and times for login and logoff
- Terminal identity or location if possible
- Records of rejected system access attempts
- Records of rejected data and other resource access attempts
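The following Python script is an added illustration, not part of the WSSU standard or any OIT tooling: it shows the kind of review that the audit-log fields above support, flagging enrolled accounts with no successful login inside an inactivity window (the twice-yearly review of inactive login IDs) and user/terminal pairs with repeated rejected access attempts. The log format, terminal names, user IDs and the roster are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample audit records using the fields the standard lists:
# timestamp, user ID, terminal identity, event, outcome. Not real WSSU data.
SAMPLE_LOG = """\
2024-03-01T08:02:11 jdoe     ws-lib-04  login  ok
2024-03-01T17:10:45 jdoe     ws-lib-04  logoff ok
2024-03-02T09:15:02 asmith   vpn-gw-1   login  ok
2024-03-02T09:15:50 asmith   srv-fin-01 data   rejected
2024-03-02T09:16:05 asmith   srv-fin-01 data   rejected
2024-05-20T22:41:13 vendor01 srv-erp-02 login  rejected
2024-05-20T22:41:40 vendor01 srv-erp-02 login  rejected
2024-05-20T22:42:02 vendor01 srv-erp-02 login  rejected
2024-08-14T10:00:00 bwong    ws-adm-12  login  ok
"""
# Constructed roster of enrolled accounts; "oldacct" never appears in the log.
ENROLLED = {"jdoe", "asmith", "vendor01", "bwong", "oldacct"}


def parse_log(text):
    """Parse whitespace-separated audit lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, terminal, event, outcome = line.split()
        records.append({"time": datetime.fromisoformat(ts), "user": user,
                        "terminal": terminal, "event": event, "outcome": outcome})
    return records


def inactive_accounts(records, enrolled, as_of_iso, max_idle_days):
    """Enrolled IDs with no successful login within max_idle_days of as_of.
    Accounts that never logged in are included: the review covers every
    enrolled user, not only those that happen to appear in the log."""
    last_login = {}
    for r in records:
        if r["event"] == "login" and r["outcome"] == "ok":
            last_login[r["user"]] = max(last_login.get(r["user"], r["time"]), r["time"])
    cutoff = datetime.fromisoformat(as_of_iso) - timedelta(days=max_idle_days)
    return sorted(u for u in enrolled if last_login.get(u, datetime.min) < cutoff)


def repeated_rejections(records, threshold):
    """(user, terminal) pairs with at least `threshold` rejected attempts:
    the exception events the standard requires to be logged and reviewed."""
    counts = Counter((r["user"], r["terminal"]) for r in records if r["outcome"] == "rejected")
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(inactive_accounts(recs, ENROLLED, "2024-09-01T00:00:00", 90))
    print(repeated_rejections(recs, 2))
```

The inactivity window and rejection threshold are parameters because the standard leaves the period to be set according to the sensitivity of each system.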
- Logical Access Control
The following principles are the main components of logical access control and itemize the standards to which all university information systems and applications must adhere.
- All university systems and their applications will be classified by the System Owner with concurrence by the university’s Information Security Officer or designee.
- Once classified, the system’s or the application’s minimum authentication and authorization requirements must be determined by the System Owner and documented according to risk and sensitivity.
- All systems and applications will have documented policies and procedures for:
- Approving and terminating access
- Obtaining and disabling temporary accounts
- Consistent periodic review and assessment of all accounts for continued needs with documentation as evidence of the review
- Locking accounts after a period of inactivity, with the period of time appropriate to the sensitivity of the system and associated risks
- Logging configurations and review
- The organization responsible for an information system is responsible for the prompt deactivation or disabling of accounts when necessary including but not limited to accounts subject to the following circumstances:
- The accounts for terminated individuals shall be removed/disabled/revoked from any computing system at the end of the individual’s employment or when continued access is no longer required
- The accounts of transferred individuals may require removal/disabling to ensure changes in access privileges are appropriate to the change in job function or location
- The accounts for employees who are not working due to any sort of leave, disability or another authorized purpose, or when continued access is no longer required, shall be temporarily disabled for a period consistent with the employee’s personal usage needs and duration of absence
- The accounts for employees suspended for more than one day for disciplinary reasons shall be disabled
- There will be no anonymous “guest” accounts on any system classified as confidential. The organization responsible for an information system shall issue a unique account to each individual authorized to access that information resource.
- Accounts on all systems will use non-shared, unique passwords. In the instances when systems classified as sensitive must use a shared account in order to do business, strong mitigating controls must be documented and practiced. Those systems residing on a guest network are exempt from this requirement.
- Physical and logical access to any system will be granted based on least privilege. When establishing accounts, standard security principles of “least privilege” to perform a function must always be used, where administratively feasible. Access privileges should be limited to those that the user has a genuine need for to complete job responsibilities and functions. For example, a root or privileged administrative account must not be used when a non-privileged account will do. Privileges must never be granted “in case” a user might need them.
- Access security designs for all systems will be group or role based and privileges assigned to groups or roles will be based on least privilege.
- Access privileges granted to each individual user will adhere to the principle of separation of duties. Technical or administrative users, such as programmers, System Administrators, Database Administrators, and security administrators of systems and applications, must have an additional, separate end-user account to access the system as an end-user to conduct their personal business.
- Passwords or PINs are required on all University-issued mobile devices such as PDAs and smartphones.
- No passwords for any system may be stored or transmitted in clear text.