102 Information Security Authentication, Authorization, and Audit
The following table shows who is responsible for ensuring compliance with the policy requirements listed below.
Requirement | All Users | Users with Privileged access | System Custodians/ Administrators | WashU IT / IT @ WashU |
---|---|---|---|---|
WashU 2FA is required for remote access to the WashU network (p. 5). | ✔ | |||
WashU community members working remotely will adhere to all OIS policies, standards, and guidelines while working in remote settings (p. 3). | ✔ | |||
WashU community members will not use the same password for personal accounts and WashU accounts (p. 5). | ✔ | |||
WashU 2FA may be required for all connections to the WashU network based upon job roles and requirements (p. 5). | ✔ | |||
WashU 2FA is required for systems containing proprietary, Confidential, sensitive, and Protected Data and Information (p. 5). | ✔ | |||
WashU community members will not share login credentials or authentication factors (p. 5). | ✔ | |||
WashU community members will not write passwords down or save them in an unencrypted digital file (p. 5). | ✔ | |||
WashU community members will not circumvent authentication with auto logon, application remembering, embedded scripts, or hard-coded authentication credentials in client software, except as approved by the OIS (p. 5). | ✔ | |||
WashU community members will contact the WashU IT support group to reset passwords if a compromise is suspected (p. 5). | ✔ | ✔ | ||
IT Support Groups will only reset passwords after successfully verifying WashU community member identity (p. 5). | ✔ | |||
IT Support Groups will not ask for a community member’s password via email, chat, text, or other forms of electronic communication (p. 5). | ✔ | |||
WashU systems, applications, and devices will not store or remember passwords, especially on shared devices and workstations (p. 5). | ✔ | ✔ | ||
Users with privileged access will use individual accounts with unique usernames and passwords (p. 7). | ✔ | | | |
Requirement | All Users | Users with Privileged Access | System Custodians/ Administrators | WashU IT / IT @ WashU | Department, Schools, and Units |
---|---|---|---|---|---|
Access controls are documented (p. 3). | ✔ | ✔ | |||
Departments and schools will develop and maintain processes to ensure access to Protected and Confidential Data and Information is assigned and managed according to role (p. 3). | ✔ | ||||
Physical areas containing WashU IT infrastructure will have physical controls to prevent unauthorized access and use of information resources (p. 3). | ✔ | ✔ | |||
Access is granted according to the principle of least privilege and to maintain separation of duties where possible (p. 4). | ✔ | ✔ | |||
Access processes are developed and documented according to information classification (p. 4). | ✔ | ✔ | |||
Access levels are promptly modified to accommodate role and personnel changes, inactivity, and/or separation from the university (p. 4). | ✔ | ✔ | ✔ | ||
Users with privileged access will use WashU IT-managed devices or devices that comply with Policy 103: Device Management (p. 7). | ✔ | ||||
Users with privileged access will participate in security training as deemed appropriate by the OIS (p. 7). | ✔ | ||||
Users with privileged access comply with all applicable laws, policies, and regulations (p. 7). | ✔ | ||||
Users with privileged access will protect the integrity of WashU systems, data, and physical information resources (p. 7). | ✔ | ||||
Users with privileged access will protect the confidentiality and integrity of any information encountered while fulfilling specified roles and responsibilities (p. 7). | ✔ | ||||
Users with privileged access will respect the rights and privacy of system users, accessing only that information necessary to resolve a situation in the performance of specific job duties (p. 7). | ✔ | ||||
For just-in-time access rights: Once temporary need is over, supervisors will revoke privileged access or restore previous access levels (p. 8). | ✔ | ✔ | ✔ | ||
Management approval is required for temporary just-in-time privileges and access rights (p. 8). | ✔ | ✔ | | | |
Requirement | All Users | Users with Privileged Access | System Custodians/ Administrators | Departments, Schools, and Units |
---|---|---|---|---|
The computing environment is monitored for unauthorized personnel, connections, devices, and software (p. 3). | ✔ | |||
Authentication and access logs are integrated with monitoring systems (p. 4). | ✔ | |||
Accounts are regularly reviewed and managed (p. 4). | ✔ | ✔ | ||
Privileged accounts with access to Protected and Confidential systems and control code are regularly reviewed and revised (p. 4). | ✔ | ✔ | ||
Emergency access triggers an automatic review of who was granted access, the purpose of access, and the duration of access (p. 8). | ✔ | ✔ | | |
Summary of Policy
The policy outlines processes for granting, managing, and reviewing access to university systems and data based on user roles during normal and emergency operations. This policy includes information about the following topics:
- Managing access to Protected and Confidential data
- Managing physical access to WashU IT infrastructure
- Managing remote access to WashU networks and applications
- Identity authentication factors
- The responsibility of WashU Community members to manage authentication factors
- The responsibilities of IT support groups in resetting and handling passwords
- Password and two-factor authentication expectations for systems, applications, and devices
- Least privilege and functionality
- Managing access changes for WashU Community members who are joining the university, changing positions within the university, or separating from the university
- Privileged access management
Full Text of Policy
Policy 102 Information Security Authentication, Authorization, and Audit
This policy outlines processes for granting, managing, and reviewing access to university systems and data based on user roles during normal and emergency operations.
Related Information
100 Information Security Program
This policy is the foundation of the policy library and provides a rationale for the directives communicated in all other information security policies.
101 Information Security Status Monitoring, Reporting, and Review
This policy communicates logging requirements for academic, clinical, administrative, research, and technical information security activities at WashU.
103 Information Security Device Management
This policy outlines security expectations for all devices (e.g., laptops, mobile phones, thumb drives, external hard drives, etc.) that access the information resources of Washington University in St. Louis (WashU) and includes specific details for devices handling WashU Protected Data and Information.
106 Information Security Infrastructure Risk Management
This policy provides guidance and directives to the computing community at Washington University in St. Louis (WashU) to ensure the ongoing Confidentiality, Integrity, and Availability (CIA) of our information resources.
107 Information Technology Business Continuity and Disaster Recovery Planning
This policy communicates the expectations for developing, maintaining, and practicing risk-based plans for Information Technology Business Continuity (ITBC) and Information Technology Disaster Recovery (ITDR).
114 Information Security Exceptions
This policy clearly communicates how the OIS handles exception requests when compliance with published policies and standards is not possible.
200 Information Security Classification, Labeling, and Handling
This standard defines classification categories and control zones for data, information, and systems at Washington University in St. Louis (WashU).
202 Information Security Identity, Authentication, and Access Control
Review and revision of this standard is in progress. Please contact infosec@wustl.edu.