Policy 102 Information Security Authentication, Authorization, and Audit

Purpose
Applicability and Audience
Information Security Roles and Responsibilities (100.01)
Policy
Policy Compliance
Related Policies, Standards, and Guidelines
References
Policy Review

Purpose

The Information Security Authentication, Authorization, and Audit Policy outlines the process for granting, managing, and reviewing access to university systems and data based on user roles during normal and emergency operations at Washington University in St. Louis (WashU). Access control is necessary to maintain compliance with regulatory requirements.

This policy establishes access controls and describes the following:

authentication factors
the purpose and implementation of least privilege and functionality
the use of and responsibilities associated with privileged accounts
the periodic review or audit of the privileges and permissions granted to individuals.

Applicability and Audience

This policy applies to all information resources that are owned, leased, vended, contracted, or operated by the university, including hardware, software, systems, and data.

This policy applies to all members of the WashU Community, including faculty, staff, students, and any agent of the university with access to WashU information and networks for contracted services. This includes, but is not limited to partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.

WashU community members with elevated privileges as systems administrators have additional responsibilities for ensuring compliance with this policy and associated standards.

Information Security Roles and Responsibilities (100.01)

Policy

102.00 Introduction

WashU authentication and authorization processes help protect the Confidentiality, Accessibility, and Integrity (CIA) of university information resources by reducing the risk of unauthorized access and use. Authentication verifies that an individual is who they claim to be based on something they know (e.g., password), something they have (e.g., smart phone), or something they are (e.g., biometrics). Authorization involves how access to institutional data and systems is controlled. Audit refers to the documentation and review of access.

The Information Security Authentication, Authorization, and Audit Policy describes processes for authenticating user identity, authorizing access to various university information resources, and the responsibility of managing access to WashU data and systems.

102.01 Managing Access

Securing WashU Protected and Confidential Data and Information

Controls to grant, modify, and review account access are necessary to secure WashU’s Protected and Confidential Data and Information, as defined in Policy 100: Information Security Program (see section 100.04 Data, Information, and System Classification). In addition to controls, WashU departments and schools will develop and maintain processes to ensure access to Protected and Confidential Data and Information is assigned and managed according to role.

The Office of Information Security (OIS) and other offices involved will regularly review and validate that appropriate controls are in place.

Managing Physical Access

Physical areas containing WashU IT infrastructure will have physical controls to prevent unauthorized access and use of information resources. Physical security controls are described in the Infrastructure Physical Security section of Policy 106: Information Security Infrastructure Risk Management.

Managing Remote Access

WashU Community members working remotely need access to the WashU network and applications to create, transmit, and store information related to university activities. All OIS policies, standards, and guidelines apply for WashU Community members working in remote settings. Remote access and computing guidance is available and regularly updated on the OIS website.

Controls

The OIS will review and identify applicable security frameworks (e.g., NIST CSF, NIST SP 800-53) and other industry standards that apply within WashU departments and schools. Control assignments are based on the classification of information created, hosted, or transmitted within the WashU infrastructure. Refer to Standard 200: Information Security Classification, Labeling, and Handling for more information about security frameworks, controls, and control zones.

To ensure compliance, departments and schools will document the implementation of controls identified by the OIS. Refer to Standard 202: Information Security Identity, Authentication, and Access Control for additional details.

Monitoring and Audit

Regular monitoring and auditing of access to WashU information resources allow the OIS to manage security risks more effectively. Management, supervisors, Data Owners, and System Custodians/System Administrators are responsible for coordinating the following:

Documenting access controls
Monitoring for unauthorized personnel, connections, devices, and software
Integrating authentication and access logs with monitoring systems
Regularly reviewing and managing accounts according to Standard 202: Information Security Identity, Authentication, and Access Control
- Ensuring access is granted according to the principle of least privilege and to maintain separation of duties where possible
- Reviewing and revising privileged accounts with access to systems containing Protected and Confidential Information or control code
- Promptly modifying access levels to accommodate role/personnel changes, inactivity, and separation from the university
Generating reports using an identity and access management tool

The OIS will review requests for exceptions to these requirements.

102.02 Information Access Controls

Access Processes

WashU departments and schools will develop and document access processes based on information classification. Standard 202: Information Security Identity, Authentication, and Access Control includes specific requirements for these processes.

Accessing Protected and Confidential Data and Information

Supervisors, managers, Data Owners, and/or System Custodian/System Administrators will coordinate to ensure separation of duties when reviewing privileged accounts, access to systems containing Confidential and Protected Data and Information, and access to control code. Refer to Standard 202: Information Security Identity, Authentication, and Access Control for additional information.

102.03 Identity Authentication Factors

Digital Identity and Authentication Factors

Digital identity refers to the unique representation of a user involved in an online transaction such as sending an email, using cloud storage, checking in or out of a web clock, or accessing other university resources.

Authentication is a way of establishing that the user is who they claim to be before granting access to university systems and data. This step is especially important for safeguarding Protected and Confidential Information and critical university systems. Authentication requires that the user has control over a device or information that can verify they are who they claim to be. To avoid the possibility of impersonation and reduce the risk of unauthorized access, WashU requires multiple authentication steps wherever possible.

Authentication factors fall into the categories of “something you know” (e.g., a password, pass phrase, pin, or answer to a secret question), “something you have” (e.g., a second device such as a mobile phone), or “something you are” (e.g., a biometric characteristic such as a fingerprint). WashU two-factor authentication (2FA) requires the use of two different factors to verify the identity of a user trying to access university data and systems from an off-campus location. Logging into the WUSTL ONE Single Sign On page (SSO) walks users through the 2FA process.

Whenever users attempt to log into university systems and access university resources, their identities will be proofed and bound to credentials. WUSTLKey is required wherever possible.

102.04 WashU Community Member Responsibilities

WashU Community members accept the following responsibilities for managing authentication factors to protect the CIA of WashU systems and data:

WashU Community Members

Will not share login credentials or other authentication factors.
Will not write passwords down or save them in an unencrypted digital file.
Will not send emails, text messages, or other communications containing WashU login information/credentials or personal access details.
Will not use the same password for personal accounts and WashU accounts.
Will not circumvent authentication with auto logon, application remembering, embedded scripts, or hard-coded authentication credentials in client software except as approved by the OIS.
Will contact the WashU IT Support group to reset passwords if a compromise is suspected.

Additional password requirements are detailed in Standard 202: Information Security Identity, Authentication, and Access Control.

WashU IT and IT @ WashU

Will only reset passwords after successfully verifying WashU Community member identity.
Will not ask for a WashU Community member’s password via email, chat, text, or other forms of electronic communication.

102.05 Expectations for Systems, Applications, and Devices

Passwords

WashU systems, applications, and devices will not store or remember passwords, especially on shared devices and workstations.

WashU 2FA

WashU 2FA is required for remote access to the WashU network.
WashU 2FA is required for systems containing proprietary, Confidential, sensitive, and Protected Data and Information.
WashU 2FA may be required for all connections to the WashU network based upon job roles and requirements.

The OIS will review exceptions to these expectations on a case-by-case basis. Refer to Policy 114: Information Security Exceptions for additional information.

102.06 Least Privilege and Functionality

Employees are granted access and authorization based on their role and in accordance with the principles of least privilege and least functionality (i.e., minimum system resources and authorizations needed to perform their role). Refer to Standard 202: Information Security Access Control for additional information.

Implementing Least Privilege and Functionality

Supervisors will determine which data and functions are necessary for users and information systems. Managers, Data Owners, and System Custodians/System Administrators will regularly review and modify access according to the principles of least privilege and functionality.

Upon Joining the University or Changing Positions or Status within the University

Supervisors will grant access to only those data and systems necessary for task completion. In the event of a role or status change within the university, supervisors will promptly contact the WashU IT Service Desk or System Owner to modify or revoke access to data, systems, files, or folders that are no longer required for task completion.

Upon Separation from the University

When normal account closure processes are insufficient, supervisors will promptly contact the WashU IT Service Desk or System Owner to request removal of access to data and systems.

The OIS will review exceptions on a case-by-case basis.

102.07 Privileged Access Management

Privileged access refers to elevated permissions granted to individuals in unique positions of responsibility and trust such as system and network administrators, staff performing account administration, or those with specific job duties that require special privileges. Those with privileged access can take actions and make changes that might affect network and computing systems, accounts, files, data, and processes.

Privileged Access Controls

To mitigate the risks associated with granting individuals privileged access, the OIS implements controls as described below:

Departments, Schools, and Unit Responsibilities

The principle of least privilege, as discussed above, must always be followed. Even privileged users must have their access permissions set to the lowest level needed for their specific job functions. These permissions will be granted on a need-to-know basis, following standard university processes for requesting privileged access.

Each department, school, or relevant unit in conjunction with OIS, will develop and implement a plan for separation of duties. In the separation of duties, roles and responsibilities for high-risk business processes are managed by multiple individuals.

Units will ensure that privileged accounts are maintained, controlled, and their use is logged and monitored. These logs must be available to the OIS upon request. Refer to Policy 101: Information Security Status Monitoring, Reporting, and Review for additional information.

Privileged-Access User Responsibilities

Users with privileged access will uphold the following security principles and practices:

Use WashU IT-managed devices or devices that comply with Policy 103: Information Security Device Management
Use individual accounts with unique usernames and passwords
Participate in security training as deemed appropriate by OIS
Comply with applicable laws, policies, and regulations
Protect the integrity of WashU systems, data, and physical information resources
Protect the confidentiality and integrity of any information encountered while fulfilling specified roles and responsibilities
Respect the rights and privacy of system users, accessing only that information necessary to resolve a situation in the performance of specific job duties

Emergency Access and Role Changes

Users may be assigned temporary just-in-time privileges and access rights to perform legitimate tasks in emergency situations. Management approval is required. In health care emergencies, documented justification of the need to invoke emergency access (e.g., “break glass”) is required and subject to audit. Refer to Policy 107: Information Technology Business Continuity and Disaster Recovery Planning and department-specific processes for additional information.

Please be aware of the following limitations and expectations:

Once the temporary need is over, supervisors will revoke privileged access or restore previous access levels.
Emergency access triggers an automatic review of who was granted access, the purpose of access, and the duration of access.

Policy Compliance

The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance will be addressed with management, the appropriate Area Specific Compliance Offices, Human Resources, or the Office of Student Conduct.

Internal Audit will independently review and assess compliance with this policy, reporting findings and recommendations to senior management and the Board of Trustees.

Policy 100: Information Security Program

Policy 101: Information Security Status Monitoring, Reporting, and Review

Policy 103: Information Security Device Management

Policy 106: Information Security Infrastructure Risk Management

Policy 107: Information Technology Business Continuity and Disaster Recovery Planning

Policy 114: Information Security Exceptions

Standard 200: Information Security Classification, Labeling, and Handling

Standard 202: Information Security Identity, Authentication, and Access Control