Policy 102 Information Security Authentication, Authorization, and Audit
- Purpose
- Applicability and Audience
- Information Security Roles and Responsibilities (100.01)
- Policy
- Policy Compliance
- Related Policies, Standards, and Guidelines
- References
- Policy Review
Purpose
The Information Security Authentication, Authorization, and Audit Policy outlines the process for granting, managing, and reviewing access to university systems and data based on user roles during normal and emergency operations at Washington University in St. Louis (WashU). Access control is necessary to maintain compliance with regulatory requirements.
This policy establishes access controls and describes the following:
- authentication factors
- the purpose and implementation of least privilege and functionality
- the use of and responsibilities associated with privileged accounts
- the periodic review or audit of the privileges and permissions granted to individuals.
Applicability and Audience
This policy applies to all information resources that are owned, leased, vended, contracted, or operated by the university, including hardware, software, systems, and data.
This policy applies to all members of the WashU Community, including faculty, staff, students, and any agent of the university with access to WashU information and networks for contracted services. This includes, but is not limited to partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.
WashU community members with elevated privileges as systems administrators have additional responsibilities for ensuring compliance with this policy and associated standards.
Information Security Roles and Responsibilities (100.01)
Policy
102.00 Introduction
WashU authentication and authorization processes help protect the Confidentiality, Accessibility, and Integrity (CIA) of university information resources by reducing the risk of unauthorized access and use. Authentication verifies that an individual is who they claim to be based on something they know (e.g., password), something they have (e.g., smart phone), or something they are (e.g., biometrics). Authorization involves how access to institutional data and systems is controlled. Audit refers to the documentation and review of access.
The Information Security Authentication, Authorization, and Audit Policy describes processes for authenticating user identity, authorizing access to various university information resources, and the responsibility of managing access to WashU data and systems.
102.01 Managing Access
Securing WashU Protected and Confidential Data and Information
Controls to grant, modify, and review account access are necessary to secure WashU’s Protected and Confidential Data and Information, as defined in Policy 100: Information Security Program (see section 100.04 Data, Information, and System Classification). In addition to controls, WashU departments and schools will develop and maintain processes to ensure access to Protected and Confidential Data and Information is assigned and managed according to role.
The Office of Information Security (OIS) and other offices involved will regularly review and validate that appropriate controls are in place.
Managing Physical Access
Physical areas containing WashU IT infrastructure will have physical controls to prevent unauthorized access and use of information resources. Physical security controls are described in the Infrastructure Physical Security section of Policy 106: Information Security Infrastructure Risk Management.
Managing Remote Access
WashU Community members working remotely need access to the WashU network and applications to create, transmit, and store information related to university activities. All OIS policies, standards, and guidelines apply for WashU Community members working in remote settings. Remote access and computing guidance is available and regularly updated on the OIS website.
Controls
The OIS will review and identify applicable security frameworks (e.g., NIST CSF, NIST SP 800-53) and other industry standards that apply within WashU departments and schools. Control assignments are based on the classification of information created, hosted, or transmitted within the WashU infrastructure. Refer to Standard 200: Information Security Classification, Labeling, and Handling for more information about security frameworks, controls, and control zones.
To ensure compliance, departments and schools will document the implementation of controls identified by the OIS. Refer to Standard 202: Information Security Identity, Authentication, and Access Control for additional details.
Monitoring and Audit
Regular monitoring and auditing of access to WashU information resources allow the OIS to manage security risks more effectively. Management, supervisors, Data Owners, and System Custodians/System Administrators are responsible for coordinating the following:
- Documenting access controls
- Monitoring for unauthorized personnel, connections, devices, and software
- Integrating authentication and access logs with monitoring systems
- Regularly reviewing and managing accounts according to Standard 202: Information Security Identity, Authentication, and Access Control
- Ensuring access is granted according to the principle of least privilege and to maintain separation of duties where possible
- Reviewing and revising privileged accounts with access to systems containing Protected and Confidential Information or control code
- Promptly modifying access levels to accommodate role/personnel changes, inactivity, and separation from the university
- Generating reports using an identity and access management tool
The OIS will review requests for exceptions to these requirements.
102.02 Information Access Controls
Access Processes
WashU departments and schools will develop and document access processes based on information classification. Standard 202: Information Security Identity, Authentication, and Access Control includes specific requirements for these processes.
Accessing Protected and Confidential Data and Information
Supervisors, managers, Data Owners, and/or System Custodian/System Administrators will coordinate to ensure separation of duties when reviewing privileged accounts, access to systems containing Confidential and Protected Data and Information, and access to control code. Refer to Standard 202: Information Security Identity, Authentication, and Access Control for additional information.
102.03 Identity Authentication Factors
Digital Identity and Authentication Factors
Digital identity refers to the unique representation of a user involved in an online transaction such as sending an email, using cloud storage, checking in or out of a web clock, or accessing other university resources.
Authentication is a way of establishing that the user is who they claim to be before granting access to university systems and data. This step is especially important for safeguarding Protected and Confidential Information and critical university systems. Authentication requires that the user has control over a device or information that can verify they are who they claim to be. To avoid the possibility of impersonation and reduce the risk of unauthorized access, WashU requires multiple authentication steps wherever possible.
Authentication factors fall into the categories of “something you know” (e.g., a password, pass phrase, pin, or answer to a secret question), “something you have” (e.g., a second device such as a mobile phone), or “something you are” (e.g., a biometric characteristic such as a fingerprint). WashU two-factor authentication (2FA) requires the use of two different factors to verify the identity of a user trying to access university data and systems from an off-campus location. Logging into the WUSTL ONE Single Sign On page (SSO) walks users through the 2FA process.
Whenever users attempt to log into university systems and access university resources, their identities will be proofed and bound to credentials. WUSTLKey is required wherever possible.
102.04 WashU Community Member Responsibilities
WashU Community members accept the following responsibilities for managing authentication factors to protect the CIA of WashU systems and data:
WashU Community Members
- Will not share login credentials or other authentication factors.
- Will not write passwords down or save them in an unencrypted digital file.
- Will not send emails, text messages, or other communications containing WashU login information/credentials or personal access details.
- Will not use the same password for personal accounts and WashU accounts.
- Will not circumvent authentication with auto logon, application remembering, embedded scripts, or hard-coded authentication credentials in client software except as approved by the OIS.
- Will contact the WashU IT Support group to reset passwords if a compromise is suspected.
Additional password requirements are detailed in Standard 202: Information Security Identity, Authentication, and Access Control.
WashU IT and IT @ WashU
- Will only reset passwords after successfully verifying WashU Community member identity.
- Will not ask for a WashU Community member’s password via email, chat, text, or other forms of electronic communication.
102.05 Expectations for Systems, Applications, and Devices
Passwords
WashU systems, applications, and devices will not store or remember passwords, especially on shared devices and workstations.
WashU 2FA
- WashU 2FA is required for remote access to the WashU network.
- WashU 2FA is required for systems containing proprietary, Confidential, sensitive, and Protected Data and Information.
- WashU 2FA may be required for all connections to the WashU network based upon job roles and requirements.
The OIS will review exceptions to these expectations on a case-by-case basis. Refer to Policy 114: Information Security Exceptions for additional information.
102.06 Least Privilege and Functionality
Employees are granted access and authorization based on their role and in accordance with the principles of least privilege and least functionality (i.e., minimum system resources and authorizations needed to perform their role). Refer to Standard 202: Information Security Access Control for additional information.
Implementing Least Privilege and Functionality
Supervisors will determine which data and functions are necessary for users and information systems. Managers, Data Owners, and System Custodians/System Administrators will regularly review and modify access according to the principles of least privilege and functionality.
Upon Joining the University or Changing Positions or Status within the University
Supervisors will grant access to only those data and systems necessary for task completion. In the event of a role or status change within the university, supervisors will promptly contact the WashU IT Service Desk or System Owner to modify or revoke access to data, systems, files, or folders that are no longer required for task completion.
Upon Separation from the University
When normal account closure processes are insufficient, supervisors will promptly contact the WashU IT Service Desk or System Owner to request removal of access to data and systems.
The OIS will review exceptions on a case-by-case basis.
102.07 Privileged Access Management
Privileged access refers to elevated permissions granted to individuals in unique positions of responsibility and trust such as system and network administrators, staff performing account administration, or those with specific job duties that require special privileges. Those with privileged access can take actions and make changes that might affect network and computing systems, accounts, files, data, and processes.
Privileged Access Controls
To mitigate the risks associated with granting individuals privileged access, the OIS implements controls as described below:
Departments, Schools, and Unit Responsibilities
The principle of least privilege, as discussed above, must always be followed. Even privileged users must have their access permissions set to the lowest level needed for their specific job functions. These permissions will be granted on a need-to-know basis, following standard university processes for requesting privileged access.
Each department, school, or relevant unit in conjunction with OIS, will develop and implement a plan for separation of duties. In the separation of duties, roles and responsibilities for high-risk business processes are managed by multiple individuals.
Units will ensure that privileged accounts are maintained, controlled, and their use is logged and monitored. These logs must be available to the OIS upon request. Refer to Policy 101: Information Security Status Monitoring, Reporting, and Review for additional information.
Privileged-Access User Responsibilities
Users with privileged access will uphold the following security principles and practices:
- Use WashU IT-managed devices or devices that comply with Policy 103: Information Security Device Management
- Use individual accounts with unique usernames and passwords
- Participate in security training as deemed appropriate by OIS
- Comply with applicable laws, policies, and regulations
- Protect the integrity of WashU systems, data, and physical information resources
- Protect the confidentiality and integrity of any information encountered while fulfilling specified roles and responsibilities
- Respect the rights and privacy of system users, accessing only that information necessary to resolve a situation in the performance of specific job duties
Emergency Access and Role Changes
Users may be assigned temporary just-in-time privileges and access rights to perform legitimate tasks in emergency situations. Management approval is required. In health care emergencies, documented justification of the need to invoke emergency access (e.g., “break glass”) is required and subject to audit. Refer to Policy 107: Information Technology Business Continuity and Disaster Recovery Planning and department-specific processes for additional information.
Please be aware of the following limitations and expectations:
- Once the temporary need is over, supervisors will revoke privileged access or restore previous access levels.
- Emergency access triggers an automatic review of who was granted access, the purpose of access, and the duration of access.
Policy Compliance
The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance will be addressed with management, the appropriate Area Specific Compliance Offices, Human Resources, or the Office of Student Conduct.
Internal Audit will independently review and assess compliance with this policy, reporting findings and recommendations to senior management and the Board of Trustees.
Related Policies, Standards, and Guidelines
Policy 100: Information Security Program
Policy 101: Information Security Status Monitoring, Reporting, and Review
Policy 103: Information Security Device Management
Policy 106: Information Security Infrastructure Risk Management
Policy 107: Information Technology Business Continuity and Disaster Recovery Planning
Policy 114: Information Security Exceptions
Standard 200: Information Security Classification, Labeling, and Handling
Standard 202: Information Security Identity, Authentication, and Access Control
References
National Institute of Standards and Technology (2018) Cybersecurity Framework
National Institute of Standards and Technology (2020) Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations, Rev. 5
Policy Review
This policy will be reviewed by the OIS at a minimum of every three years.
Policy Number and Title: Policy 102: Information Security Authentication, Authorization, and Audit
Owner: Office of Information Security
Approved By: Cyber Security Executive Advisory Committee
Original Approval Date: June 6, 2024
Current Version Publication Date: December 6, 2024