Printed on: 07/21/2019. Please go to http://policy.umn.edu for the most current version of the Policy or related document.
University of Minnisota  Appendix

Authentication, Access, and Account Management Standard

Appendix to Policy

Objective

To prevent and record unauthorized access to University IT resources, including data, systems, and applications, by using the appropriate level of authentication, authorization, and account lifecycle management controls.

Security Controls

The controls are grouped by Authentication, Multi/Two-Factor Authentication, Access, and Account Management (including shared, group, system, service, and vendor accounts).

Authentication

The following table defines baseline security controls for authenticating access to data, application, operating system, or systems (e.g., workstation, device, server, network infrastructure), including user, organization/department account, system or service account, administrative/privileged account.

ControlSecurity Level
IDDescriptionHighMediumLow
AAAM.A.01 Use authenticated access Required Required Required
AAAM.A.02 Use a complex password or passphrase Required Required Recommended
AAAM.A.03 Uniquely associate access with an account or system Required Required 
Required 1
AAAM.A.04 Uniquely associate interactive sessions with an individual or automated sessions with a system account Required Required Recommended
AAAM.A.05 Do not use personal identifying information in passwords or passphrases (e.g., cannot contain user’s first name, last name, username, employee number/student ID, telephone number, SSN) Recommended Recommended Recommended
AAAM.A.06 Do not use repeating characters in passwords or passphrases (e.g., cannot repeat characters four or more times in a row) Recommended Recommended Recommended
AAAM.A.07 Do not allow commonly used passwords Recommended Recommended Recommended
AAAM.A.08 For operating systems: Set a password expiration for temporary/reset passwords (suggest: 1 day) Required Required Recommended
AAAM.A.08 For non-operating systems: Set a password expiration for temporary/reset passwords (suggest: 1 day) Required
Effective July 2019
Required
Effective July 2019
Recommended
AAAM.A.09 Expire passwords used with single-factor authentication at least annually2 Required Required Recommended
AAAM.A.10 Limit re-use of passwords to at least the last five passwords Required Required Optional
AAAM.A.11 Deter password guessing attempts (e.g., lockout access after 10 consecutive failed login attempts for a minimum of 15 minutes or until an administrator enables the account)2 Required Required Recommended
AAAM.A.12 Re-authenticate access after a period of inactivity, excluding service accounts (suggest: 15-30 minutes for operating system; 60 minutes or less for interactive applications)2 Required Required Required 1
AAAM.A.13 Log successful and unsuccessful logon attempts Required Required Required
AAAM.A.14 Conceal password being entered Required Required Recommended
AAAM.A.15 Display only generic identifiers or messages until successful login Required Recommended Recommended
AAAM.A.16 Use industry-standard strong encryption and/or hashing to render the password unreadable during transmission on the network Required Required Required
AAAM.A.17 Use industry-standard strong encryption and/or hashing to store the password in applications or systems Required
Effective
July 2019
Required
Effective
July 2019
Required
Effective July 2019
AAAM.A.18 Periodically review authentication management procedure (suggest: annual) Required Required
Effective
July 2019
Optional

1 Optional for view only access.

2 PCI DSS requires for all systems or applications that store, process, or transmit cardholder data, or support the credit card processing environment to:

  • Expire all user passwords at least every 90 days
  • Re-authenticate access after 15 minutes of inactivity
  • Lockout access after 6 consecutive failed login attempts for a minimum of 30 minutes or until an administrator enables the account

Multifactor Authentication

The following table identifies use of multifactor authentication (also referred to as two-factor authentication) based on interactive logins to applications and multi-user systems.

ControlSecurity Level
IDDescriptionHighMediumLow
AAAM.B.01 Accounts with interactive administrator or privileged access Required Required Recommended
AAAM.B.02 Accounts with interactive non-privileged access Required Recommended Recommended
AAAM.B.03 Use when authenticating to University primary authentication management systems (e.g., shibboleth) Required Effective
July 2019
Required Effective
July 2019
Required Effective
July 2019

Access

The following table defines the baseline security controls for access based on the security level of the system or application.

ControlSecurity Level
IDDescriptionHighMediumLow
AAAM.C.01 Restrict direct remote administrative/privileged access to a server Required Effective
July 2019
Recommended Recommended
AAAM.C.02 Use privileged access only when required by the system or application Required Required Recommended
AAAM.C.03 Authenticate as an individual and then escalate Required Required Recommended
AAAM.C.04 Periodically review access controls used (suggest: annual) Required Recommended Recommended

Account Management

The following table defines the baseline security controls for account management for all types of accounts (including shared, group, system, service, and vendor accounts) based on the security level of the system or application.

ControlSecurity Level
IDDescriptionHighMediumLow
AAAM.D.01 Follow the principle of least privilege access (e.g., when assigning access) Required Required Recommended
AAAM.D.02 Establish auditable authorization of access requests and changes to access (written or electronic) Required Required Recommended
AAAM.D.03 Review user and role access permissions (suggest: annual) Required Required Recommended
AAAM.D.04 Inform user of their responsibilities for use of and management of their account (e.g., timely notification when access is no longer needed, use of administrative privileges) Required Required Recommended
AAAM.D.05 Limit knowledge of "root", "Administrator" or equivalent account credentials to a minimum number of individuals Required Required Required Effective
July 2019
AAAM.D.06 For operating systems: Change default passwords (e.g., vendor, guest, administrator) during the installation process or when identified as a default password Required Required Required
AAAM.D.06 For non-operating systems: Change default passwords (e.g., vendor, guest, administrator) during the installation process or when identified as a default password Required Required Required
Effective July 2019
AAAM.D.07 Reset authentication and/or password or suspend account after suspected or confirmed compromise or disclosure Required Required Required
AAAM.D.08 Disable unused guest and default accounts Required Required Recommended
AAAM.D.09 Disable or deprovision account or access promptly (suggest: involuntary separation within 1 day, voluntary separation within 1-10 days) Required Required Recommended
AAAM.D.10 Periodically review account management procedures (suggest: annual) Required Required Effective
July 2019
Recommended

Shared and Group Accounts

Shared and group accounts need to meet the Account Management controls for all types of accounts and the following controls for shared and group accounts based on the security level of the system or application.

ControlSecurity Level
IDDescriptionHighMediumLow
AAAM.E.01 Use for view only access with approval from the data owner or their designee1 Required Required Required
AAAM.E.02 Periodically review the specific need for the account (suggest: annual) Required
Effective July 2019
Required
Effective July 2019
Recommended
AAAM.E.03 Periodically review the individual(s) responsible for managing the account (suggest: annual) Required
Effective July 2019
Required
Effective July 2019
Recommended
AAAM.E.04 Change the password or shared secret when someone with knowledge of the password or secret changes job responsibilities or terminates employment, or the password or secret is compromised Required
Effective July 2019
Required
Effective July 2019
Required
Effective July 2019
AAAM.E.05 Apply secondary controls to limit how the account may be used (e.g., account only used on-campus, during specific hours) Recommended Recommended Recommended

1 Specific restrictions:

  • PCI DSS does not allow the use of shared or group accounts for system administration and other critical functions (e.g., access to cardholder data), or to administer any system components, systems, or applications that store, process, or transmit cardholder data, or support the credit card processing environment.
  • Health information, HIPAA or ePHI does not allow the use of shared or group accounts.

System and Service Accounts

System and service accounts need to meet the Account Management controls for all types of accounts and the following controls for system and service accounts based on the security level of the system or application.

ControlSecurity Level
IDDescriptionHighMediumLow
AAAM.F.01 Periodically review the specific need and access for the account1 (suggest: annual) Required Effective July 2019 Required Effective July 2019 Required Effective July 2019
AAAM.F.02 Periodically review the individual(s) responsible for managing the account (suggest: annual) Required Effective July 2019 Required Effective July 2019 Recommended
AAAM.F.03 Change the password or shared secret when someone with knowledge of the password or secret changes job responsibilities or terminates employment, or the password or secret is compromised Required Effective July 2019 Required Effective July 2019 Required Effective July 2019
AAAM.F.04 Apply secondary controls to limit how the account may be used (e.g., account only used on-campus, during specific hours) Recommended Recommended Recommended

1 PCI DSS does not allow the use of service accounts for system administration and other critical functions (e.g., access to cardholder data), or to administer any system components, systems, or applications that store, process, or transmit cardholder data, or support the credit card processing environment.

Vendor Accounts

Vendor accounts need to meet the Account Management controls for all accounts. Vendor accounts associated with SaaS or IaaS may be covered by the controls in the Vendor/Supplier Management standard. The following table defines additional controls for vendor accounts based on the security level of the system or application.

ControlSecurity Level
IDDescriptionHighMediumLow
AAAM.G.01 Periodically review the University individual(s) responsible for managing the vendor account (suggest: annual) Required
Effective July 2019
Required
Effective July 2019
Required
Effective July 2019
AAAM.G.02 Enable vendor access during time period needed Required Required Recommended
AAAM.G.03 Disable vendor access when not in use Required
Effective July 2019
Required
Effective July 2019
Recommended
AAAM.G.04 Monitor actions performed by the vendor account Required
Effective July 2019
Required
Effective July 2019
Recommended

Resources Covered

This applies to IT resources owned or contracted by the University. This also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted.

Individuals Covered

This standard applies to University community members who use or manage University IT resources.

Related Information

Published Date

November 2014

Last Reviewed

April 2019

Document Feedback

Information Technology