APPENDIX TO POLICY

Application Access Control Standard

Objective

To ensure authorized access and to prevent unauthorized access to University information, applications must be configured so that access requires authentication, access attempts are controlled and recorded, and breaches of security generate alerts.

Security Controls

Application Access Control

The following table defines the baseline security controls for application access. Controls in this section apply to any access (user, system or service account) to the data or the application. For each control, the High, Medium and Low columns give the requirement at that data security level; bracketed numbers refer to the notes below the table.

ID        | Control                                                                                          | High          | Medium      | Low
----------+--------------------------------------------------------------------------------------------------+---------------+-------------+--------------------------------------------------
AAC.A.01  | Do not transmit passwords in clear text                                                          | Required      | Required    | Required
AAC.A.02  | Maximum password age (365 days or less)                                                          | Required      | Required    | Optional
AAC.A.03  | User inactive session timeout (suggested: 60 minutes or less)                                    | Required [2]  | Required    | Optional to view data; required for all other access
AAC.A.04  | Uniquely associate application sessions with an individual or system (e.g., disable unused guest | Required      | Required    | Recommended
          | and default accounts)                                                                            |               |             |
AAC.A.05  | Limit the number of unsuccessful logon attempts (suggested: no more than 10 consecutive          | Required      | Required    | Optional to view data; recommended for all other access
          | unsuccessful attempts)                                                                           |               |             |
AAC.A.06  | Record successful and unsuccessful logon attempts                                                | Required      | Required    | Required
AAC.A.07  | Conceal password entry                                                                           | Required      | Required    | Recommended [3]
AAC.A.08  | Enforce password history (suggested: prevent reuse of the last 5 passwords)                      | Required      | Required    | Optional
AAC.A.09  | Display only generic identifiers or messages until successful logon                              | Required      | Recommended | Recommended
AAC.A.10  | Change vendor default passwords                                                                  | Required      | Required    | Recommended
AAC.A.11  | Maintain a dedicated (isolated) computing environment (e.g., separate server, separate network   | Recommended [1] | Recommended | Optional
          | subnet)                                                                                          |               |             |
AAC.A.12  | Document the application access controls used                                                    | Required      | Recommended | Optional to view data; recommended for all other access

[1] Required for systems in scope for PCI DSS: systems that store, process or transmit cardholder data, or that support the credit card processing environment.

[2] PCI DSS requires an idle session timeout of 15 minutes or less for systems that store, process or transmit cardholder data, or that support the credit card processing environment.

[3] Required if the application uses the University central authentication service or single sign-on passwords.
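The following is an added illustration and is not part of the standard or any University code. It shows how a single login handler can implement AAC.A.02, AAC.A.03, AAC.A.05, AAC.A.06, AAC.A.08 and AAC.A.09 together, using the table's suggested values (10 consecutive failed attempts, 5-password history, 365-day maximum age, 60-minute idle timeout). The class and function names, the salted PBKDF2 storage format, and the injectable clock are assumptions made for the example; the standard does not prescribe any of them. The clock is injectable so that expiry and timeouts can be exercised without waiting.

```python
"""Constructed example of an authentication service enforcing several AAC.A controls.
Not the University's code; names, hashing scheme and limits are assumptions."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILED_ATTEMPTS = 10           # AAC.A.05 suggested value
PASSWORD_HISTORY = 5               # AAC.A.08 suggested value (previous passwords kept)
MAX_PASSWORD_AGE_S = 365 * 86400   # AAC.A.02
IDLE_TIMEOUT_S = 60 * 60           # AAC.A.03 suggested value; use 15 * 60 in PCI scope (note 2)
PBKDF2_ITERATIONS = 100_000        # assumption; tune to the deployment's hardware
GENERIC_FAILURE = "Login failed"   # AAC.A.09: identical message for every failure reason
PASSWORD_EXPIRED = "Password expired; change it to continue"


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; passwords are never stored in clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    password_set_at: float
    history: list = field(default_factory=list)   # previous (salt, digest) pairs, newest first
    failed_attempts: int = 0                      # consecutive failures since last success
    locked: bool = False


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}
        self.audit_log = []   # AAC.A.06: one record per logon attempt, success or failure
        self.sessions = {}

    def _record(self, user, outcome, reason):
        self.audit_log.append({"ts": self.clock(), "user": user, "outcome": outcome, "reason": reason})

    def create_account(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt), self.clock())

    def change_password(self, user, new_password) -> bool:
        """AAC.A.08: reject the current password and the last PASSWORD_HISTORY ones."""
        acct = self.accounts[user]
        for salt, digest in [(acct.salt, acct.digest)] + acct.history:
            if hmac.compare_digest(_hash(new_password, salt), digest):
                return False
        acct.history = ([(acct.salt, acct.digest)] + acct.history)[:PASSWORD_HISTORY]
        acct.salt = os.urandom(16)
        acct.digest = _hash(new_password, acct.salt)
        acct.password_set_at = self.clock()
        return True

    def login(self, user, password):
        """Returns (True, session_token) on success, else (False, message)."""
        acct = self.accounts.get(user)
        if acct is None:
            _hash(password, b"\x00" * 16)   # same work as a real check, so timing does not leak
            self._record(user, "failure", "unknown user")
            return False, GENERIC_FAILURE   # AAC.A.09: do not reveal that the user is unknown
        if acct.locked:
            self._record(user, "failure", "account locked")
            return False, GENERIC_FAILURE
        if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True          # AAC.A.05: lock after the configured number of failures
            self._record(user, "failure", "bad password")
            return False, GENERIC_FAILURE
        acct.failed_attempts = 0
        if self.clock() - acct.password_set_at > MAX_PASSWORD_AGE_S:
            self._record(user, "failure", "password expired")
            return False, PASSWORD_EXPIRED  # AAC.A.02: the caller authenticated, so a specific message is safe
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "last_seen": self.clock()}
        self._record(user, "success", "ok")
        return True, token

    def touch_session(self, token) -> Optional[str]:
        """AAC.A.03: return the session's user, or None if unknown or idle too long."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if self.clock() - sess["last_seen"] > IDLE_TIMEOUT_S:
            del self.sessions[token]
            return None
        sess["last_seen"] = self.clock()
        return sess["user"]
```

The handler deliberately returns the same GENERIC_FAILURE string for an unknown user, a locked account and a wrong password, and performs a hash even for unknown users, so that neither the message nor the response time tells an attacker which usernames exist; the real reason is kept only in the audit log, which is what an operator needs to distinguish a lockout from a typo.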

Resources Covered

This standard applies to IT resources owned or contracted by the University.

Individuals Covered

This standard applies to University community members who use or manage University IT resources.

Related Information

More information on Application Access Control

Published Date

  • November 2014
