Printed on: 11/13/2018. Please go to http://policy.umn.edu for the most current version of the Policy or related document.
Appendix

Authentication Standard

Appendix to Policy

Objective

Use the appropriate level of authentication for access to data, systems and applications in order to protect University IT resources.

Security Controls

Authentication

The following table defines baseline security controls for authentication to systems that store, process or transmit University data. Controls in this section apply to any account (user, system or service) used to access the data or systems (single-user computer, server, etc.).

| Control ID | Description | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| A.A.01 | Access to University data and/or system is authenticated | See table below | See table below | See table below |
| A.A.02 | Access to University data and/or system is re-authenticated after a period of inactivity (suggested: 15-60 minutes) | Required | Required | Optional to view data; Required for all other access |
| A.A.03 | Access to University data and/or system is uniquely associated with an individual or system | Required | Required ¹ | Optional to view data; Required for all other access ¹ |

¹ Group IDs allowed only where necessary for business or operational reasons and must be approved by the data owner or their designee.

Multi or Single-factor Authentication Table

The following table identifies where multi-factor and single-factor authentication is required.

| Control ID | Description | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| A.B.01 | Type of access: Administer | Require multi-factor | Require multi-factor | Recommend multi-factor or Require single-factor |
| A.B.02 | Type of access: Create, modify or delete access | Require multi-factor | Require single-factor | Require single-factor |
| A.B.03 | Type of access: View | Require single-factor | Require single-factor | Recommend single-factor |

Resources Covered

This standard applies to IT resources owned or contracted by the University. This also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted.

Individuals Covered

This standard applies to University community members who use or manage University IT resources.

Related Information

More information on Authentication

Published Date

  • November 2014
