APPENDIX TO POLICY

Authentication Standard

Objective

Use the appropriate level of authentication to data, systems and applications to protect University IT resources.

Security Controls

Authentication

The following table defines baseline security controls for authentication to systems that store, process or transmit University data. Controls in this section apply to any access (user, system or service) account to the data or systems (single-user computer, server, etc.).

Control

Security Level

ID

Description

High

Medium

Low

A.A.01

Access to University data and/or system is authenticated

See table below

See table below

See table below

A.A.02

Access to University data and/or system is re-authenticated after a period of inactivity (suggested: 15-60 minutes)

Required

Required

Optional to view data
Required for all other access

A.A.03

Access to University data and/or system is uniquely associated with an individual or system

Required

Required 1

Optional to view data
Required for all other access 1

1 Group IDs allowed only where necessary for business or operational reasons and must be approved by the data owner or their designee.

Multi or Single-factor Authentication Table

The following table identifies where multi-factor and single-factor authentication is required.

Control

Security Level

ID

Description

High

Medium

Low

A.B.01

Type of access: Administer

Require multi-factor

Require multi-factor

Recommend multi-factor or Require single-factor

A.B.02

Type of access: Create, modify or delete access

Require multi-factor

Require single-factor

Require single-factor

A.B.03

Type of access: View

Require single-factor

Require single-factor

Recommend single-factor

Resources Covered

This standard applies to IT resources owned or contracted by the University. This also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted .

Individuals Covered

This standard applies to University community members who use or manage University IT resources.

Related Information

More information on Authentication

Published Date

  • November 2014

Document Feedback