Access, Authorization, and Authentication Standard

This Standard supports and supplements the Whitman College Information Security Policy. The Standard is enforced in the same manner as the policy. It will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.

1. Overview

Access management and authentication protocols help to protect Whitman College systems and sensitive institutional data. This Standard applies to processes and procedures across the lifecycle of both user and system access and accounts.

Identity and access management (IAM) as a discipline is a foundational element of Whitman's information security program and the one that campus users interact with the most. IAM establishes procedures for verifying the identity and eligibility of individuals seeking to access and use the College's information technology resources.

2. Scope

This Standard applies to the systems managed by Whitman College Technology Services (WCTS) and department-managed services. Specifically, it also applies to:

  • All departments, faculty, staff, and workforce members that create, process, maintain, transmit, or store sensitive institutional data on any college-owned device, whether or not it is connected to the campus network and whether or not it is College or self-managed;
  • All College computer and telecommunications systems, including externally hosted systems that are accessed via Whitman authentication systems;
  • Personally owned devices, in accordance with provisions of Security of Personally-owned Devices Policy
  • Any third-party provider with a contractual relationship with the College that maintains sensitive institutional data.

3. Standard

This Standard establishes the framework for provisioning and deprovisioning access by staff and workforce members to Whitman systems and applications that create, process, maintain, transmit, or store sensitive or restricted institutional data. Its objective is to protect the college's sensitive and restricted institutional data from compromises or breaches due to inadequate access and authentication management practices, as well as capture the information needed for compliance-related audit trails. Well-structured access management results in college personnel having access to the right services at the right times based on their current job responsibilities.

Access Control

Access control is the practice of determining throughout an individual's college lifecycle the authorized transactions, functions, and activities of legitimate users with regard to campus information resources.

As much as possible, access to systems that create, process, maintain, transmit, or store sensitive institutional data should be primarily role-based. Affiliation with Whitman determines an individual's eligibility for standard Whitman computing services. Administrative and privileged access to Whitman enterprise systems, as well as access to departmentally-provided services, are generally initiated by the individual's department or unit. Whitman departments are responsible for ensuring that individual requests for access to enterprise systems are limited to systems and access levels required for the individual's work-related responsibilities.
Access control at Whitman, whether managed at the central or unit level, must adhere to the following requirements:

Access Control Requirements Description
User Identification
The identification of authorized users of the information system and the specification of access privileges is fundamental to access control. Eligible college users are granted one unique user identification and password on the college network to ensure accurate auditing of access and actions; departments will not share individual user IDs for system access. Eligible non-Whitman users must follow the same standards when issued sponsored or guest accounts.
Acceptable Use Notification and User Acceptance All account-holders must accept and abide by the Acceptable Use Policy. Where technically feasible, Whitman login screens should include links to the Acceptable Use Policy.
Principle of Least Privilege Individuals should be granted the minimum access sufficient to complete their day-to-work job responsibilities. Individuals that are granted privileged access should use the least privileged account for day-to-day activities; privileged accounts should only be used when the elevated privilege is required by the system or application.
Separation of Duties No one person should have responsibility for more than one related function. For example, the person with the authority to grant access should not be the person who fulfills the request, or audit functions should not be performed by the personnel responsible for administering access. At no time should any person fulfill and grant access to themselves.
Training and Compliance Prior to being granted access to any enterprise administrative application or database, staff members must complete the appropriate required institutional or unit-specific training. In some instances, staff members may be required to formally attest to their agreement with terms and conditions before access is provided.
Additional Access Controls for Restricted Data In addition to enforcing authorized access at the information system level, additional role-based access enforcement mechanisms should be employed wherever feasible at the application level for Restricted data.
Unauthorized Access Users must not attempt to gain access to college information systems or databases for which they have not been given proper authorization.
Session Termination All users are required to logoff or lock their systems when they are finished with their current session or are expected to be away from their workstation.
Access Revocation or Termination Authorized access of Whitman faculty, staff, and workforce members should be revoked within 72 hours (or as soon after as possible) for an individual leaving Whitman employment or transferring from one position to another with different responsibilities and access requirements.
Access Review User, privileged, and shared accounts should be periodically reviewed, at least annually.
Regulatory and Contractual Compliance Some regulations and contractual obligations with which Whitman College must comply-have mandated access and authentication management requirements. A non-exhaustive set of requirements may include password expiration, lockout after failed attempts, and automatic logoff after a period of inactivity. Devices and accounts that fall under such compliance requirements must be specifically configured to meet those requirements or implement alternative compensating controls.

Privileged Credentials

Role-based privileged user accounts are necessary for certain functions and systems. Privileged roles include, for example, workstation management, network and system administration, database administration, and web administration.

Owners of privileged accounts need to be especially diligent to reduce the risk of threats to institutional data from misuse, including credentials theft, inappropriate disclosure of sensitive data whether intentional or accidental, data tampering, and unauthorized access to administrative interfaces and configuration stores.

To help prevent the above threats, privileged accounts must have a designated owner that:

  • Identifies a specific business need prior to establishing the accounts;
  • Can grant administrator or other privileged access to other authorized users with a job-related need;
  • Configures systems containing all levels of Sensitive or Restricted data with additional security controls;
  • Configures systems containing Restricted data to audit the actions of individuals;
  • Deactivates, suspends or terminates access or administrator privileges after notification that authorized users have left their position or no longer have a job-related need for elevated access;
  • Tracks and monitors privileged access accounts.

Shared Accounts

A shared account is an enterprise system account with access independent of any individual's computing account. Shared accounts allow for privileged users responsible for specific systems or applications to have the access needed to carry out job-related responsibilities. Shared accounts must have a designated owner and co-owner that, in addition to all of the above requirements for privileged account owners:

  • Are jointly accountable for the security of the data, system, or application for which they have been provided access.
  • Are periodically reviewed to ensure only those individuals that require access to the shared account have access to the account.

Authentication

Authentication is a process by which users, processes, or services provide proof of their identity.
Authentication confirms that a person or device really is who or what it is claiming to be and through which access to the requested resource is then authorized. All college IT systems and services must use only encrypted authentication and authorization mechanisms.

Whitman has established the following rules for creating and securing passwords with the objective that passwords are complex enough to withstand attempts by unauthorized users to guess or decipher them.

  • Password management: Passwords are to be kept secure and confidential, and not shared with or used by anyone other than the user to whom they are assigned.
  • Choosing a password: Where feasible, the College's minimum factors for selecting strong passwords should be followed. Guidance is included in the college's Password Policy.
  • Password Security Controls
    • Password Compromise: If a password has been improperly disclosed, accessed, or used by an unauthorized person, it should be immediately changed;
    • Password expiration: The college highly recommends changing passwords at least once a year, unless otherwise required by regulation;
    • Password Reuse: The college recommends not reusing passwords when changing passwords;
    • Shared Account Password Changes: Passwords for shared accounts should be changed at least once a year and whenever anyone with knowledge of the password for whatever reason no longer has job-related responsibilities requiring access to the account.
  • Multi-factor authentication: Multi-factor authentication (MFA) adds a second layer of security to protect Whitman's most sensitive data and computing resources. Privileged accounts should utilize two-factor authentication to the maximum extent feasible.

4. Violations

Violations of this standard may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, dismissal, and/or legal action.  The connectivity of machines and servers to the Whitman network that do not comply with this standard may be limited or disconnected.

Disciplinary action for faculty and staff, if any, for violation of this standard shall be consistent with the Whitman College Human Resource policies and procedures. Disciplinary action for students, if any, for violation of this standard shall be consistent with the Whitman College Dean of Students' policies and procedures.


<update: January 2019>