56.50 - Identification & Authentication (IA)

Policy Statement
TTUHSC El Paso shall implement mechanisms to identify system users, processes acting on behalf of users, and devices, and to authenticate the identities of those users, processes, and devices.

Reason for Policy
The purpose of the Identification & Authentication (IA) policy is to ensure sufficient methods are enacted to properly identify and authenticate TTUHSC El Paso's authorized users and processes.

Entities Affected by this Policy are any and all users of Information Resources at TTUHSC El Paso.

What is covered in this Policy?
The overall policy addresses the Institutional stance as it applies to TTUHSC El Paso in the areas of identification and authentication, account management, device-to-device identification and authentication, identifier management, authenticator management, authenticator feedback, and cryptographic module authentication.

It is the stance of TTUHSC El Paso to ensure that there are safeguards in place aligned with NIST 800-53 and TAC 202 to ensure the protection, integrity, and confidentiality of information resources at TTUHSC El Paso.

Who Should Read this Policy?
All individuals accessing, storing, viewing any TTUHSC El Paso information resources.

What happens if I violate this policy?
Any person(s) violating TTUHSC El Paso Information Technology policies are subject to penalty under federal, state, and local legislation. Disciplinary actions are further outlined in HSCEP OP 56.50, Sanctions Policy.1

IA-01: Identification & Authentication Policy & Procedures

TTUHSC El Paso develops, disseminates, reviews & updates:2

  • A formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  • Formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

TTUHSC El Paso is required to document organization-wide identification and authentication controls that, at a minimum, include:

  • A formal, documented identification and authentication policy; and
  • Processes to facilitate the implementation of the identification and authentication policy, procedures, and associated controls.

IA-02: Account Management

Systems uniquely identify and authenticate organizational users or processes in order to:3

  • Verify the identity of a user, process, or device as a prerequisite to granting access;
  • Allow the use of group authenticators only in conjunction with an individual/unique authenticator; and
  • Require individuals to be authenticated with an individual authenticator prior to using a group authenticator.

TTUHSC El Paso is required to assign all users a unique identification (ID) before allowing them to access systems. In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:

  1. Something you know, such as a password or passphrase;
  2. Something you have, such as a token device or smart card; or
  3. Something you are, such as a biometric.

User Identification & Authentication Includes:

Network Access To Privileged Accounts
Where technically feasible, information systems must implement multifactor authentication for network access to privileged accounts.

Network Access To Non-Privileged Accounts
Where technically feasible, and a business justification exists, information systems must implement multifactor authentication for network access by non-privileged accounts.

Local Access To Privileged Accounts
Where technically feasible, and a business justification exists, asset custodians are required to incorporate multifactor authentication for local access to systems by employees, administrators, and third parties.

Group Authentication
Where technically feasible, individuals must be authenticated with an individual authenticator when a group authenticator is employed.

Network Access To Privileged Accounts - Replay Resistant
Where technically feasible and a business justification exists, information systems must implement replay-resistant authentication mechanisms for network access by privileged accounts.

Network Access To Non-Privileged Accounts - Replay Resistant
Where technically feasible and a business justification exists, information systems must implement replay-resistant authentication mechanisms for network access by non-privileged accounts.
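The two requirements above do not say what makes a mechanism replay resistant. The following example, added here and not part of the policy or of any TTUHSC El Paso system, contrasts a static authenticator (a fixed token sent on every login, which an eavesdropper can capture and resend) with a nonce-based challenge-response exchange in which the server accepts each challenge once and only within a short window. The user name, password, nonce length, and 30-second lifetime are constructed for the example; using the raw password as an HMAC key is a simplification, since a real deployment would derive a per-user key.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256


class ReplayProneServer:
    """Authenticates with a static token derived from the password.
    Anyone who captures one login message can resend it indefinitely."""

    def __init__(self, users):
        self.tokens = {u: HASH(p.encode()).hexdigest() for u, p in users.items()}

    def login(self, user, token):
        expected = self.tokens.get(user)
        return expected is not None and hmac.compare_digest(expected, token)


class ChallengeResponseServer:
    """Issues a fresh random nonce per attempt; the client proves possession of
    the shared key by returning HMAC(key, nonce). A nonce is accepted at most
    once and only within ttl_seconds of being issued, so a captured response
    cannot be replayed."""

    def __init__(self, users, ttl_seconds=30):
        # Assumption for the example: the password is used directly as the key.
        self.keys = {u: p.encode() for u, p in users.items()}
        self.ttl = ttl_seconds
        self.outstanding = {}  # nonce -> (user, time issued)

    def challenge(self, user, now):
        nonce = secrets.token_hex(16)  # 128 bits of randomness per attempt
        self.outstanding[nonce] = (user, now)
        return nonce

    def login(self, user, nonce, response, now):
        issued = self.outstanding.pop(nonce, None)  # pop: the nonce is single-use
        if issued is None or issued[0] != user:
            return False  # unknown, already-used, or mismatched nonce
        if now - issued[1] > self.ttl:
            return False  # stale challenge
        expected = hmac.new(self.keys[user], nonce.encode(), HASH).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(password, nonce):
    """What the client sends back: HMAC over the server's nonce."""
    return hmac.new(password.encode(), nonce.encode(), HASH).hexdigest()


def demo(now=1_000_000):
    """Run both schemes against a captured message and return the outcomes."""
    users = {"admin": "correct horse battery staple"}  # constructed credential
    results = {}

    weak = ReplayProneServer(users)
    captured = HASH(users["admin"].encode()).hexdigest()  # seen on the wire once
    results["static_first"] = weak.login("admin", captured)
    results["static_replay"] = weak.login("admin", captured)  # still accepted

    strong = ChallengeResponseServer(users)
    nonce = strong.challenge("admin", now)
    response = client_response(users["admin"], nonce)
    results["cr_first"] = strong.login("admin", nonce, response, now + 1)
    results["cr_replay"] = strong.login("admin", nonce, response, now + 2)

    nonce2 = strong.challenge("admin", now)
    results["cr_wrong_key"] = strong.login(
        "admin", nonce2, client_response("guess", nonce2), now + 1)

    nonce3 = strong.challenge("admin", now)
    results["cr_stale"] = strong.login(
        "admin", nonce3, client_response(users["admin"], nonce3), now + 120)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {'accepted' if ok else 'rejected'}")
```

Kerberos, TLS client certificates, and one-time-password tokens achieve the same property in production; the point of the exchange shown is that the value the client sends is bound to a server-chosen, single-use, time-limited challenge rather than being a constant.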

Remote Access - Separate Device (Multifactor Authentication)
Asset custodians are required to secure all individual non-console administrative access and all remote access to sensitive networks using multi-factor authentication:4,5,6,7

  1. Incorporate multi-factor authentication for all non-console access for personnel with administrative access.
  2. Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside TTUHSC El Paso's network.

Acceptance Of PIV Credentials
Where technically feasible and justified by a valid business case, TTUHSC El Paso shall configure information systems to accept and electronically verify Personal Identity Verification (PIV) credentials.

IA-03: Device-To-Device Identification & Authentication

Systems uniquely identify and authenticate devices before establishing a connection.

TTUHSC El Paso is required to use Active Directory (AD) to authenticate devices before establishing network connections, using cryptographically based, bidirectional authentication between the devices.

IA-04: Identifier Management (User Names)

TTUHSC El Paso manages system identifiers for users and devices by:8

  • Receiving authorization from a designated organizational official to assign a user or device identifier;
  • Selecting an identifier that uniquely identifies an individual or device;
  • Assigning the user identifier to the intended party or the device identifier to the intended device; and
  • Preventing reuse of user or device identifiers.

TTUHSC El Paso is required to ensure proper user identification and authentication management for all standard and privileged users on all systems, as follows:

  1. Ensure that only authorized users are provided with user IDs;
  2. Ensure that user names and service accounts are uniquely named and in a manner consistent with organizationally defined guidelines; and
  3. Require written authorization by a supervisor or manager to receive a user ID.

Identifier Management Includes:

Identity User Status
Where technically feasible, TTUHSC El Paso shall identify individuals with unique username characteristics that correspond to employment status.

Dynamic Management
Where technically feasible, information systems shall dynamically manage identifiers.

Cross-Organization Management
Where technically feasible, TTUHSC El Paso shall coordinate with external organizations for cross-organization management of identifiers.

Privileged Account Identifiers
TTUHSC El Paso requires privileged user accounts to be:

  1. A unique account separate from a standard user account; and
  2. Used only when necessary for running privileged functions.

IA-05: Authenticator Management (Passwords)

TTUHSC El Paso manages system authenticators for users and devices by:9

  • Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;
  • Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  • Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
  • Changing default content of authenticators upon system installation;
  • Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate);
  • Changing/refreshing authenticators according to an organization-defined time period by authenticator type;
  • Protecting authenticator content from unauthorized disclosure and modification; and
  • Requiring users to take, and having devices implement, specific measures to safeguard authenticators.

TTUHSC El Paso manages system accounts (authenticators) for users and devices by the following:10

  1. Verify, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;
  2. Ensure that authenticators have sufficient strength of mechanism for their intended use;
  3. Establish and implement administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
  4. Change default content of authenticators upon system installation;
  5. Establish minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate);
  6. Change/refresh authenticators according to an TTUHSC El Paso-defined time period by authenticator type;
  7. Protect authenticator content from unauthorized disclosure and modification; and
  8. Require users to take, and having devices implement, specific measures to safeguard authenticators.

Authenticator Management includes:

Password-Based Authentication11
TTUHSC El Paso enforces the following password requirements for user and service accounts:

  1. User Accounts:
    1. Password Length: Minimum of eight (8) characters
    2. Password Reuse: Ten (10) (users cannot reuse any of their last ten (10) passwords)
    3. Password Life:
      1. Maximum: Ninety (90) days
      2. Minimum: One (1) day
    4. Password Complexity:
      1. Passwords are not a derivative of the user ID
      2. Passwords have at least one (1) lower alpha, one (1) upper alpha, one (1) number, and one (1) special character.
      3. Passwords cannot contain two identical, consecutive characters
  2. Service Accounts:
    1. Password Length: Minimum of eight (8) characters
    2. Password Reuse: Ten (10) (a service account cannot reuse any of its last ten (10) passwords)
    3. Password Life:
      1. Maximum: Three hundred sixty-five (365) days
      2. Minimum: One (1) day
    4. Password Complexity:
      1. Passwords are not a derivative of the user ID
      2. Passwords have at least one (1) lower alpha, one (1) upper alpha, one (1) number, and one (1) special character.
      3. Passwords cannot contain two identical, consecutive characters
  3. Password Protection:
    1. Do not use the same password for TTUHSC El Paso accounts as for other non-TTUHSC El Paso access (e.g., personal ISP account, online banking, benefits, etc.). Users must not use the same password for various TTUHSC El Paso access needs and are required to have unique passwords for each account they access.
    2. Do not share TTUHSC El Paso passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as Restricted, Confidential TTUHSC El Paso information.
    3. Prohibited password practices:
      1. Do not use default vendor passwords
      2. Do not reveal a password over the phone to anyone for any reason
      3. Do not reveal a password in an e-mail message
      4. Do not reveal a password to a co-worker or supervisor
      5. Do not talk about a password in front of others
      6. Do not hint at the format of a password (e.g., "my family name")
      7. Do not reveal a password on questionnaires or security forms
      8. Do not share a password with family members
      9. Do not write passwords down and store them anywhere in the user's office
      10. Do not store passwords in a file on any information asset without encryption
  4. Compromise:
    1. If an account or password is suspected to have been compromised, report the incident to management and change all passwords immediately.
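The numeric limits above (length, history depth, minimum and maximum age, character classes, no identical consecutive characters, not derived from the user ID) are the kind of rules an identity system enforces at password-change time. The checker below is an added example written for this page; it is not TTUHSC El Paso code and reflects no particular product. The policy does not define "special character" or "derivative of the user ID", so the example assumes a special character is any non-alphanumeric character and that a password is a derivative of the user ID if, ignoring case, it contains the user ID, the user ID reversed, or any four consecutive characters of it. Password history is kept as salted PBKDF2 hashes rather than plaintext, and the PBKDF2 iteration count is kept modest so the example runs quickly.

```python
import hashlib
import hmac
import os
import re
from datetime import date

# Values stated in the policy text. Interpretations of undefined terms are
# assumptions made for this example and are marked where they appear.
USER_POLICY = {"min_length": 8, "history": 10, "min_age_days": 1, "max_age_days": 90}
SERVICE_POLICY = {"min_length": 8, "history": 10, "min_age_days": 1, "max_age_days": 365}

PBKDF2_ITERATIONS = 100_000  # assumption: low for a fast demo; raise in production


def hash_password(password, salt=None):
    """Return (salt, digest) so the history store never holds plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_history(password, history, depth):
    """True if the password equals any of the last `depth` stored entries."""
    for salt, digest in history[-depth:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def is_derivative_of_user_id(password, user_id):
    """Assumed interpretation of 'derivative of the user ID' (see lead-in)."""
    p, u = password.lower(), user_id.lower()
    if len(u) >= 4 and (u in p or u[::-1] in p):
        return True
    return any(u[i:i + 4] in p for i in range(len(u) - 3))


def check_password(password, user_id, history, policy=USER_POLICY):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")
    if not re.search(r"[a-z]", password):
        violations.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        violations.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        violations.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):  # assumption: special = non-alphanumeric
        violations.append("no special character")
    if re.search(r"(.)\1", password):  # any character immediately repeated
        violations.append("two identical consecutive characters")
    if is_derivative_of_user_id(password, user_id):
        violations.append("derived from the user ID")
    if matches_history(password, history, policy["history"]):
        violations.append(f"reuses one of the last {policy['history']} passwords")
    return violations


def password_expired(last_changed_iso, today_iso, policy=USER_POLICY):
    """Maximum life: the password must be changed once it is older than max_age_days."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    return age > policy["max_age_days"]


def change_allowed(last_changed_iso, today_iso, policy=USER_POLICY):
    """Minimum life: a change is refused until min_age_days have elapsed, which
    stops a user cycling through ten passwords in one sitting to defeat the history rule."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    return age >= policy["min_age_days"]


if __name__ == "__main__":
    # Constructed sample history for user "jdoe"; both entries satisfy the policy.
    history = [hash_password("Winter!2023"), hash_password("Spring!2024")]
    for candidate in ["Tr0ub4dor&3", "Spring!2024", "jdoe1234", "Passw0rd!!", "Aa!1"]:
        print(f"{candidate!r:16s} {check_password(candidate, 'jdoe', history) or 'OK'}")
    print("expired after 91 days:", password_expired("2018-01-01", "2018-04-02"))
    print("change on same day allowed:", change_allowed("2018-05-01", "2018-05-01"))
```

For service accounts, pass `policy=SERVICE_POLICY`; the only difference is the 365-day maximum life. The minimum-age check is what gives the ten-password history rule teeth.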

PKI-Based Authentication
Where technically feasible, asset custodians must configure assets for PKI-based authentication by:

  1. Validating certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;
  2. Enforcing authorized access to the corresponding private key;
  3. Mapping the authenticated identity to the account of the individual or group; and
  4. Implementing a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

In-Person or Trusted Third-Party Registration
TTUHSC El Paso's Human Resources (HR) department, in conjunction with the Identity and Access Management (IAM) team, must develop and implement mechanisms to ensure that authenticators are issued only through:

  1. An in-person process that is managed by HR-designated personnel/roles; or
  2. An outsourced process that is managed by a trusted third party.

Automated Support For Password Strength
The TTUHSC El Paso Identity and Access Management (IAM) team may perform password cracking on a periodic or random basis to determine whether password authenticators are sufficiently strong to satisfy TTUHSC El Paso-defined requirements.

Protection of Authenticators12
Users are required to follow TTUHSC El Paso's practices for:

  1. The use of authentication mechanisms (e.g., passwords, passphrases, physical or logical security tokens, smart cards, certificates, etc.); and
  2. Protecting authenticators commensurate with the risk posed to TTUHSC El Paso that use of the authenticator permits access.

No Embedded Unencrypted Static Authenticators
TTUHSC El Paso prohibits unencrypted static authenticators from being:

  1. Embedded in applications or access scripts; or
  2. Stored on function keys.

Hardware Token-Based Authentication
Where applicable, asset custodians must employ mechanisms for hardware token-based authentication that satisfy TTUHSC El Paso's token quality requirements.

Vendor-Supplied Defaults13
Asset custodians and data/process owners are required to change vendor-supplied defaults before installing a system on the network, including but not limited to:

  1. Passwords;
  2. Encryption keys;
  3. Simple Network Management Protocol (SNMP) strings; and
  4. Removing unnecessary, default accounts.

IA-06: Authenticator Feedback

TTUHSC El Paso systems obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

Asset custodians and data/process owners are required to ensure all systems and applications obscure the visible feedback of authentication information (e.g., passwords) during the authentication process to protect the information from possible exploitation by unauthorized individuals.

IA-07: Cryptographic Module Authentication

Systems use mechanisms for authentication to a cryptographic module that meet the requirements of applicable local, state, and federal laws, as well as non-regulatory requirements that the organization is contractually bound to address.14

The minimum allowed encryption standard is AES 128 but the recommended standard for compliance is AES 256.

IA-08: Identification & Authentication (Non-Organizational Users)

Systems uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).

Where technically feasible, asset custodians are required to assign non-TTUHSC El Paso users with unique identifiers in both usernames and email addresses to clarify the user is not directly employed by TTUHSC El Paso.

Identification & Authentication (non-organizational users) includes:

Acceptance of PIV Credentials from other organizations
Where technically feasible and justified by a valid business case, TTUHSC El Paso shall configure information systems to accept and electronically verify Personal Identity Verification (PIV) credentials from US federal agencies.

Acceptance of Third-Party Credentials
Where technically feasible and justified by a valid business case, TTUHSC El Paso shall configure information systems to accept only FICAM-approved third-party credentials.

Use of FICAM-Approved products
Where technically feasible and justified by a valid business case, TTUHSC El Paso shall employ only FICAM-approved information system components to accept third-party credentials.

Use of FICAM-Issued profiles
Where technically feasible and justified by a valid business case, TTUHSC El Paso shall configure information systems to conform to FICAM-issued profiles.

All other IT Policies can be found at https://ttuhscep.edu/it/policies/

  1. 56.50 Sanctions Policy (SN)
  2. PCI DSS 8.1
  3. PCI DSS 8.1.1 & 8.2 | MA201CMR17 17.04(1)(c) & 17.04(2)(b)
  4. PCI DSS 8.3
  5. PCI DSS version 3.2 Requirement 8.3
  6. PCI DSS version 3.2 Requirement 8.3.1
  7. PCI DSS version 3.2 Requirement 8.3.2
  8. HIPAA 164.312(a)(b)(i) | MA201CMR17 17.04(1)(d)
  9. HIPAA 164.308(a)(5)(ii)(D) | PCI DSS 8.1.2, 8.2.3, 8.2.4 & 8.2.5 | MA201CMR17 17.04(1)(b)-(e) & 17.04(2)(b)
  10. HIPAA 164.308(a)(5)(ii)(D) | PCI DSS 8.1.2, 8.2.3, 8.2.4 & 8.2.5 | MA201CMR17 17.04(1)(b)-(e) & 17.04(2)(b)
  11. HIPAA 164.308(a)(5)(ii)(D) | PCI DSS 8.1.2, 8.2.3, 8.2.4 & 8.2.5 | MA201CMR17 17.04(1)(b)-(e) & 17.04(2)(b)
  12. NIST 800-53 IA-5(6) | ISO 27002 9.3.1 | FedRAMP | PCI DSS 8.6
  13. PCI DSS 2.1, 2.1.1 & 8.3
  14. PCI DSS 8.2.1
  15. PCI DSS 8.1.8

Revised May 2018