UW-Whitewater Authentication Policy
Approved: March 27, 2017
Purpose
Reducing the risk of data loss, and protecting the confidentiality, integrity, and availability of information resources requires granting authorized individuals appropriate access to the resources. The goal for authentication is to provide appropriate Identification of authorized individuals. Knowing the identity of an individual, and then assigning a unique credential or identifier to the individual is the first step. Appropriate controls are needed to reduce the risk of having the credential used by an individual other than the one to whom it was assigned. The purpose of this policy is to establish the minimum requirements for authentication and authentication management.
Scope
This policy applies to all individuals or entities who require access to non-public University of Wisconsin (UW) - Whitewater information or systems, and establishes the minimum requirements for all authentication mechanisms administered by, or on behalf of the UW - Whitewater which are used to provide access to non-public information.
Definitions
Assurance: The degree of confidence in the vetting process used to establish the identify of an individual to whom a credential was issues, and the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued. (NIST SP 800-63)
Authentication: The process of establishing confidence in the identify of a user or information system.
Authenticator: The means to confirm the identity of a user, process, or device. Examples include, but are not limited to user password, passphrase, or token.
Multi-factor authentication: Multiple forms of authentication used to increase the likelihood that the credentials are from the individual to whom they were assigned, and reduce the risk of impersonation or the use of compromised credentials by an unauthorized individual. The types of credentials typically fall into three categories - something you know, such as a PIN or password, something you have, such as a one-time passcode generator, token or smart card, and something you are, such as a fingerprint or other biometrics.
Protected data: Any UW - Whitewater data and resources assigned a classification level other than public, as defined in the UW - Whitewater Instructional, Communication, and Information Technology (ITS) Information Asset Classification Policy.
User ID: Unique identifier assigned to a user or process. Examples include, but are not limited to account names, Net-ID, or certificate.
UW - Whitewater credential: Authentication mechanism or identifier provided by the UW - Whitewater to an authorized individual which grants access to protected information resources. This includes, but is not limited to, Net-IDs, token, biometrics, proximity or access cards, etc.
Policy Statement
Authentication systems which use passwords, and are used for access to UW-Whitewater information resources, must enforce the minimum password standards as defined in the UW-Whitewater Minimum Password Standards document.
Authentication methods used to access high risk data, as defined in the UW - Whitewater Instructional, Communication, and Information Technology (ITS) Information Asset Classification Policy and the University of Wisconsin System Administrative Policy 1031 - Information Security: Data Classification, must use multi-factor authentication.
Authentication methods and systems used when accessing protected data must meet the requirements as defined in the University of Wisconsin System Administrative Policy 1030 - Information Security: Authentication and University of Wisconsin System Administrative Procedure 1030.A - Information Security: Authentication documents.
Prior to being assigned a UW-Whitewater credential, the individual must agree to the UW-Whitewater Acceptable Use Policy.
Access for employees that have been discharged shall be removed immediately.
All users assigned UW-Whitewater credentials are required to protect their credentials. Credentials are assigned to a specific individual, and are not to be shared. Any activity performed by the credential is the responsibility of the account holder.
All UW-Whitewater account holders are required to notify the UW-Whitewater Helpdesk immediately if they suspect that their account credentials have been compromised.
If the account credentials of a user or system have been disclosed or otherwise compromised, the password must be changed immediately.
All UW-Whitewater account holders provided credentials which use passwords shall comply with the UW - Whitewater Minimum Password Standards.
Related Documents
- National Institute of Science and Technology (NIST) Special Publication (SP) 800-63-2: "Electronic Authentication Guideline" http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
- University of Wisconsin - Whitewater Acceptable Use Policy
http://www.uww.edu/ITS/policies-agreements/acceptable-use-policy - University of Wisconsin - Whitewater ITS Information Asset Classification Policy
http://www.uww.edu/ITS/policies-agreements/asset-classification - University of Wisconsin - Whitewater Minimum Password Standards
http://www.uww.edu/ITS/policies-agreements/min-password-standards - University of Wisconsin System Administrative Policy 1030 - Information Security: Authentication
https://www.wisconsin.edu/uw-policies/uw-system-administrative-policies/information-security-authentication/ - University of Wisconsin System Administrative Procedure 1030.A - Information Security: Authentication
https://www.wisconsin.edu/uw-policies/uw-system-administrative-policies/information-security-authentication/information-security-authentication/ - University of Wisconsin System Administrative Policy 1031 - Information Security: Data Classification
https://www.wisconsin.edu/uw-policies/uw-system-administrative-policies/information-security-data-classification/ - University of Wisconsin System Administrative Procedure 1031.A - Information Security: Data Classification
https://www.wisconsin.edu/uw-policies/uw-system-administrative-policies/information-security-data-classification/information-security-data-classification/
Scheduled Review
This document will be reviewed on an annual basis, or as deemed necessary.
Revision/Review Log
| Date | Approver | Action | Decription |
| 03/27/2017 | New Policy | Created based on the requirements contained in the September 14, 2016 version of the University of Wisconsin System Administrative Information Security Authentication Policy (1030) and Procedure (1030.A) documents. | |
| 03/27/2017 | Approved. | New policy was approved. |