UM Account Security Standard
UM Information Security Office - Area: Information Security Policy
Document History
Date | Document Version | Revision Description | Author |
---|---|---|---|
2/27/2024 | 1.0 | New Document | Neff, CISO |
7/15/2024 | 1.1 | Minor Revisions | Neff, CISO |
Approvals
Approval Date | Approved Version | Approver Role | Approver |
---|---|---|---|
7/15/2024 | 1.1 | CISO | Neff, CISO |
Introduction
This standard is based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63B, Digital Identity Guidelines, and describes how University of Montana (UM) users, as well as system and application administrators, must configure and use Passphrases and Multi-Factor Authentication (MFA) to protect accounts that provide access to UM information and systems. This standard helps protect Personally Identifiable Information (PII), Personal Health Information (PHI), and Controlled Unclassified Information (CUI) for which UM is responsible, by helping to ensure that only authorized users can access such information or the systems that contain it. All members of the UM community must follow this standard in order to comply with UM Information Security and MUS Information Technology policy.
Definitions
Account Credentials
Account types may be local to an appliance or system, or may be provided by an account directory system, and may consist of the following, non-exhaustive attributes:
- Account name or number (NetID, UM ID)
- Passphrase
- Personal Identification Number (PIN)
- Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA)
Authentication that requires more than one of the following factors:
- Something you know (a passphrase)
- Something you have (a fob, a mobile device with an MFA application)
- Something you are (biometrics)
Account Management System
A system such as Microsoft Active Directory (AD), Microsoft Entra ID or other Lightweight Directory Access Protocol (LDAP) software, including technologies that integrate with AD/LDAP to assist in the management of accounts.
Account Types
- Privileged Account – An account that a person uses for accessing information where privileges greater than a standard user account are needed to complete work. Privileged accounts must not be used for non-administrative purposes (e.g., web browsing, email)
- Service Account – An account that is used specifically for running an application or IT service
- Standard Account – Any account on any information system that is used by an individual to access that information system
STANDARD
UM Information Systems User Requirements
All users of UM information systems, including system and application administrators when managing systems, are responsible for:
- Maintaining the security of their account credentials and never sharing their credentials
- Selecting strong passphrases for their UM accounts
- Selecting a passphrase that has not been used on any other system, and in particular not on any non-UM system
- Selecting a passphrase that does not contain PII or other readily guessable details
- Changing their passphrases when passphrases are suspected or known to have been compromised
- Changing their passphrase immediately after a service desk passphrase reset
- Using Multi-Factor Authentication (MFA) on every UM system on which MFA is available
- Using a “service account” and/or other separate “privileged account,” when managing IT services, or when needed to utilize elevated privileges on a system, but never for day-to-day activities, such as web browsing, reading email, etc.
- Being mindful when approving Multi-Factor Authentication (MFA) requests, to only approve requests that the authorized user has initiated
- Using secure password management software, where available
UM System and Application Administrator Requirements
All system and application administrators, as well as account/identity management administrators are responsible for:
- Configuring information systems and applications for which administrators are responsible to comply with this standard
- Changing all default passphrases when implementing new or replacement products, technologies, or systems
- Creating and using separate “service accounts” and/or “privileged accounts” to manage information systems and applications, or when elevated privileges are otherwise needed
- Documenting ownership and retention requirements of all privileged/service accounts
- Differentiating user, privileged, and service accounts, and recording details including:
  - User or department name, account name, purpose for account, creation and de-provisioning dates
- Periodically auditing the inventory of all accounts and ensuring that:
  - Access to the account is still needed
  - Privileges for the account are still needed. If a role change results in different privileges for the account, the passphrase must be reset and active sessions terminated
  - Inactive accounts are locked after a reasonable period of inactivity. Due to regulatory and record retention requirements, inactive accounts should be locked and de-provisioned, but not deleted. The UM Information Security Office can assist areas in determining what inactivity period is reasonable
  - Accounts are created and authorized using the appropriate processes, especially for new and/or privileged accounts, ensuring accounts are associated with a valid department or user
- Ensuring that any non-employee/vendor accounts follow all UM procedures for authorizing and securing such accounts
- Ensuring that service and/or privileged accounts have complex passphrases that meet the passphrase requirements below
- Configuring all non-service account access to require MFA to access the application or system
- Configuring MFA to expire and require reauthentication after no more than thirty (30) days
- Configuring systems to disallow known (i.e., compromised and/or sample) passphrases
- Complying with the "MFA Requirements" section below
- Ensuring that passphrases are never re-used on an application, information system, or account management system
- Ensuring that known (i.e., published/sample) passphrases are not allowed by the system
- Ensuring that passphrases are changed at least annually for all service and/or privileged accounts
- Ensuring that passphrases are stored in a secure, unrecoverable manner (e.g. hashing)
- Configuring systems to lock user accounts for at least fifteen (15) minutes after five (5) failed passphrase attempts
- Configuring systems to expire user and privileged account sessions after a reasonable pre-defined period. The UM Information Security Office can assist areas in determining what session expiration period is reasonable
- Using Privileged Account Management (PAM) software that is approved and authorized by UM, to securely manage account credentials, where available
- Enabling the “show passphrase” option, if the application or information system supports this feature
- Configuring systems so that passphrases are not composed of easily guessed characters, words, or terms, such as “Passwordpasswordpassword,” by utilizing a passphrase dictionary or similar tool to prevent weak passphrases from being selected
- Configuring systems so that passphrases do not contain the same character or phrase more than two (2) times in a row (e.g., aaaa123456789asdfzxcv would not be allowable because the “a” character is repeated more than twice in a row)
- Configuring systems to prevent password hints and other mechanisms that may leak information regarding the passphrase
- Configuring systems to de-provision accounts after employee role-change or separation in a timely manner
- Establishing manual procedures for emergency de-provisioning of accounts
- The UM Information Security Office may periodically assess passphrase strength by conducting brute-force, dictionary, or other passphrase-guessing exercises to validate that passphrases cannot be easily compromised and thereby expose UM accounts, applications, or information systems. Weak passphrases found in such exercises must be locked and a stronger account passphrase selected.
UM Passphrase Requirements
Passphrase requirements for UM information systems must meet or exceed the following:
- For Standard Accounts, the passphrase must contain at least thirteen (13) characters including a mix of upper and lower case
- For Privileged Accounts, the passphrase must contain at least twenty (20) characters including a mix of upper and lower case
- Passphrases must be changed when compromise is suspected or if the passphrase is found to be weak during information security passphrase testing. User account passphrases do not otherwise expire
- Passphrases may not:
  - Be composed of easily guessed words or terms, such as “Passwordpasswordpassword”
  - Contain the same character or phrase more than two (2) times in a row (e.g., aaaa123456789asdfzxcv would not be allowable because the “a” character is repeated more than twice in a row)
  - Have been used by the account user before, and may not be used on any other system (for example, never use any UM passphrase for your Facebook account or for your banking site)
- Other passphrase complexity rules are not enforced – passphrase does not need special characters, numbers, etc.
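As an added illustration of the passphrase rules above (example code written for this page, not UM's own tooling), the following Python validator implements the length, mixed-case, repetition, known-passphrase, personal-detail and reuse checks in one place. The blocklist, the personal details and the history hashes it uses are constructed sample values; real deployments would load a full passphrase dictionary.

```python
import hashlib
import hmac

# Minimum lengths from the UM Passphrase Requirements section.
MIN_LENGTH = {"standard": 13, "privileged": 20}

# Constructed sample blocklist standing in for a dictionary of known,
# published or sample passphrases (a real deployment loads a large list).
KNOWN_PASSPHRASES = {"passwordpasswordpassword", "correcthorsebatterystaple",
                     "welcome2024", "changeme"}


def has_run_over_two(text: str) -> bool:
    """True if any character or phrase appears more than twice in a row.

    Compared case-insensitively, so 'Passwordpasswordpassword' counts as
    three consecutive repeats of the phrase 'password'.
    """
    s = text.lower()
    n = len(s)
    for k in range(1, n // 3 + 1):            # length of the repeated unit
        for i in range(0, n - 3 * k + 1):
            unit = s[i:i + k]
            if s[i + k:i + 2 * k] == unit and s[i + 2 * k:i + 3 * k] == unit:
                return True
    return False


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Store passphrases unrecoverably: salted PBKDF2-HMAC-SHA256 (stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def check_passphrase(passphrase, account_type, personal_details=(), history=()):
    """Return the list of violated rules; an empty list means acceptable.

    personal_details: strings such as a NetID or name that must not appear.
    history: (salt, digest) pairs of the account's previous passphrases.
    """
    problems = []
    if len(passphrase) < MIN_LENGTH[account_type]:
        problems.append(f"shorter than {MIN_LENGTH[account_type]} characters")
    if not (any(c.islower() for c in passphrase) and any(c.isupper() for c in passphrase)):
        problems.append("needs a mix of upper and lower case")
    if passphrase.lower() in KNOWN_PASSPHRASES:
        problems.append("known/sample passphrase")
    if has_run_over_two(passphrase):
        problems.append("character or phrase repeated more than twice in a row")
    for detail in personal_details:
        if detail and detail.lower() in passphrase.lower():
            problems.append(f"contains readily guessable detail {detail!r}")
    for salt, digest in history:
        if hmac.compare_digest(hash_passphrase(passphrase, salt), digest):
            problems.append("previously used by this account")
            break
    return problems
```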
MFA Requirements
All account access for all UM applications and information systems must use at least two (2) “Factors,” to enforce Multi-Factor Authentication (MFA).
Due to risks to Personally Identifiable Information (PII), UM recommends not using biometric factors for authentication to UM applications or systems.
Due to the ease of interception, SMS and other push technologies are the least secure MFA factors and should not be used as a method for privileged or service account use.
If an application, account management system, or information system is not capable of technically enforcing any of these requirements, administrators must consult with the UM Information Security Office to determine whether compensating controls can be implemented to protect the application or system. Exceptions to this standard must document the risks related to the information accessible through the system and require CISO approval.
Procedures
The UM Information Security Office (ISO) will update this document periodically in response to emerging trends and guidance from information security professional organizations.
References
- NIST 800-63B
- UM Acceptable Use of Technology Resources Policy
- UM Information Security Policy
- MUS BOR 1300.1