Authentication and Access Control Standard

This Standard exists as an element of the Queen's University Electronic Information Security Policy Framework and has been developed in conjunction with the Queen's Security Community of Practice. Over time, it will be updated to reflect new threats to IT and information security as these emerge, new measures to safeguard security, and new or revised practices which are recommended for those who install and manage IT resources.

Purpose

Authentication is the process by which a system confirms that a person or device really is who or what it claims to be, and through which access to the requested resource is authorized. Strong authentication protocols help to both protect personal and University information and prevent misuse of University resources.

Access control is the process by which a system ensures appropriate access to information and functions, and prevents inappropriate access to such resources.

The purpose of this standard is to state University requirements and recommended measures to ensure that a server or software application is protected by appropriate authentication, and that users and others have only the necessary access to services and resources as required by their position at Queen's.

General Recommendations: Measures and Practices

User Accounts & Access Control

  1. Where possible, access to systems should be authenticated and controlled with the standard Queen's NetID. Use of the NetID provides a common identification across separate systems.
  2. Don't give the NetID password to others.
  3. NetID passwords should not be reused on other accounts.
  4. Password choice must be controlled to meet complexity standards (details below).
  5. Passwords on employee NetIDs must be changed at least once a year.
  6. Logins should be disabled for a period of time after a number of unsuccessful authentication attempts (details below).
  7. Create and configure user access only at the request of the individual's supervisor or unit management, or of the owner of the system for which the access is required.
  8. Regularly review all user access at least annually to verify that each is still required.
  9. Ensure user accounts for departed users are immediately disabled.
  10. Require users to change their initially assigned password.
  11. Where user accounts will be used to access personal, confidential, or operationally sensitive information, configure user accounts to require the use of strong passwords, and require passwords to be changed at regular intervals.
  12. Ensure that each user's account only has access to information, data or software that they have been authorized to have access to.

Generic Accounts
A generic account is one named for a role or function, not an individual person (e.g. abuse@queensu.ca).

  1. Every generic account must have a continuing employee sponsor who is responsible for all use of the account.
  2. Minimize use of generic accounts.
  3. Employ mechanisms that will link each use to the individual responsible (e.g. shared mailbox access, sudo).
  4. Generic login sponsorship must be renewed annually.
  5. Passwords must be changed annually.

Privileged Accounts
Privileged accounts generally have much more advanced access to the entire computer or software application, and hence represent a larger risk if such an account becomes compromised. Thus, privileged accounts require a greater degree of controls, safeguards and practices.

  1. Privileged accounts must require the use of strong passwords, and password change at regular intervals must be required.
  2. Use of privileged accounts must be logged and, on high-risk systems, reviewed at appropriate intervals.
  3. Two-factor authentication should be required when privileged accounts are used remotely, e.g. from outside the campus network.
  4. Employ mechanisms that will link each use to the individual responsible.
  5. Do not use privileged accounts for day-to-day computing, such as e-mail and web browsing. On personal computers, create a separate account for everyday work, and use the Administrator account only when necessary for software installation, updates, and device setup.

Operating System Access Control
Access control for operating systems on servers or multi-user systems must be configured in accordance with the Server Security Standards.

Software Acquisition and Development

  1. Where there will be a significant operational dependency on a software application, or where it will be used with personal, confidential, or operationally sensitive information, the software must be acquired or developed in accordance with relevant policies and standards in the Queen's University Electronic Information Security Policy Framework.
  2. For software that is acquired, determine whether the application being considered:
    • is able to interface with Queen's authentication and access control services, or
    • includes appropriate authentication and access control provisions or measures.
  3. If a software application will be developed rather than acquired, such software development should be done in accordance with the Queen's University Electronic Security Policy Framework.
  4. If the software application chosen will work with personal, confidential or operationally sensitive information, configuration of its authentication and access control mechanisms should be reviewed by the Information Systems Security Manager or his/her designate before the application moves into production or is used with real data.
  5. Whether purchasing or installing an existing software application, or developing an application to meet some requirement, Unit Heads are strongly advised to consult with ITServices in the early stages of such endeavours.
  6. Web login form pages must use Extended Validation TLS (formerly SSL) certificates, to validate the site owner as "Queen's University at Kingston (CA)".

Detailed Specifications

Password complexity

  1. A minimum of 10 characters
  2. Must contain upper AND lowercase letters AND a number AND a special character: !"#$%&()*+,-./:;<+>?@[\]_{}~
  3. For employees with access to personal, confidential or operationally sensitive information, the previous 5 passwords may not be re-used.

Unsuccessful logins

  1. 10 consecutive failures within 15 minutes result in a 15-minute lockout.
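The following is an added illustration of how the two detailed specifications above (password complexity with the 5-password re-use rule, and the 10-failures-in-15-minutes lockout) translate into checks an application could enforce. It is example code written for this page, not a Queen's or ITServices tool. It assumes PBKDF2-HMAC-SHA256 as a stand-in for whatever slow password hash the system already uses for history comparison, interprets "consecutive failures over 15 minutes" as a sliding window that a successful login resets, and uses constructed account names and passwords; the special-character set is copied from the standard exactly as printed.

```python
import hashlib
import hmac
import os
from collections import deque

# Permitted special characters, copied verbatim from the standard ("<+>" is as printed there).
SPECIAL_CHARS = r'!"#$%&()*+,-./:;<+>?@[\]_{}~'
MIN_LENGTH = 10
HISTORY_DEPTH = 5                  # previous 5 passwords may not be re-used (sensitive access)
MAX_FAILURES = 10                  # 10 consecutive failures ...
FAILURE_WINDOW_SECONDS = 15 * 60   # ... within 15 minutes ...
LOCKOUT_SECONDS = 15 * 60          # ... lock the account for 15 minutes


def complexity_errors(password):
    """Return the list of complexity rules a candidate password violates (empty = compliant)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        errors.append("no special character from the permitted set")
    return errors


def _hash_password(password, salt):
    # Assumed hash: PBKDF2 stands in for the application's real password hash. The history
    # check only needs a stable, salted derivation so old passwords are never stored in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Keeps the salted hashes of a user's last HISTORY_DEPTH accepted passwords."""

    def __init__(self, salt=None):
        self.salt = salt or os.urandom(16)
        self.recent = deque(maxlen=HISTORY_DEPTH)   # oldest entry drops off automatically

    def was_recently_used(self, password):
        candidate = _hash_password(password, self.salt)
        return any(hmac.compare_digest(candidate, old) for old in self.recent)

    def record(self, password):
        self.recent.append(_hash_password(password, self.salt))


def accept_new_password(password, history, sensitive_access):
    """Apply the complexity rules plus, for users with sensitive access, the re-use rule.
    Returns the list of violations; an empty list means the password was accepted and recorded."""
    errors = complexity_errors(password)
    if sensitive_access and history.was_recently_used(password):
        errors.append("matches one of the previous %d passwords" % HISTORY_DEPTH)
    if not errors:
        history.record(password)
    return errors


class LoginThrottle:
    """Per-account failure tracking: MAX_FAILURES consecutive failures inside
    FAILURE_WINDOW_SECONDS lock the account for LOCKOUT_SECONDS; a success resets the count."""

    def __init__(self):
        self.failures = {}      # account -> deque of failure timestamps (seconds)
        self.locked_until = {}  # account -> time at which the lockout expires

    def is_locked(self, account, now):
        return now < self.locked_until.get(account, 0.0)

    def record_attempt(self, account, success, now):
        """Record one attempt at time `now`; return True if the account is locked afterwards."""
        if self.is_locked(account, now):
            return True
        if success:
            self.failures.pop(account, None)   # a successful login breaks the consecutive run
            return False
        window = self.failures.setdefault(account, deque())
        window.append(now)
        # Discard failures older than the window so only recent consecutive ones count.
        while window and now - window[0] > FAILURE_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            window.clear()
            return True
        return False
```

Timestamps are passed in explicitly rather than read from the clock so the lockout logic can be exercised deterministically in tests; in a deployed application the caller would supply `time.time()` and persist the throttle state somewhere shared by all login front ends.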