Authentication, Authorization and Access Controls (S-13)

Standard: S-13
Responsible Executive: Vice President for Information Technology and System Chief Information Officer
Responsible Office: Office of the Vice President for Information Technology
Date Issued: July 15, 2019
Date Last Revised: N/A 

TABLE OF CONTENTS

Contacts
Individuals and Entities Affected by this Standard
Statement of Standard
Responsibilities
Definitions (defined terms are capitalized throughout the document)
Related Documents, Forms and Tools
History and Updates
Appendix 

CONTACTS

Clarification of Standard

Title/Office

Telephone

Email/Webpage

ITaP Security and Policy

765-494-4000

Itap-securityhelp@purdue.edu

INDIVIDUALS AND ENTITIES AFFECTED BY THIS STANDARD

University students, faculty, staff and all other individuals or entities using University IT Resources.

STATEMENT OF STANDARD

Controlled access to IT Resources is essential for Purdue University to continue its mission of learning, discovery and engagement. Identification, authentication and authorization are controls that facilitate access to University IT Resources. Purdue University uses access controls and other security measures to protect the confidentiality, integrity and availability of University IT Resources and Information Assets. This standard identifies the requirements supporting these controls.

Identification

The Purdue University identifier (PUID) number is a ten-digit identification number assigned to each person based on the individual’s unique relationship with the University. A person’s PUID number identifies the person to Purdue University’s IT Resources. A PUID number will be assigned to each individual who has a legitimate business, research or educational need to access University IT Resources, but a PUID number alone is not sufficient to access these IT Resources.

  • A PUID number will be assigned to all prospective students at the time of application to the University.
  • A PUID number will be assigned to all employees of the University at the time of employment.
  • All contractors, consultants, or other non-employees, who must be granted User Credentials in order to fulfill a legitimate business, education and/or research obligation to or on behalf of Purdue University, must follow the Request for Privileges Application (R4P) A PUID number will be assigned once that process is complete.
  • The PUID number must be used with appropriate authentication credentials. By itself, the PUID number must not be used to gain access to any private information or non-public IT Resource.

Authentication

A PUID number is not the same as a Purdue Career Account or Multi-factor Authentication. A Purdue Career Account and/or Multi-factor Authentication gives an individual electronic access to a number of services. All Purdue students, faculty and staff receive a Purdue Career Account with base access that may include different services depending upon a person's affiliation with the University.

  • A Purdue Career Account and Multi-factor Authentication will automatically be assigned to all faculty and staff at the beginning of their employment period, and to students upon offer of admission to the University.
  • A Purdue Career Account and Multi-factor Authentication may be assigned to an individual who has a legitimate business, research or educational need to access University IT Resources, but is not a faculty, staff, or student at the University. Assignment of account will require the user’s explicit acknowledgement to follow Purdue policies. This access is subject to quarterly review through Human Resource Services.
  • A Purdue Career Account and Multi-factor Authentication must be used, where technically possible, for general user authentication purposes for all Purdue IT Resources and those hosted on behalf of Purdue.
  • All University IT Resources must use only encrypted authentication mechanisms.
  • Authentication credentials for Purdue IT Resources will not be coded into programs or queries unless they are encrypted, and only when no other reasonable options exist, and must follow the standard on User Credentials (S-16) for password expiry. A security policy exception request is required in order to code authentication credentials into programs or queries if unencrypted.
  • Use of biometric technologies for authentication purposes must follow the standard on Biometric Technologies (S-14).

Authorization

Authorization for University IT Resources depends on the individual’s relationship(s) to the University and the requirements associated with that relationship.

  • Only the minimum privileges necessary to complete required tasks will be assigned to an individual.
  • Privileged Access may not be assigned to Career Accounts.
  • When Privileged Access is needed across systems, separate privileged accounts must be used. For example, Active Directory OU admin, database admin, and application admin will be separate accounts.
  • Privileges assigned to each individual must be reviewed on a regular basis and modified or revoked upon a change in status with the University. When the privileges assigned to an individual change (e.g., due to a change in role or responsibilities), access to University IT Resources must be adjusted accordingly.
  • System users must be permitted to modify production data only when employing a controlled process or system.

General Access Controls

  • Access controls will be accompanied by mechanisms to detect, record and generate alerts in accordance with IT Resource Logging (S-11) about repeated failed attempts to access University IT Resources.
  • Access controls must include account lockout capabilities, including a maximum number of login attempts and a lockout time duration.
  • Access control permissions for all non-public Purdue University IT Resources must default to no access, which blocks access by unauthorized users.
  • IT Resources must be designed to default to no access (denial of privileges to end-users) in the event of a malfunction.
  • Operating system access to IT Resources must use a password-protected session lock after inactivity for 15 minutes or less.
  • Testing or attempting to compromise internal controls, when outside of the scope of an individual's employment duties with Purdue University, is prohibited unless specifically approved in advance and in writing by the Office of the Vice President for Information Technology.
  • All contractors, consultants or other non-employees must only be given Privileged Access to IT Resources when the IT Resource Owner, or designee, determines there is a legitimate business need. These privileges must be enabled only for the time period required to accomplish approved tasks and then promptly disabled upon completion of the approved tasks.

Remote Access Controls

Remote Users accessing non-public University IT Resources must follow these requirements for any Remote Host accessing IT Resources, as well as any guidelines, procedures or other requirements issued by their departmental IT units and/or the owners of the IT Resource to be remotely accessed:

  • Utilize Purdue’s VPN service to access IT Resources that are only available on campus.
  • Utilize Purdue Career Account and Multi-factor Authentication service.
  • Ensure the Remote Host meets the security expectations specified in the End User Security Guidelines.
  • Take reasonable precautions to ensure Remote Access connections are secured from interceptions, eavesdropping or misuse including, but not limited to, shielding their screen from view in a public area when accessing sensitive or restricted data and not sharing the Remote Host with another party for use while it is remotely connected.
  • Follow University Data Handling Procedures and any departmental requirements including, but not limited to, those associated with federal, state or local laws, such as HIPAA, FERPA, etc.

Terminating Access to IT Resources

In accordance with the policy on Acceptable Use of IT Resources and Information Assets (VII.A.4), use of IT Resources is a privilege and not a right, and violations of this policy or any other University policy or regulation may result in revoked or limited IT Resource privileges.

Access to IT Resources must be immediately terminated when an employee separates from the University and when a non-employee, such as a student, vendor, contractor or consultant, no longer has a legitimate business or educational need.

RESPONSIBILITIES

Centralized and Departmental IT Units and IT Resource Owners (and designees)

  • Implement and monitor compliance with this standard and any related policies, standards and best practices for University IT Resources within their areas of responsibility.
  • Establish additional guidelines, procedures or other requirements that exceed this standard, as necessary, to secure University IT Resources

IT Security and Policy Identity and Access Management Office (IAMO)

  • Provide identification, authentication and authorization services to departments and academic units.

Remote IT Resource Users

  • Comply with this standard and any related policies, standards or security guidelines and procedures that may be issued by their departmental IT units and/or owners of the IT Resource(s) to be remotely accessed.
  • Comply with University Data Handling Procedures and any departmental requirements including, but not limited to, any guidelines issued by the HIPAA Privacy Compliance Office for Remote Access to Protected Health Information or those associated with federal, state or local law.

University students, faculty, staff and all other individuals or entities granted use of University IT Resources

  • Comply with the requirements of this standard and any related policies, standards or security guidelines and procedures that may be issued by their departmental IT units and/or owners of the IT Resource(s) they access.

DEFINITIONS

All defined terms are capitalized throughout the document. Additional defined terms may be found in the policy on Information Security and Privacy (VII.B.8) and in the central Policy Glossary.

Career Account
A general user account assigned at first affiliation with the University that gives an individual electronic access to a number of services at Purdue University, including but not limited to, services for email, instructional, research and departmental use with basic access to these different services based on the individual’s affiliation with the University. 

Privileged Access
Elevated or administrative access privileges beyond those of a general user Career Account. For example, accounts such as root, local administrator, domain administrator, OU admin, super user, and emergency or “break glass” have Privileged Access. 

Remote Access
Access to Purdue University IT Resources from an electronic or other device not directly connected to the Purdue University wired or wireless networks, but not including access to publicly available IT Resources. For example, use of a web browser to remotely access a publicly available Purdue University webpage is not covered by this standard. 

Remote Host
An electronic or other device used for Remote Access. 

Remote User
Any user of IT Resources from a Remote Host. 

Multi-factor Authentication
Multi-Factor Authentication (MFA), also referred to as two-step verification, or two-factor authentication (TFA, 2FA), is a security mechanism requiring two types of credentials for authentication designed to provide an additional layer of validation, minimizing security breaches. Typically, one is something you have, such as a physical token or software token on a mobile device, and the other is something you know, such as a PIN (personal identification number). The combination of the token and the PIN authenticates users to the system. At Purdue, Multi-factor Authentication is commonly referred to as “BoilerKey.” 

User Credentials
A computer or software user’s authentication information, typically a password, token or certificate in combination with a username. 

RELATED DOCUMENTS, FORMS AND TOOLS

This standard is issued in support of the policy on Information Security and Privacy (VII.B.8), as amended or superseded.

Other related policies, standards and procedures

BoilerKey Two-Factor Authentication

Health Insurance Portability and Accountability Act of 1996 (HIPPA) 

Family Rights and Privacy Act of 1974 (FERPA)

HISTORY AND UPDATES

July 15, 2019:  This standard supersedes the policy on Authentication and Authorization (VII.B.1) and the policy on Remote Access to IT Resources (VII.B.4). It also supersedes associated Remote Access Standards dated March 1, 2010, and Access Control Standards issued by the Identity and Access Management Office (IAMO) dated February 1, 2008, and revised December 7, 2011.

APPENDIX

There are no appendices to this standard.

Purdue University, 610 Purdue Mall, West Lafayette, IN 47907, (765) 494-4600

© 2017 Purdue University | An equal access/equal opportunity university | Copyright Complaints | Maintained by University Policy Office

Trouble with this page? Disability-related accessibility issue? Please contact University Policy Office at policies@purdue.edu.