Sunday, August 29, 2010

Protect Your Data from Hackers

Purpose

The purpose of these Guidelines is to define baseline security controls for protecting Institutional Data, in support of the University’s Information Security Policy.

Applies To

This Policy applies to all faculty, staff and third-party Agents of the University as well as any other University affiliate who is authorized to access Institutional Data.  In particular, this Guideline applies to those who are responsible for protecting Institutional Data, as defined by the Information Security Roles and Responsibilities.

Definitions

Electronic Storage Media is defined as any electronic device that can be used to store data.  This includes but is not limited to internal and external hard drives, CDs, DVDs, Floppy Disks, USB drives, ZIP disks, magnetic tapes and SD cards.
Information System is generically defined as any electronic system that stores, processes or transmits information.  For the purpose of this Guideline, it is any electronic system that stores, processes or transmits Institutional Data.
Institutional Data is defined as any data that is owned or licensed by the University.
Least Privilege is an information security principle whereby a user or service is provisioned the minimum amount of access necessary to perform a defined set of tasks.
Multi-factor Authentication is the process by which more than one factor of authentication is used to verify the identity of a user requesting access to resources.  There are three common factors of authentication: something you know (e.g. password, PIN, etc.), something you have (e.g. smart card, digital certificate, etc.) and something you are (e.g. fingerprint, retinal pattern, etc.).  Use of a username and password combination is considered single-factor authentication, even if multiple passwords are required.  A username and password used in conjunction with a smart card is two-factor authentication.  Multi-factor authentication represents the use of two or three factors.

Privileged Access is defined as a level of access above that of a normal user.  This definition is intentionally vague to allow the flexibility to accommodate varying systems and authentication mechanisms.  In a traditional Microsoft Windows environment, members of the Local Administrators, Domain Administrators and Enterprise Administrators groups would all be considered to have privileged access.  In a traditional UNIX or Linux environment, users with root-level access or the ability to sudo would be considered to have privileged access.  In an application environment, users with ‘super-user’ or system administrator roles and responsibilities would be considered to have privileged access.
