chemsilikon.blogg.se - Authentication security policy

#Authentication security policy password

Where technically feasible, U-M weblogin and active directory login must include notification of user requirement to abide by the Responsible Use of Information Resources (SPG 601.07) policy and provide for one-time user acknowledgement of such requirement. Responsible Use Notification and User Acceptance Login Banner Eligible non-U-M users must follow the established process for sponsored affiliates, guest/friend accounts, federated identities, social login, or documented trusted relationships.

#Authentication security policy password

Eligible university users are granted one unique user identification and password on the university network to ensure accurate auditing of access and actions departments will not share individual user IDs for system access. The identification of authorized users of the information system and the specification of access privileges is fundamental to access control. U-M departments are responsible for ensuring that individual requests for access to enterprise systems are limited to systems and access levels required for the individual’s work-related responsibilities.Īccess control at U-M, whether managed at the central or unit level, must adhere to the following requirements described in Table 1: Access Control Requirements Administrative and privileged access to U-M enterprise systems, as well as access to departmentally-provided services, are generally initiated by the individual’s department or unit. Affiliation with U-M determines an individual’s eligibility for standard U-M computing services.

Access ControlĪccess control is the practice of determining throughout an individual’s university lifecycle the authorized transactions, functions, and activities of legitimate users with regard to campus information resources.Īccess control at U-M to systems that create, process, maintain, transmit, or store sensitive institutional data should be primarily role-based as much as possible. Well-structured access management results in university personnel having access to the right services at the right times based on their current job responsibilities, a boost to overall productivity.

Its objective is to protect the university’s sensitive institutional data from compromises or breaches due to inadequate access and authentication management practices, as well as capture the information needed for compliance-related audit trails. This Standard establishes the framework for provisioning and deprovisioning access by staff and workforce members to U-M systems and applications that create, process, maintain, transmit, or store sensitive institutional data.

Any third-party provider with a contractual relationship with the university that maintains sensitive institutional data.

Personally owned devices, in accordance with provisions of Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33).

All university computer and telecommunications systems, including externally hosted systems that are accessed via U-M authentication systems.

All units, faculty, staff, and workforce members that create, process, maintain, transmit, or store sensitive institutional data on any university owned device, whether or not it is connected to the campus network and whether or not it is university or self-managed.

This Standard applies to the Ann Arbor, Dearborn, and Flint campuses, as well as all schools, colleges, institutes, and Michigan Medicine. IAM establishes procedures for verifying the identity and eligibility of individuals seeking to access and use the university’s information technology resources. Identity and access management (IAM) as a discipline is a foundational element of U-M’s information assurance program and the one that campus users interact with the most. This Standard applies to processes and procedures across the lifecycle of both user and system access and accounts. OverviewĪccess management and authentication protocols help to protect U-M systems and sensitive institutional data. It will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. The Standard is mandatory and enforced in the same manner as the policy. This Standard supports and supplements the Information Security (SPG 601.27) policy. Printable copy: Access, Authorization, and Authentication Management (PDF)

Responsible office: Information Assurance Approval authority: Vice President for Information Technology and CIO