MUSC Information Security Standards: Identity and Access Management

Author: Richard Gadsden
Contact: gadsden@musc.edu
Version: 0.4
Date: 19 May 2005
Status: DRAFT

1. Purpose and Scope

The purpose of these standards is to document the minimum requirements for identifying individuals who are requesting access to an information resource, for establishing their authorization to access the resource, and for controlling their access to the resource.

2. Applicable MUSC Policies

3. Standards

This document sets minimum standards for workforce members acting in each of the following types of roles:

3.1. System Owners

If an MUSC System may be used to house protected information, then the System Owner must ensure that appropriate access control policies and procedures are developed, documented, implemented and maintained. The System's access control policies and procedures must support the principle that access to protected information is restricted to authorized users of the information.

The System Owner must ensure that the following specific objectives are met:

  • Users of the System are assigned unique identifiers to enable tracking of their access to protected information.
  • Policies and procedures are documented for the proper management of the passwords, access codes, and/or other tokens that are assigned to users:
    • Procedures that are followed for positively identifying prospective users (identity proofing)
    • Procedures followed for securely conveying access credentials (e.g. passwords) to new users
    • Procedures for handling lost, expired, forgotten and/or compromised credentials (e.g. resetting expired or forgotten passwords)
    • If passwords are used as access credentials, then the password policies (e.g. minimum and maximum length, rules for composition and complexity, history and expiration), and the user procedure for changing passwords, must be documented
  • User sessions that may provide access to protected information are automatically terminated after a predetermined period of inactivity (as determined through the System risk assessment)
  • Procedures exist to allow authorized users to obtain access to protected information in an emergency.
  • Encryption is used whenever reasonable and appropriate to restrict access to protected information (as determined through the System risk assessment)

If an MUSC System is used to house protected information, then each person or entity seeking access to any of the System's protected information must, with a documented degree of assurance, be individually identified, authenticated, and authorized.

MUSC maintains and operates a centrally-provisioned Identity and Access Management Service that provides user identification and authentication credentials, at an assurance level that is intended to meet the needs of most MUSC systems that house protected information. In addition, certain user attributes that are commonly used to support access control decisions, such as organizational role and status, are maintained in the Identity and Access Management Service.

No MUSC System may require its users to be issued a new identifier (e.g. username), or a new access credential (e.g. password, PIN, access code, token, or certificate), unless there is a documented reason that the System cannot use MUSC's Identity and Access Management Service.

3.2. System Administrators

The System Administrator of each MUSC information system that houses protected information must not grant a workforce member access to protected information unless that access has been authorized by the workforce member's supervisor or manager, and the access has not subsequently been de-authorized by the supervisor or manager due to a change in the workforce member's assigned role or workforce membership status.

3.3. Managers and Supervisors

The supervisors and managers of a workforce member are responsible for determining and authorizing each assigned workforce member's access to any information system that houses protected information. A workforce member may not authorize his own access to an information system that houses protected information.

The supervisors and managers of an Entity's workforce members are also responsible for updating or withdrawing their assigned workforce members' authorizations as needed to reflect changes in assigned role, or termination from the Entity's workforce.

Supervisors and managers are also responsible for ensuring the accuracy of their assigned workforce members' organizational affiliation and role information in the Identity and Access Management Service.

3.4. Sponsors of Non-Workforce Members

If a non-MUSC workforce member (an affiliate user) is individually authorized to access any MUSC information system that houses protected information, then the individual who is sponsoring and authorizing the access is responsible for:

  • ensuring that the affiliate user's organizational affiliation and role information in the Identity and Access Management Service is accurate and current; and
  • updating or withdrawing the affiliation status and/or the access authorization, as needed to reflect changes in the affiliate user's status and/or authorization.

3.5. System Users

Each User of an MUSC System is required to:

  • Properly manage his password, access codes, and/or other tokens, following the procedures documented for the System.
  • Report any apparent discrepancies in the use of his account to the System Administrator for the System.
  • Notify the System Administrator if any excessive or unnecessary privileges appear to have been granted to his account.