User Account and Access Management Policy

Last reviewed: October 6, 2022
Last modified: October 6, 2022

  1. Introduction

    Computer accounts are the means used to grant access to the University of Denver (“University”) Information Resources. These accounts provide accountability, a key to any computer security program, for the use of Information Resources. Creating, controlling, and monitoring all computer accounts and their access is essential to the University’s security program.

  2. Policy Overview
    1. Purpose
      This policy establishes the rules for creating, monitoring, controlling, and removing accounts.
    2. Scope
      This policy applies to the University’s students, faculty, staff, consultants, contractors, agents, and authorized persons accessing the University’s Information Resources.
    3. Policy
      The University shall establish a process:
      1. For requesting, approving, issuing, and closing user accounts.
      2. For assigning access rights based on the principle of least privilege.
      3. For periodically reviewing user access.
         
  3. Procedure Overview
    1. Account Management Requirements
      1. User account requests must be formally documented and appropriately approved.
      2. All users must use a unique ID to access University systems and applications. Passwords shall be set in accordance with the University’s Password Management Policy.
      3. The user’s identity must be verified before a password reset is performed.
      4. User accounts and access rights must be reviewed annually to detect unused or dormant accounts and accounts with excessive privileges.
      5. Accounts of individuals on extended leave (more than 90 days) shall be disabled.
      6. Users must complete security awareness training within 30 days of account activation/matriculation.
      7. User accounts must follow the University’s documented account termination procedures.
      8. User accounts must be monitored for inappropriate use and activity.
         
    2. Access Management Requirements
      1. The University will provide access privileges to the University’s technology (including networks, systems, applications, computers, and mobile devices) based on the following principles:
        1. Business needs – users or resources will be granted access to the systems necessary to fulfill their roles and responsibilities.
        2. Least privilege – users or resources will be provided with the minimum privileges necessary to fulfill their roles and responsibilities.
      2. All access requests for accounts and privileges, including privileged and limited user accounts, must be documented using the Banner access request process or the ticketing system.
      3. Alternative authentication mechanisms that do not rely on a unique ID and password must be formally approved.
      4. Access to University systems and applications must use multifactor authentication (MFA) where technically feasible and practical.
      5. Remote access must be authorized. All remote access to University systems and services requires MFA, and connections must be monitored with additional alerting enabled.
      6. System sessions must automatically lock after 15 minutes of inactivity where feasible and practical. Application inactivity timers shall be set to 8 hours.
      7. University systems shall enforce a limit of 5 or fewer consecutive invalid login attempts by a user and lock the offending account for 15 minutes.
      8. Access rights shall be disabled or removed when the user is terminated or ceases to have a legitimate reason to access University systems.
      9. User account access must be reviewed annually to determine if access rights are still needed. Changes to account access rights must be approved and documented.
      10. The University IT department is responsible for managing access to applications and services. Exceptions must be documented, reviewed, and approved by the CISO, CIO, or their designee.
      11. All account access must be continuously monitored and reviewed.
         
    3. Contractor and Vendor Accounts
      The University contracts with vendors and contractors to support business processes and functions, manage systems and applications, and perform tasks on behalf of the University.
       
      1. A confidentiality agreement shall be signed before access is provided.
      2. Shall maintain a list of contractors’ or vendors’ accounts having access to University systems.
      3. Shall automatically expire after 180 days; extensions must be requested and documented.
      4. Shall use MFA where feasible.
      5. Shall be monitored and reviewed quarterly.
      6. Shall follow the University’s account termination procedures when no longer needed.
      7. Must have a password of at least 15 characters.
         
    4. Limited Access Accounts (e.g., alumni accounts)
      Individuals with a special relationship to the University, such as alumni, retired faculty and staff, or official visitors, who are neither employed by nor enrolled as students at the University, may be granted limited access. Limited access accounts:
       
      1. Shall accept the terms of use
      2. Shall follow the approved special community access request process
      3. Shall be automatically disabled after 90 days
      4. Shall be automatically deleted after 365 days
      5. Shall be locked after five (5) failed login attempts and must be manually unlocked
      6. Shall require MFA where feasible
      7. Must have a password of at least 15 characters
         
    5. Privileged Accounts
      Privileged accounts typically have additional access that allows users to configure systems and applications or add or remove user access rights. There are several types of privileged accounts: administrator, service, default, shared, and test accounts.
       
      1. Privileged user accounts must be requested by managers or supervisors and appropriately approved.
      2. All default user accounts will be disabled or changed where possible. These accounts include “guest,” “temp,” “admin,” “administrator,” and any other known or commonly used default accounts, as well as related default passwords used by vendors on “commercial off-the-shelf” systems and applications.
      3. The creation, modification, or deletion of a privileged account shall trigger an alert. An alert shall be generated when a privileged account fails to log in 5 times.
      4. IT management shall review quarterly reports of all privileged accounts.


        Administrator Accounts

      • System administrators must use a separate administrator account to perform system-related duties. Administrator accounts:
        • Shall read and sign the Administrator Code of Conduct and obtain IT management approval
        • Shall follow the naming standard for administrator accounts
        • Shall be approved by IT management
        • Shall not have email
        • Shall require MFA where possible
        • Must have a password of at least 20 characters
        • Shall be locked after five (5) failed attempts and must be manually unlocked
        • Shall follow the account termination procedures when no longer needed.
        • Shall be reviewed at least annually
        • Shall be monitored and alerted

        Service Accounts

      • Service accounts are typically non-human accounts used by systems and applications to interact and communicate with each other.
      • Service accounts must only be used by application components requiring authentication; access to the passwords must be restricted to authorized IT administrators or application developers only. Service accounts:
        • Shall follow the naming standard for service accounts
        • Shall be unique to each application or service
        • Shall have a complex system-generated password with a minimum of 30 characters that does not expire
        • Shall be tracked and recorded in an approved password management tool
        • Shall be reviewed at least annually
        • Shall be monitored and alerted
           

        Default Accounts

      • Default accounts are built-in or system accounts such as ‘Administrator’ in Windows or ‘Root’ on Linux. Default accounts:
        • Shall use a complex password of at least 30 characters
        • Shall not have email
        • Shall be reviewed at least monthly
        • Shall be tracked and recorded in an approved password management tool
        • Shall be monitored and alerted
         

        Shared Accounts

      • Shared or “generic” accounts are human user accounts created when it is not practical or feasible to create a unique user account. These accounts should be rare and require additional monitoring.
      • Shared accounts must be approved by IT management.
      • Shared accounts must have a designated owner. The owner is responsible for providing and maintaining the required documentation justifying the need for a shared account and a list of individuals with access to the account.
      • When a shared account is required, it:
        • Shall follow the naming standard for shared accounts.
        • Shall have a complex system-generated password of at least 30 characters.
        • Shall require a password change every 30 days
        • Shall be locked after five (5) failed attempts and manually unlocked.
        • Shall be reviewed monthly.
        • Shall not have email
        • Shall be continuously monitored

      Test Accounts

      • Test accounts can only be created if they are justified by the relevant business area or project team and approved by the application owner through a formal request to the IT management.
      • Test accounts must have an expiration date (maximum 180 days). Maintaining test accounts beyond this date must be re-evaluated every 90 days and approved appropriately.
      • Test accounts will be disabled/deleted when they are no longer needed.
      • All user accounts and access shall be appropriately authorized and documented before accounts are created and access is provided.
      • When a test account is required, it:
        • Shall follow the naming standard for test accounts.
        • Shall have a complex system-generated password of at least 30 characters.
        • Shall require a password change every 30 days
        • Shall be locked after five (5) failed attempts and manually unlocked
        • Shall not have email enabled unless explicitly required
        • Shall be continuously monitored
           
    6. Exceptions
      Exceptions to this policy must be reviewed and approved by IT management.
       
  4. Definitions
  • User – students, employees, consultants, contractors, volunteers, agents, and authorized users accessing the University’s IT systems and applications.
  • Access rights – the system permissions associated with an account, including the permission to access or change data, process transactions, create or change settings, etc.
  • Administrator Account – a user account with advanced permissions on an IT system that are necessary for the administration of that system. For example, an administrator account can create new users, change account permissions, modify security settings such as passwords, modify system logs, etc.
  • Service Account – user accounts not associated with a person but with an IT system, an application, a database (or a specific part of an application), or a network service.
