Objective:

This policy is created to establish a method of managing risks from user access and authentication into all University of Tennessee Institute of Agriculture’s (the Institute) information technology (IT) assets and for providing the minimum requirements for the control of that risk.

Scope:

This policy applies to all IT assets owned, operated, or provided by the Institute, as well as all students, faculty, staff, and users who access, use, or handle the Institute’s assets. The policy also applies to all contractors, visitors, volunteers, visiting researchers, county-paid employees, and Tennessee State University employees accessing Institute-owned IT assets.

Policy:

All Institute-owned IT assets must be protected from unauthorized access potentially leading to modification, disclosure, or destruction of the asset and the data contained on the asset. The Institute has multiple security policies and procedures that explain the requirements for using unique identification and authentication methods (see UTIA IT0110 – Acceptable Use of Information Technology Resources Policy (AUP), UTIA IT01xx – Media Protection Policy, UTIA UT01xx – Information Technology Access Control Policy). In addition, this policy defines policies and procedures for accessing Institute-owned IT assets. This policy will be reviewed at least annually and will be updated as necessary.

Identification and Authentication (Organizational Users)

Access to Institute-owned IT assets is authorized based on the principle of least privilege. This means that an individual is given the minimum access level to a given asset or system in order to perform his/her job duties.

Each user must use their own unique account to access any Institute-owned IT asset. Systems may be audited for appropriate login data. Group accounts (e.g., departmental NetIDs) must have a valid business reason for use and must be approved. Should an Institute-owned IT asset become compromised, the user who is logged in at the time of the compromise will be contacted for information regarding any investigation. Unauthorized or improper access to any Institute-owned IT asset is subject to disciplinary action.

Device Identification and Authentication

Institute-owned IT assets in all locations must be registered in the UTK NetReg database. This registration identifies a specific device and uses the MAC address to assign an IP address for device identification and authentication. UTK’s Network Services is responsible for determining the required strength of authentication mechanisms by the classification of information systems.

Identifier Management

UTK’s Office of Information Technology (OIT) assigns a unique NetID, or user ID, to all Institute employees as appropriately authorized upon hiring. OIT is responsible for managing the NetID system. NetIDs are unique to each person and the reuse of NetIDs is not allowed.

The Institute uses the NetID that has been assigned as the user’s unique identifier throughout employment or association with the Institute. There are instances when an associate of the Institute (i.e., volunteer, friend, third-party vendor, etc.) requires use of an Institute-owned IT asset. Such NetIDs can be requested through the OIT HelpDesk and may need to be sponsored by the appropriate unit, department, county, or center.

The NetID absolutely must be used for accessing Institute-owned IT assets classified as moderate, high, or business critical. The NetID, or federated account where appropriate, must be used for accessing certain systems like SUPER, IRIS, Volmail, Office 365, etc., and the VPN, or access will not be granted. Supervisors are responsible for determining the level of access necessary and must convey this information to the party(s) responsible for assigning the access. After a period of 180 consecutive days in which a user has not accessed a device or system, access to the NetID will be disabled. Owners of any Information System not able to use the NetID or LDAP authentication must provide the CISO with a plan for meeting this 180-day limit. Should a person’s job duties change or the person transfers to another department or campus, the supervisor shall immediately notify the appropriate party(s) or CISO to adjust the level of access given. Access will be disabled immediately upon termination of employment.

Guest or anonymous accounts are prohibited. If a shared account is required in certain situations, a formal exception request must be submitted and approved (UTIA IT0302 – Information Technology Formal Exception Policy).

Authenticator Management

Once the NetID is assigned, the employee is required to log in and create their password and security questions. The password must meet certain complexity requirements:

Minimum of eight characters if the user prefers to change the NetID password regularly, or a minimum of 12 characters if the user prefers to not change the NetID password regularly
At least three of the following:
- Uppercase letters
- Lowercase letters
- Numbers

– Special characters (accepted: `~!@#$^&*()_-={}|[]:;'<>?,)

May not contain a significant portion of the username or displayname
May not reuse the last 10 passwords

NetID passwords should be changed periodically, but is no longer required if using a minimum of 12 characters. If using an eight-character password, the timeframe for changing a password depends on the classification of data being accessed. In addition to the NetID password, all users must use two-factor authentication when accessing certain data sources.

Passwords must never be shared with anyone (see UTIA IT0110 – Acceptable Use of Information Technology Resources Security Policy).

Authenticator Feedback

Business critical, moderate, and high information systems must obscure feedback of authentication information during the authentication process in order to protect the information from potential unauthorized use. Obscuring the feedback of authentication information means masking the information as it is entered to prevent others from seeing in on the screen. This can be done, for example, by using asterisks as a user types in a password.

University and Institute systems are doing this where the NetID is being used.