BP 8102 User Authentication

Statement of Purpose

PCC’s Information Security Policies support the following goals:
1. Promote a “security is everyone’s responsibility” philosophy to assist PCC in meeting its business and legal commitments.
2. Ensure that PCC complies with all applicable laws and regulations.
3. Ensure the integrity, reliability, availability, and superior performance of IT resources.
4. Ensure that users are protected from data breach and cybercrime.
5. Ensure that use of IT resources is consistent with the principles and values that govern the use of other college facilities and services.
6. Prevent unauthorized disclosure of controlled sensitive data.
7. Prevent disruption of the learning experience.
8. Ensure the college is protected from financial, legal, regulatory, and reputational harm.
9. Ensure that IT systems are used for their intended purposes.
10. Establish processes for addressing policy violations and sanctions for violators.

As one of the largest metropolitan community college districts in the world, PCC handles a large amount of sensitive information on a daily basis, including student and patient data regulated under federal law.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009, require strong safeguards for the protection of Patient Health Information (PHI) by covered entities such as PCC.

The Financial Modernization Act of 1999, also known as The Gramm-Leach-Bliley Act (GLBA) mandates similar safeguards for the financial information in the possession of financial institutions, including higher ed institutions obtaining student information from federal agencies, such as for Financial Aid processing.

The Department of Education, in two “Dear Colleague” letters, has emphasized that all Higher Ed institutions accepting financial aid funding are required under their Program Participation Agreements and under their Student Aid Internet Gateway Agreements to safeguard all student Personally Identifiable Information in compliance with GLBA, FERPA and all other applicable state and federal privacy regulations.

In addition, in order to be allowed to accept payment from our customers in the form of credit card transactions, PCC must pass regular audits to satisfy the Payment Card Industry Data Security Standards (PCI-DSS).

The first step in securing data is to ensure that access to critical data is granted to users based on their individual needs and is subject to controls based on industry best practices. This policy seeks to support an environment in which users of PCC IT Resources are granted customized privileges, such that they can only access the data that they need to perform their required duties (this is based on the security principle of “least access” or “least privilege”).

Scope Statement

All Portland Community College (PCC) employees, students, and affiliates or other third parties that create, use, maintain, or handle PCC IT resources are subject to this policy. This policy applies all controlled sensitive data stored or transmitted using PCC IT Resources and all users of such data.

Policy Summary

PCC shall vet new users before assigning any access rights to IT Resources. User Access Rights shall be assigned based on role using the principle of least privilege to ensure correct authentication to the appropriate IT Resources. PCC IT shall implement and maintain user access mechanisms and privileges that employ industry best practices that comply with regulatory standards.

This policy shall be subject to and superseded by applicable regulations and laws.

Policy

NEW USER ONBOARDING
1. All users shall read and acknowledge the applicable policies regarding acceptable use of IT Resources, prior to being granted access to PCC information systems and networks.
2. In addition, IT employees shall read and acknowledge the applicable policies regarding information security, prior to being granted access to PCC information systems and networks.
3. Before being assigned access credentials, new users shall:
a) Prove identity through a method satisfying NIST 800-63A Identity Assurance Level 2 (IAL2) requirements
b) Sign agreement to comply with all College policies and procedures for accessing and handling sensitive information
4. Before being assigned access credentials, new employees or contracted service providers shall pass a Level 2 criminal background check.

LEAST PRIVILEGE
1. New employees or contracted service providers shall only be granted access to controlled sensitive data upon formal request showing need-to-know based on their specific job duties
2. New students shall only be assigned access to the information required to provide services to them or information they have a legal right to obtain
3. New employees and their supervisor shall be required to sign formal requests for access to information that indicates which systems and data they will need to access, how they will use that data, and what kind and level of access is needed.
4. New contracted service providers and the PCC manager authorizing the contracted service shall be required to sign formal requests for access to information that indicates which systems and data they will need to access, how they will use that data, and what kind and level of access is needed.

AUTHENTICATION & PASSWORDS
1. Every user shall use a unique user account (user ID) for access to PCC IT resources.
2. Use of non-authenticated user IDs (e.g. no password) or user IDs not associated with a unique identified user are prohibited.
3. Shared or group user IDs are not permitted.
4. Where appropriate, IT Resources shall have an automated or procedural access control process to authenticate all system users.
5. PCC authentication systems shall use either a biometric authenticator (“something you are”) or a password authenticator (“something you know”) as their sole or primary authentication factor.
6. Passwords shall be between nine and sixty-four characters long, allowing any printable ASCII character or Unicode character.
7. Users failing authentication six consecutive times shall be locked out from further attempts for 30 minutes or until authorized personnel re-verifies the user’s identity and disables the lockout.
8. No password shall be permitted that:
a) contains sequential or repetitive characters;
b) is a variant of a context specific word or set of words;
c) is a variant of the user’s personally identifying information;
d) is in a list of known compromised passwords or close variant.
9. Users may not recover or reset their password (or other authentication factor) without either:
a) first re-verifying their identity by the same method of identity proofing used for new users;
b) authenticating via a multi-factor authentication mechanism satisfying the requirements of this policy.
10. Any knowledge-based password recovery mechanisms shall be disabled, and all stored user-specific data used for such mechanisms destroyed.

MULTI-FACTOR AUTHENTICATION (MFA)
1. PCC shall implement Multi-Factor Authentication (MFA) for user accounts with access to any system administration functions, user credentials, or other controlled sensitive data.
2. MFA secondary factors shall be of type “something you have,” and either:
a) reside uniquely in one physical client device, and never be copied, transferred or transmitted from that device;
b) change with each use, reside in full only on one physical client device and one authentication server, and be transferred or transmitted between them only in a fragmented manner;
c) be independent of one another such that access to one factor does not grant access to any other factor, and the compromise of any one factor does not affect the integrity or confidentiality of any other factor.

Exemptions

1. Shared or group user IDs may be permitted to address a specific departmental need and with Chief Information Security Officer approval.
2. Until such time that MFA is fully implemented, the second factor may be a shared secret, securely transmitted.

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO) / Chief Information Security Officer (CISO)

Policy Violation

1. Violation of this policy may result in disciplinary action in accordance with PCC Human Resources and/or Student Conduct guidelines.
2. PCC reserves the right to report security violations or compromises to the appropriate authorities. This may include reporting violations of Federal, State, and local laws and regulations governing computer and network use, or required accreditation reporting.
3. Anyone who violates this policy may be held liable for damages to PCC assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation.
4. PCC reserves the right to deactivate any User’s access rights (whether or not the User is suspected of any violation of this policy) when necessary to preserve the integrity of IT Resources.

Complaint Procedures

Report non-security-related violations (such as receipt of inappropriate content, other Human Resource policy violations, general college policy violations, or regulatory compliance violations) to a supervisor, HR, or EthicPoint.

Report information security and general technical policy violations to the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu, or contact the CIO or CISO.

Governing Standards, Policies & Guidelines

  • US Dept of Education: Guidance Letter – Protecting Student Information
  • US Dept of Education: Family Educational Rights and Privacy Act (FERPA)
  • US Dept of Homeland Security: Federal Information Security Management Act (FISMA)
  • Gramm-Leach-Bliley Act (GLBA)
  • FTC Red Flags Rule
  • Health Insurance Portability and Accountability Act (HIPAA)
  • International Organization for Standardization (ISO)
  • National Institute Standards and Technology (NIST)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Sarbanes-Oxley (SOX) for Colleges and Universities

Definitions

Access Control
The selective restriction of access to a place or computing resource for security purposes.

The act of accessing may mean consuming, entering, or using. For example, the lock on your front door is an access control mechanism to limit who can enter your house. Similarly, entering a user ID and password restricts access to your computer account.

Affiliate
Any person or entity that has been sponsored by a PCC manager to receive controlled temporary access to PCC services.

This is generally as a result of a contractual relationship with PCC. For example, an air conditioning vendor may require affiliate access to test the HVAC system. A consultant project manager may require affiliate access to access project plans on a PCC system.

Authentication
Any process by which a system verifies the identity of a user who wishes to access it.

Since access control is normally based on the identity of the user who requests access to a resource, authentication is essential to effective security. For example, when someone logs into myPCC, the user-ID and password entered authenticates that the person logging in is the owner of the account.

Chief Information Officer (CIO)
Senior manager of the Information Technology (IT) Department and a member of Cabinet.

At PCC, the CIO is responsible for all technology, with the exception of:
– Online Learning (Academic Affairs)
– Some specialized technology that supports CTE or other engineering programs (e.g. software that supports machine labs, specialized dental technology, etc.)
– Some technology that supports auxiliary services (e.g. Point of Sale systems in the cafeterias and bookstores)

Chief Information Security Officer (CISO)
Senior manager responsible for information security compliance at PCC.

Controlled Sensitive Data (CSD)
A general categorization that is used in PCC’s Information Technology (IT) policies (primarily the Information Security Policy and the Acceptable Use Policy) to represent all confidential and private information governed by those policies.

CSD includes: PII, PHI, HIPAA, FERPA, regulated, private, personal, or sensitive information for which PCC is liable if publicly disclosed.

Family Education Rights and Privacy Act (FERPA)
A Federal law that protects the privacy of student education records.

FERPA applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

Health Insurance Portability and Accountability Act (HIPAA)
A federal government regulation to which PCC is required to adhere and that imposes strict information security requirements regarding the protection of medical records.

Enacted by the United States Congress and signed by President Bill Clinton in 1996. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

IT Resource
(At PCC) All Information Technology (IT) resources that are the property of PCC and include, but are not limited to, all network-related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP.

IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.

Payment Card Industry Data Security Standard (PCI DSS)
(Commonly just PCI) A data security standard that promotes the safety of credit card holder data across the globe.

System
(In Information Technology [IT]) A computer system consists of hardware components that work with software components to achieve a defined outcome.

The main software component that runs on a system is an operating system that manages and provides services to other programs that can be run in the computer. Computer systems may also include peripheral devices such as printers, A/V equipment, operating machinery, etc.

User
Any person who makes any use of any PCC IT resource from any location (whether authorized or not).

Responsible Executive

Chief Information Officer

Responsible Officer

Chief Information Security Officer (CISO)

Responsible Office

IT Information Security

Last Revision Date

09-27-2018