This standard includes access controls as they pertain to the following:

  • Creation and administration of IDs and passwords.
  • Authentication controls.
  • Authorized internal access to UofT resources.
  • Remote access to UofT resources.
  • Third party access to UofT resources.

Date of Effectiveness

To Be Determined

Standard Owner

Director, Information Security, Information Technology Services

Version

Version 0.5

Summary showing Section Headings

ID Section Headings Brief Description
IAM-GN General
IAM-IP Implementation
IAM-IA Client/Internet Facing Applications
IAM-IM Identity Management
IAM-ID Personal IDs
IAM-PI Privileged Class IDs
IAM-AI IDs Used by Systems and Application
IAM-SI Support IDs (Individual and Shared)
IAM-RI Emergency/Recovery Support (Fire IDs)
IAM-PM Password Management
IAM-PC Password Creation and Composition
IAM-PD Password Distribution
IAM-PR Password Change and Reset
IAM-PS Password Storage and Compromise
IAM-AH Authorized Handheld Devices
IAM-RA Remote Access
IAM-TA Third Party Access

Identity and Access Management Standard Controls

Control ID | Control | Existing | Status | Public | Confidential | Restricted | Effort

Column key: each control row ends with its Existing flag (TRUE/FALSE, whether the control is already in place), its Status (Approved, Proposed, In Progress or Deferred), whether it is Required, Recommended or Not Applicable for each of the Public, Confidential and Restricted information classifications, and its Effort (TBD throughout this version).
IAM-GN General Existing Status Public Confidential Restricted Effort
IAM-GN-01 Owners must be identified for the following technology resources:

  • IDs.
  • Physical devices within the Infrastructure Inventory.
  • Applications within the Managed Application Portfolio (MAP) and their supporting databases, Platforms, and shared services.
  • Active Directory groups, shared logical directories, or network folders.
TRUE Approved Required Required Required TBD
IAM-GN-02 Access to UofT information and computing resources must be denied by default unless expressly permitted by the information or computing resource owners. TRUE Approved Not Applicable Required Required TBD
IAM-GN-03 Only UofT authorized resources must be permitted access to UofT owned, managed or authorized resources. FALSE Proposed Not Applicable Required Required TBD
IAM-GN-04 Access to UofT information and computing resources must require a login process that includes a unique ID and authentication through a reliable and secure means (e.g., password, token or biometric). TRUE Approved Recommended Required Required TBD
IAM-GN-05 ISEA must be engaged when designing new access control mechanisms or making changes to existing access control mechanisms. TRUE Approved Recommended Required Required TBD
IAM-GN-06 Access control procedures must ensure access and privilege (read, write, delete, execute, etc.) to information and computing resources is restricted based on the principles of least privilege, need to know, and segregation of duties. TRUE Approved Recommended Required Required TBD
IAM-GN-07 An access management life cycle process must be documented and implemented. The life cycle controls how additions, deletions, and modifications to access privileges and IDs are managed, authorized, and tracked. These processes must identify:

  • Roles and responsibilities
  • Authorization required by access type
  • Request and authorization confirmations required
  • Access review frequency
  • For Fire IDs, activity approval required.
TRUE Approved Required Required Required TBD
IAM-GN-08 The ongoing use, management and oversight of IDs must adhere to the requirements in the Logical Access Control table. FALSE Proposed Required Required Required TBD
IAM-GN-09 IDs must only be used for their authorized and intended purpose. TRUE Approved Required Required Required TBD
IAM-IP Implementation Existing Status Public Confidential Restricted Effort
IAM-IP-01 Authentication of users for applications, systems, and other computing resources must use a UofT-approved authentication repository. TRUE Approved Recommended Required Required TBD
IAM-IP-02 Prompts for ID and password must be generic and must not identify the version or build number of the operating system or platform being accessed. A failed-login response must not reveal whether the ID or the password was wrong. TRUE Approved Recommended Required Required TBD
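As an added example (not part of this standard, and not UofT's authentication code), the Python sketch below contrasts a login handler that leaks which field was wrong with one that satisfies IAM-IP-02: it returns the same message, and does the same amount of hashing work, whether the ID is unknown or the password is wrong, so neither the response text nor its timing lets an attacker enumerate valid IDs. The in-memory credential store, the user names and the passwords are constructed for the example; a real implementation would authenticate against the UofT-approved repository required by IAM-IP-01.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# PBKDF2-HMAC-SHA256 work factor (kept moderate so the example runs quickly).
_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 hash; returns (salt, digest). A fresh salt is drawn when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)
    return salt, digest


# Constructed in-memory credential store (hypothetical users and passwords, example only).
_USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery"),
    "bob": hash_password("Tr0ub4dor&3!"),
}

# Dummy record used when the ID does not exist, so an unknown ID costs one PBKDF2
# computation exactly like a wrong password does (no timing difference to enumerate IDs).
_DUMMY_RECORD = hash_password(secrets.token_hex(16))

GENERIC_FAILURE = "Login failed. Check your ID and password."


def authenticate_leaky(user_id: str, password: str) -> Tuple[bool, str]:
    """Violates IAM-IP-02: both the message and the timing reveal whether the ID exists."""
    record = _USERS.get(user_id)
    if record is None:
        return False, "Unknown user ID."            # attacker learns the ID is not registered
    salt, stored = record
    if hash_password(password, salt)[1] != stored:  # also a non-constant-time comparison
        return False, "Incorrect password."         # attacker learns the ID *is* registered
    return True, "Authenticated."


def authenticate(user_id: str, password: str) -> Tuple[bool, str]:
    """Satisfies IAM-IP-02: identical message and identical work for unknown ID and wrong password."""
    salt, stored = _USERS.get(user_id, _DUMMY_RECORD)
    candidate = hash_password(password, salt)[1]
    # compare_digest takes time independent of where the digests differ; the membership
    # test only guards the negligible case of a candidate colliding with the dummy digest.
    ok = hmac.compare_digest(candidate, stored) and user_id in _USERS
    return (True, "Authenticated.") if ok else (False, GENERIC_FAILURE)


if __name__ == "__main__":
    for uid, pw in (("alice", "correct horse battery"), ("alice", "wrong"), ("nobody", "wrong")):
        print(uid, "->", authenticate_leaky(uid, pw)[1], "|", authenticate(uid, pw)[1])
```

The same principle applies to password-reset and account-lookup endpoints: any path that answers differently for a registered and an unregistered ID is an enumeration oracle, even when the login prompt itself is generic.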
IAM-IP-03 Where supported by the native technology and on all UofT proprietary systems, a standard message must be displayed to warn individuals that they are trespassing when they try to access a resource that stores, processes, or handles information except on locked down security appliances. Client-facing applications are exempt as they are intended to display the UofT branding and a welcome message.

  • The following approved message must be implemented on all externally accessible systems:
    "This is a proprietary system. Unauthorized access or use is prohibited, may result in civil liability, and may be a criminal offence. Usage of this system is monitored."
  • The following approved message must be displayed on all internally accessible systems, or once the individual has been successfully authenticated:
    "This system is proprietary to UofT, its affiliates and/or its suppliers. Access and use is governed by UofT policies. Unauthorized access or use may result in disciplinary action and civil liability, and may be a criminal offence. Usage of this system may be monitored."
  • Alternate versions of these messages must be approved by UofT Legal and Compliance.
TRUE Approved Recommended Required Required TBD
IAM-IP-04 Welcoming messages or invitations to access a resource must not be displayed until after a successful authentication. Client-facing applications are exempt as they are intended to display the UofT branding and a welcome message. TRUE Approved Recommended Required Required TBD
IAM-IP-05 Terminals including laptops and desktops must lock after fifteen minutes of inactivity and require re-authentication to regain access. TRUE Approved Recommended Required Required TBD
IAM-IP-06 Access control mechanisms within systems and applications must be implemented to ensure that devices and users are assigned the minimum access rights necessary to perform their required job functions. TRUE Approved Required Required Required TBD
IAM-IP-07 Biometric access control mechanisms must only be implemented after a risk assessment that includes privacy considerations. FALSE Proposed Required Required Required TBD
IAM-IP-08 Business users and business-based administrators must only access platforms (e.g., databases, operating systems) through an application interface and must not be provided with direct access. TRUE Approved Required Required Required TBD
IAM-IP-09 User access to applications must be restricted based on the time-of-day requirements defined by the business (e.g., lab access restrictions based on lab hours). TRUE Approved Recommended Required Required TBD
IAM-IA Client/Internet Facing Applications Existing Status Public Confidential Restricted Effort
IAM-IA-01 External, client Internet facing applications must lock after no more than fifteen minutes of inactivity by the client. Subsequent access after lockout must require re-authentication. FALSE Proposed Required Required Required TBD
IAM-IA-02 Systems must require a minimum password length of ten characters on client Internet facing applications. TRUE Approved Recommended Required Required TBD
IAM-IA-03 Clients must be advised of the parameters and security benefits of strong passwords and must be encouraged to create strong passwords. TRUE Approved Recommended Required Required TBD
IAM-IA-04 All client Internet-facing applications must implement extra authentication in addition to ID and password / PIN, as determined through an approved risk assessment. TRUE Approved Recommended Required Required TBD
IAM-IM Identity Management Existing Status Public Confidential Restricted  Effort
IAM-IM-01 Access request approvals must be obtained from the authorized Resource Owner (e.g., application, information, infrastructure owners) and the user’s manager. TRUE Approved Not Applicable Required Required TBD
IAM-IM-02 New IDs or changes to access permissions for existing IDs must only be actioned by an independent security administrator upon receipt of a formal request. TRUE Approved Not Applicable Required Required TBD
IAM-IM-03 The following information must be captured and updated when approving and reviewing new and renewed IDs:

  • User name.
  • Transit or organization unit.
  • User’s manager.
  • Resource Owners (includes information, platform or application owners, etc. depending on access required).
  • Role Owner.
  • Privileges requested.
FALSE Proposed Required Required Required TBD
IAM-IM-04 Access reviews must be conducted and signed off by all authorized approvers to validate all of the above and must also validate ID status. As part of the review all outstanding changes to access levels and permissions must be implemented promptly.

  • Privileged IDs with access to infrastructure and all IDs with access to applications must be reviewed every six months.
  • IDs on SOX-sensitive systems must be reviewed every six months and signed off by all authorized approvers.
  • All other IDs must be reviewed every twelve months.
TRUE Approved Required Required Required TBD
IAM-IM-05 An audit trail of all approved access requests and access reviews must be retained for twenty-four months. FALSE Proposed Required Required Required TBD
IAM-IM-06 All activities performed with an ID (including root) must be attributable to an individual user, except for Functional IDs. Users are individually accountable for all actions performed with any ID they are approved to use. TRUE Approved Required Required Required TBD
IAM-IM-07 Access rights must be changed or removed to reflect changes in or termination of employee or contractor job function or third party agreements in a timely manner. TRUE Approved Not Applicable Required Required TBD
IAM-IM-08 All terminations of employees and contractors must be reviewed monthly to confirm that Active Directory, VPN and Citrix access has been deleted. If access is still enabled, there must be follow-up to ensure it is deleted or suspended. FALSE Proposed Required Required Required TBD
IAM-ID Personal IDs Existing Status Public Confidential Restricted Effort
IAM-ID-01 Personal IDs must not be provided with the capability to administer support, add, edit, or delete user privileges on applications and infrastructure. TRUE Approved Required Required Required TBD
IAM-PI Privileged Class IDs Existing Status Public Confidential Restricted Effort
IAM-PI-01 The following ID types are considered Privileged Class IDs:

  • Individual Support IDs.
  • Shared Support IDs (only permitted based on technology limitations).
  • Functional IDs.
  • Fire IDs.
TRUE Approved Required Required Required TBD
IAM-PI-02 The assignment and use of Privileged Class IDs on production systems must be limited to a minimal number of persons who are responsible for operational system support or administration. TRUE In Progress Required Required Required TBD
IAM-PI-03 Developer access to SOX-sensitive systems must only be permitted through an approved Fire ID. FALSE Deferred Required Required Required TBD
IAM-AI IDs used by Systems and Applications (non-human) Existing Status Public Confidential Restricted Effort
IAM-AI-01 A Functional ID list must be maintained. The list must contain the owner, requirement/function, the systems interacted with, authority granting the approval for it, date of inception, last password change, and system where the ID is maintained. TRUE Approved Required Required Required TBD
IAM-AI-02 Net new Functional User IDs (those put into operation after the effective date of this standard) must be implemented in a manner that allows their passwords to be changed at least annually. FALSE Proposed Required Required Required TBD
IAM-SI Support IDs (Individual and Shared) Existing Status Public Confidential Restricted Effort
IAM-SI-01 Direct access to and use of shared Support IDs is only permitted where controls are in place to monitor usage or in instances where the technology provides no alternative, (e.g. MQ). TRUE Approved Required Required Required TBD
IAM-RI Emergency/Recovery Support (Fire IDs) Existing Status Public Confidential Restricted Effort
IAM-RI-01 A process must be documented and implemented for creating, testing, and verifying Fire IDs. TRUE Approved Required Required Required TBD
IAM-RI-02 A process must be documented and implemented for requesting the use and management review of activities conducted using Fire IDs. The process must ensure:

  • Creation of an incident ticket before issuance of the Fire ID password.
  • Authentication of the requester to the Fire ID Approver list before issuance of the Fire ID password.
  • Monitoring of Fire ID password expiry within 36 hours or request for an extension.
  • Appropriate activity approvals required.
  • Review and verification of usage report within 5 working days.
FALSE Proposed Required Required Required TBD
IAM-RI-03 A list of approved individuals who can request the activation and use of a Fire ID must be maintained and updated to reflect any change in job function or employment status and must be reviewed every six months. TRUE Approved Required Required Required TBD
IAM-RI-04 Fire IDs must only be used for emergency support activities and have a corresponding incident ticket opened prior to the request. FALSE Proposed Required Required Required TBD
IAM-RI-05 Details for issuing and suspending Fire IDs must be recorded in the associated ticket. FALSE Proposed Required Required Required TBD
IAM-RI-06 Fire ID passwords must be disabled by security administrators immediately after notification of the completion of required activities or automatically expire within 36 hours of issuance if no notification is received. FALSE Proposed Required Required Required TBD
IAM-PM Password Management Existing Status Public Confidential Restricted Effort
IAM-PM-01 Passwords for IDs with control of an enterprise credential repository (e.g., AD, RACF, NonStop) must not be fully known to a single person (i.e., split knowledge). These passwords must expire and be renewed annually. FALSE Proposed Required Required Required TBD
IAM-PM-02 All passwords created as part of the development process must be changed by production support staff immediately upon promotion to production. TRUE Approved Required Required Required TBD
IAM-PM-03 All passwords and passphrases (including handheld devices and soft telephones) must be masked during user entry. TRUE Approved Recommended Required Required TBD
IAM-PM-04 Passwords (excluding Functional IDs) must not be included in any automated login process (e.g., stored in a macro or function key), including Remember Password functions. TRUE Approved Recommended Required Required TBD
IAM-PC Password Creation and Composition Existing Status Public Confidential Restricted Effort
IAM-PC-01 Temporary passwords must be created by an authorized Security Administrator or through an automated system. TRUE Approved Required Required Required TBD
IAM-PC-02 Systems must require Personal ID users to create their own passwords the first time they login with a temporary password. TRUE Approved Required Required Required TBD
IAM-PC-03 The following password composition rules must be complied with to the extent permitted by the native capability of the specific technology and detailed within published security hardening guides. Legacy implementations that do not meet the native capability requirements must do so as of the date of next refresh:

  • For Personal IDs: at least eight characters, including at least three of the following four classes: an upper case letter, a lower case letter, a number, a special character (e.g., !&$).
  • For voice systems: a biometric password or a password of at least six characters.
  • For Privileged Class IDs: two-factor authentication, or a password of at least twelve characters that includes all of the following: an upper case letter, a lower case letter, two numbers, a special character (e.g., !&$).
  • Maintain password history and prevent reuse of the same password within seven iterations of the password change cycle.
  • Enable users to initiate a password change at any time.
FALSE Proposed Required Required Required TBD
IAM-PC-04 Users must not create passwords that consist of common keyboard combinations (e.g., QWERTY), common dictionary terms, acronyms in any language, easily obtained personal information (e.g., UofT, family or pet name, phone number, date of birth, etc.), project acronyms, names of sports teams, or any proper name. TRUE Approved Required Required Required TBD
IAM-PD Password Distribution Existing Status Public Confidential Restricted Effort
IAM-PD-01 Passwords must only be provided after authenticating the requestor. Passwords must be communicated through a UofT approved process or must be left in the authenticated requestor’s personal UofT voicemail. TRUE Approved Required Required Required TBD
IAM-PD-02 IDs and passwords must not be distributed together except through UofT-approved distribution mechanisms. TRUE Approved Required Required Required TBD
IAM-PR Password Change and Reset Existing Status Public Confidential Restricted Effort
IAM-PR-01 When a password expires, systems must deny access to all resources associated with the ID until the user selects or is provided with a new password. TRUE Approved Required Required Required TBD
IAM-PR-02 When a member of the group sharing a Shared Support ID no longer requires that ID to perform their ongoing job function (e.g., termination, departmental move, job change), they must be prevented from using it. In exceptions where direct access to and use of Shared Support IDs is permitted (e.g., MQ), the password must be changed immediately. TRUE Approved Required Required Required TBD
IAM-PS Password Storage and Compromise Existing Status Public Confidential Restricted Effort
IAM-PS-01 Where a duplicate or back-up password is necessary for continued support or other contingencies, a copy of the duplicate or back-up password must be held under joint custody and securely stored. TRUE Approved Required Required Required TBD
IAM-PS-02 Passwords that are compromised or suspected of being compromised must immediately be changed or the ID must be disabled or suspended. TRUE Approved Required Required Required TBD
IAM-PS-03 If an ID is compromised or suspected of being compromised, the appropriate UofT Information Security group must be notified immediately. TRUE Approved Required Required Required TBD
IAM-AH Authorized Handheld Devices Existing Status Public Confidential Restricted Effort
IAM-AH-01 If a handheld device is or is suspected of being lost, stolen, or accessed through unauthorized means, the device must be remotely erased and disabled. TRUE Approved Recommended Required Not Applicable TBD
IAM-AH-02 Users must not compose passwords that consist of common keyboard combinations (e.g., QWERTY), common dictionary terms, acronyms in any language, easily obtained personal information (e.g., UofT, family or pet name, phone number, date of birth, etc.), project acronyms, names of sports teams, or any proper name. TRUE Approved Required Required Not Applicable TBD
IAM-AH-03 All handheld devices must be protected with a password of at least six characters. The password must not contain a run of three or more repeated characters (e.g., AAA777) and must not contain ascending or descending sequences longer than two characters (a password such as Ab34Cd12, whose sequences are only two characters long, is permitted). TRUE Approved Required Required Not Applicable TBD
IAM-AH-04 Devices must require device owners to change their passwords within every sixty day period. FALSE Proposed Recommended Required Not Applicable TBD
IAM-AH-05 Password history must be maintained to prevent the use of the same password within six iterations of a password change cycle. FALSE Proposed Recommended Required Not Applicable TBD
IAM-AH-06 Handheld devices must lock after fifteen minutes of inactivity. FALSE Proposed Required Required Not Applicable TBD
IAM-AH-07 After ten unsuccessful login attempts, all data must be deleted from the device. FALSE Proposed Required Required Not Applicable TBD
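The composition rules in IAM-PC-03, the denied-content rule in IAM-PC-04, and the handheld rules in IAM-AH-03 and IAM-AH-05 are concrete enough to be checked mechanically. The Python below is an added example, not part of this standard and not any UofT system's code: it implements the three rule sets as validators that return the list of violations, including the repeated-character and sequence checks that most built-in policy engines lack. The denylist is a constructed stand-in for a real keyboard-walk and dictionary list, the `personal_info` argument is a hypothetical hook for supplying a user's easily obtained details, and the history fingerprint is a plain SHA-256 used only to make the example self-contained (a real credential store would compare against its own salted hashes).

```python
import hashlib
import string
from typing import List, Sequence

# Constructed, deliberately tiny denylist standing in for the keyboard walks, dictionary
# words and UofT/team names that IAM-PC-04 forbids; a deployment would load a real list.
_DENYLIST = ("qwerty", "asdfgh", "password", "welcome", "uoft", "leafs", "raptors")
_SPECIAL = set(string.punctuation)


def _class_counts(pw: str) -> dict:
    """Count characters in each composition class named by IAM-PC-03."""
    return {
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "special": sum(c in _SPECIAL for c in pw),
    }


def _denied_term(pw: str, personal_info: Sequence[str]) -> str:
    """First denied term (denylist or caller-supplied personal info) found in pw, else ''."""
    low = pw.lower()
    for term in sorted(set(_DENYLIST) | {t.lower() for t in personal_info}):
        if len(term) >= 3 and term in low:
            return term
    return ""


def password_fingerprint(pw: str) -> str:
    """Value kept in the history list (example only; a real store keeps its own salted hashes)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def _reused(pw: str, history: Sequence[str], window: int) -> bool:
    return password_fingerprint(pw) in list(history)[-window:]


def has_repeat_run(pw: str, n: int = 3) -> bool:
    """True if any character repeats n or more times in a row (e.g., AAA777)."""
    run = 1
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if a == b else 1
        if run >= n:
            return True
    return False


def has_sequence(pw: str, max_len: int = 2) -> bool:
    """True if pw contains an ascending or descending run of code points longer than max_len."""
    s = pw.lower()  # so aBc counts as a sequence
    for step in (1, -1):
        run = 1
        for a, b in zip(s, s[1:]):
            run = run + 1 if ord(b) - ord(a) == step else 1
            if run > max_len:
                return True
    return False


def check_personal(pw: str, history: Sequence[str] = (), personal_info: Sequence[str] = ()) -> List[str]:
    """IAM-PC-03/PC-04 rules for Personal IDs; returns the violations (empty means compliant)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if sum(1 for n in _class_counts(pw).values() if n >= 1) < 3:
        problems.append("fewer than three of: upper, lower, digit, special")
    term = _denied_term(pw, personal_info)
    if term:
        problems.append(f"contains denied term '{term}'")
    if _reused(pw, history, 7):
        problems.append("reused within last 7 passwords")
    return problems


def check_privileged(pw: str, history: Sequence[str] = (), personal_info: Sequence[str] = ()) -> List[str]:
    """IAM-PC-03 rules for Privileged Class IDs when a password (rather than 2FA) is used."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    counts = _class_counts(pw)
    if counts["upper"] < 1:
        problems.append("no upper case letter")
    if counts["lower"] < 1:
        problems.append("no lower case letter")
    if counts["digit"] < 2:
        problems.append("fewer than two digits")
    if counts["special"] < 1:
        problems.append("no special character")
    term = _denied_term(pw, personal_info)
    if term:
        problems.append(f"contains denied term '{term}'")
    if _reused(pw, history, 7):
        problems.append("reused within last 7 passwords")
    return problems


def check_handheld(pw: str, history: Sequence[str] = ()) -> List[str]:
    """IAM-AH-03/AH-05 rules for handheld device passwords."""
    problems = []
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    if has_repeat_run(pw, 3):
        problems.append("three or more repeated characters")
    if has_sequence(pw, 2):
        problems.append("ascending or descending sequence longer than two characters")
    if _reused(pw, history, 6):
        problems.append("reused within last 6 passwords")
    return problems
```

Note that the sequence check works on code points, so it catches alphabetic runs (abc, ZYX) as well as numeric ones, and that the substring-based denylist check deliberately ignores case and position, since "Qwerty!123" is no stronger than "qwerty".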
IAM-RA Remote Access (IAM) Existing Status Public Confidential Restricted Effort
IAM-RA-01 PINs for token devices must be a minimum of four digits. TRUE Approved Required Required Required TBD
IAM-RA-02 Users must create a new password each time a digital certificate is renewed. FALSE Proposed Required Required Required TBD
IAM-RA-03 Digital certificates must be protected with a password that meets the complexity requirements for password creation defined in this standard. FALSE Proposed Required Required Required TBD
IAM-RA-04 A process must be developed and implemented to distribute tokens in an approved and controlled manner. TRUE Approved Required Required Required TBD
IAM-RA-05 Users must be notified that a token has been issued to them and this must be separate from the distribution of the token. Users must notify ISEA if the token is not received within five working days of the notice of issuance. FALSE Proposed Required Required Required TBD
IAM-RA-06 Tokens must only be activated after the user confirms receipt of the token. FALSE Proposed Required Required Required TBD
IAM-TA Third Party Access Existing Status Public Confidential Restricted Effort
IAM-TA-01 Automated alerts to third party service providers via a diagnostic port must be configured to allow only outbound calls and must not communicate any UofT information beyond what is required for diagnosis and break-fix activities. TRUE Approved Required Required Required TBD
IAM-TA-02 Third party service provider (vendor) access to production for support purposes must be permitted through Support IDs or Fire IDs only and must only be enabled for the period needed. TRUE Approved Required Required Required TBD