This standard includes access controls as they pertain to the following:
- Creation and administration of IDs and passwords.
- Authentication controls.
- Authorized internal access to UofT resources.
- Remote access to UofT resources.
- Third party access to UofT resources.
Date of Effectiveness: To Be Determined
Standard Owner: Director, Information Security, Information Technology Services
Version: Version 0.5
Summary showing Section Headings
ID | Section Headings | Brief Description |
---|---|---|
IAM-GN | General | |
IAM-IP | Implementation | |
IAM-IA | Client/Internet Facing Applications | |
IAM-IM | Identity Management | |
IAM-ID | Personal IDs | |
IAM-PI | Privileged Class IDs | |
IAM-AI | IDs Used by Systems and Applications | |
IAM-SI | Support IDs (Individual and Shared) | |
IAM-RI | Emergency/Recovery Support (Fire IDs) | |
IAM-PM | Password Management | |
IAM-PC | Password Creation and Composition | |
IAM-PD | Password Distribution | |
IAM-PR | Password Change and Reset | |
IAM-PS | Password Storage and Compromise | |
IAM-AH | Authorized Handheld Devices | |
IAM-RA | Remote Access | |
IAM-TA | Third Party Access | |
Identity and Access Management Standard Controls
Control ID | Control | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-GN | General | | | | | | |
IAM-GN-01 | Owners must be identified for the following technology resources: | TRUE | Approved | Required | Required | Required | TBD |
IAM-GN-02 | Access to UofT information and computing resources must be denied by default unless expressly permitted by the information or computing resource owners. | TRUE | Approved | Not Applicable | Required | Required | TBD |
IAM-GN-03 | Only UofT authorized resources must be permitted access to UofT owned, managed or authorized resources. | FALSE | Proposed | Not Applicable | Required | Required | TBD |
IAM-GN-04 | Access to UofT information and computing resources must require a login process that includes a unique ID and authentication through a reliable and secure means (e.g., password, token or biometric). | TRUE | Approved | Recommended | Required | Required | TBD |
IAM-GN-05 | ISEA must be engaged when designing new access control mechanisms or making changes to existing access control mechanisms. | TRUE | Approved | Recommended | Required | Required | TBD |
IAM-GN-06 | Access control procedures must ensure access and privilege (read, write, delete, execute, etc.) to information and computing resources is restricted based on the principles of least privilege, need to know, and segregation of duties. | TRUE | Approved | Recommended | Required | Required | TBD |
IAM-GN-07 | An access management life cycle process must be documented and implemented. The life cycle controls how additions, deletions, and modifications to access privileges and IDs are managed, authorized, and tracked. These processes must identify: | TRUE | Approved | Required | Required | Required | TBD |
IAM-GN-08 | The ongoing use, management and oversight of IDs must adhere to the requirements in the Logical Access Control table. | FALSE | Proposed | Required | Required | Required | TBD |
IAM-GN-09 | IDs must only be used for their authorized and intended purpose. | TRUE | Approved | Required | Required | Required | TBD |
IAM-IP | Implementation | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-IP-01 | Authentication of users for applications, systems, and other computing resources must use a UofT-approved authentication repository. | TRUE | Approved | Recommended | Required | Required | TBD |
IAM-IP-02 | Any prompts for ID and password must be generic and must not identify the version or build number of the operating system or platform being accessed. Any response must not reveal whether the user name or the password was wrong. | TRUE | Approved | Recommended | Required | Required | TBD |
IAM-IP-03 | Where supported by the native technology, and on all UofT proprietary systems, a standard message must be displayed to warn individuals that they are trespassing when they attempt to access a resource that stores, processes, or handles information, except on locked-down security appliances. Client-facing applications are exempt as they are intended to display the UofT branding and a welcome message. | TRUE | Approved | Recommended | Required | Required | TBD |
IAM-IP-04 | Welcoming messages or invitations to access a resource must not be displayed until after a successful authentication. Client-facing applications are exempt as they are intended to display the UofT branding and a welcome message. | TRUE | Approved | Recommended | Required | Required | TBD |
IAM-IP-05 | Terminals, including laptops and desktops, must lock after fifteen minutes of inactivity and require re-authentication to regain access. | TRUE | Approved | Recommended | Required | Required | TBD |
IAM-IP-06 | Access control mechanisms within systems and applications must be implemented to ensure that devices and users are assigned the minimum access rights necessary to perform their required job functions. | TRUE | Approved | Required | Required | Required | TBD |
IAM-IP-07 | Biometric access control mechanisms must only be implemented after a risk assessment that includes privacy considerations. | FALSE | Proposed | Required | Required | Required | TBD |
IAM-IP-08 | Business users and business-based administrators must only access platforms (e.g., databases, operating systems) through an application interface and must not be provided with direct access. | TRUE | Approved | Required | Required | Required | TBD |
IAM-IP-09 | User access to applications must be restricted based on the time-of-day requirements defined by the business (e.g., lab access restrictions based on lab hours). | TRUE | Approved | Recommended | Required | Required | TBD |
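IAM-IP-02 and IAM-IP-04 describe an authentication front end that gives an attacker nothing to enumerate: a generic prompt, one failure message regardless of cause, and a welcome banner only after success. The following is an added illustration written for this standard, not code from UofT or any product it names. The user store, the PBKDF2 work factor and the message strings are constructed assumptions. It also keeps the distinguishing detail (unknown ID versus wrong password) in an internal audit record, where detection and review need it, while the client response stays uniform; an unknown ID is verified against a throwaway credential so that the request costs the same work either way.

```python
"""Login handling for IAM-IP-02 / IAM-IP-04: generic prompt, one generic
failure message for every cause, welcome text only after success.
Added example; the user store, work factor and strings are assumptions."""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumed work factor for PBKDF2-HMAC-SHA256
LOGIN_PROMPT = "ID: "        # generic: no OS, product or build number
GENERIC_FAILURE = "Login failed. Check your ID and password and try again."
WELCOME = "Welcome to the UofT service portal."  # displayed only after success (IAM-IP-04)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed credential store: one known user with a salted hash.
_ALICE_SALT, _ALICE_DIGEST = hash_password("correct horse battery staple")
USERS = {"alice": (_ALICE_SALT, _ALICE_DIGEST)}

# Throwaway credential verified whenever the ID is unknown, so the request
# performs the same amount of work whether or not the ID exists.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(secrets.token_hex(16))

# Internal audit trail: records the detail the client response must not reveal.
AUDIT_LOG = []


def authenticate(user_id: str, password: str) -> Tuple[bool, str]:
    """Verify a credential and return (success, message_for_client)."""
    record = USERS.get(user_id)
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
    _, candidate = hash_password(password, salt)
    # Constant-time comparison; the unknown-ID path compares against the dummy and always fails.
    ok = hmac.compare_digest(candidate, expected) and record is not None
    AUDIT_LOG.append({"id": user_id, "known_id": record is not None, "success": ok})
    if ok:
        return True, WELCOME
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    print(LOGIN_PROMPT)
    for uid, pw in [("alice", "correct horse battery staple"), ("alice", "wrong"), ("nobody", "wrong")]:
        print(uid, "->", authenticate(uid, pw))
```

The point to check in a review of any real login handler is the last two cases: the message returned for a wrong password and for a nonexistent ID must be byte-for-byte identical, and the response time should not differ materially between them.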
IAM-IA | Client/Internet Facing Applications | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-IA-01 | External, client Internet facing applications must lock after no more than fifteen minutes of inactivity by the client. Subsequent access after lockout must require re-authentication. | FALSE | Proposed | Required | Required | Required | TBD |
IAM-IA-02 | Systems must require a minimum password length of ten characters on client Internet facing applications. | TRUE | Approved | Recommended | Required | Required | TBD |
IAM-IA-03 | Clients must be advised of the parameters and security benefits of strong passwords and must be encouraged to create strong passwords. | TRUE | Approved | Recommended | Required | Required | TBD |
IAM-IA-04 | All client Internet-facing applications must implement extra authentication in addition to ID and password / PIN, as determined through an approved risk assessment. | TRUE | Approved | Recommended | Required | Required | TBD |
IAM-IM | Identity Management | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-IM-01 | Access request approvals must be obtained from the authorized Resource Owner (e.g., application, information, infrastructure owners) and the user's manager. | TRUE | Approved | Not Applicable | Required | Required | TBD |
IAM-IM-02 | New IDs or changes to access permissions for existing IDs must only be actioned by an independent security administrator upon receipt of a formal request. | TRUE | Approved | Not Applicable | Required | Required | TBD |
IAM-IM-03 | The following information must be captured and updated when approving and reviewing new and renewed IDs: | FALSE | Proposed | Required | Required | Required | TBD |
IAM-IM-04 | Access reviews must be conducted and signed off by all authorized approvers to validate all of the above and must also validate ID status. As part of the review, all outstanding changes to access levels and permissions must be implemented promptly. | TRUE | Approved | Required | Required | Required | TBD |
IAM-IM-05 | An audit trail of all approved access requests and access reviews must be retained for twenty-four months. | FALSE | Proposed | Required | Required | Required | TBD |
IAM-IM-06 | All activities performed with an ID (including root) must be associated to an individual user, except for functional IDs. Users must be held individually accountable for all actions they perform with any ID they are approved to use. | TRUE | Approved | Required | Required | Required | TBD |
IAM-IM-07 | Access rights must be changed or removed in a timely manner to reflect changes in, or termination of, employee or contractor job functions or third party agreements. | TRUE | Approved | Not Applicable | Required | Required | TBD |
IAM-IM-08 | All terminations of employees and contractors must be reviewed monthly to ensure access to Active Directory, VPN, or Citrix is deleted. If access is still enabled, there must be follow-up to ensure deletion or suspension of access. | FALSE | Proposed | Required | Required | Required | TBD |
IAM-ID | Personal IDs | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-ID-01 | Personal IDs must not be provided with the capability to administer support, add, edit, or delete user privileges on applications and infrastructure. | TRUE | Approved | Required | Required | Required | TBD |
IAM-PI | Privileged Class IDs | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-PI-01 | The following ID types are considered Privileged Class IDs: | TRUE | Approved | Required | Required | Required | TBD |
IAM-PI-02 | The assignment and use of Privileged Class IDs on production systems must be limited to a minimal number of persons who are responsible for operational system support or administration. | TRUE | In Progress | Required | Required | Required | TBD |
IAM-PI-03 | Developer access to SOX-sensitive systems must only be permitted through an approved Fire ID. | FALSE | Deferred | Required | Required | Required | TBD |
IAM-AI | IDs Used by Systems and Applications (non-human) | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-AI-01 | A Functional ID list must be maintained. The list must contain the owner, requirement/function, the systems interacted with, the authority granting the approval for it, date of inception, last password change, and the system where the ID is maintained. | TRUE | Approved | Required | Required | Required | TBD |
IAM-AI-02 | Net new Functional User IDs (those put into operation after the effective date of this standard) must be implemented in a manner that ensures their passwords can be changed once annually. | FALSE | Proposed | Required | Required | Required | TBD |
IAM-SI | Support IDs (Individual and Shared) | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-SI-01 | Direct access to and use of shared Support IDs is only permitted where controls are in place to monitor usage, or in instances where the technology provides no alternative (e.g., MQ). | TRUE | Approved | Required | Required | Required | TBD |
IAM-RI | Emergency/Recovery Support (Fire IDs) | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-RI-01 | A process must be documented and implemented for creating, testing, and verifying Fire IDs. | TRUE | Approved | Required | Required | Required | TBD |
IAM-RI-02 | A process must be documented and implemented for requesting the use and management review of activities conducted using Fire IDs. The process must ensure: | FALSE | Proposed | Required | Required | Required | TBD |
IAM-RI-03 | A list of approved individuals who can request the activation and use of a Fire ID must be maintained and updated to reflect any change in job function or employment status and must be reviewed every six months. | TRUE | Approved | Required | Required | Required | TBD |
IAM-RI-04 | Fire IDs must only be used for emergency support activities and have a corresponding incident ticket opened prior to the request. | FALSE | Proposed | Required | Required | Required | TBD |
IAM-RI-05 | Details for issuing and suspending Fire IDs must be recorded in the associated ticket. | FALSE | Proposed | Required | Required | Required | TBD |
IAM-RI-06 | Fire ID passwords must be disabled by security administrators immediately after notification of the completion of required activities, or automatically expire within 36 hours of issuance if no notification is received. | FALSE | Proposed | Required | Required | Required | TBD |
IAM-PM | Password Management | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-PM-01 | Passwords for IDs with control of an enterprise credential repository (e.g., AD, RACF, NonStop) must not be fully known to a single person (e.g., split knowledge). These passwords must expire and be renewed annually. | FALSE | Proposed | Required | Required | Required | TBD |
IAM-PM-02 | All passwords created as part of the development process must be changed by production support staff immediately upon promotion to production. | TRUE | Approved | Required | Required | Required | TBD |
IAM-PM-03 | All passwords and passphrases (including handheld devices and soft telephones) must be masked during user entry. | TRUE | Approved | Recommended | Required | Required | TBD |
IAM-PM-04 | Passwords (excluding Functional IDs) must not be included in any automated login process (e.g., stored in a macro or function key), including Remember Password functions. | TRUE | Approved | Recommended | Required | Required | TBD |
IAM-PC | Password Creation and Composition | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-PC-01 | Temporary passwords must be created by an authorized Security Administrator or through an automated system. | TRUE | Approved | Required | Required | Required | TBD |
IAM-PC-02 | Systems must require Personal ID users to create their own passwords the first time they log in with a temporary password. | TRUE | Approved | Required | Required | Required | TBD |
IAM-PC-03 | The following password composition rules must be complied with to the extent permitted by the native capability of the specific technology and detailed within published security hardening guides. Legacy implementations that do not meet the native capability requirements must do so as of the date of next refresh: | FALSE | Proposed | Required | Required | Required | TBD |
IAM-PC-04 | Users must not create passwords that consist of common keyboard combinations (e.g., QWERTY), common dictionary terms, acronyms in any language, easily obtained personal information (e.g., UofT, family or pet name, phone number, date of birth, etc.), project acronyms, names of sports teams, or any proper name. | TRUE | Approved | Required | Required | Required | TBD |
IAM-PD | Password Distribution | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-PD-01 | Passwords must only be provided after authenticating the requestor. Passwords must be communicated through a UofT approved process or must be left in the authenticated requestor's personal UofT voicemail. | TRUE | Approved | Required | Required | Required | TBD |
IAM-PD-02 | IDs and passwords must not be distributed together except through UofT-approved distribution mechanisms. | TRUE | Approved | Required | Required | Required | TBD |
IAM-PR | Password Change and Reset | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-PR-01 | When a password expires, systems must deny access to all resources associated with the ID until the user selects or is provided with a new password. | TRUE | Approved | Required | Required | Required | TBD |
IAM-PR-02 | When a member of a share group no longer requires use of the Shared Support ID to perform their ongoing job function (e.g., termination, departmental move, job change) they must be prevented from using that ID. In exceptions where direct access to and use of Shared Support IDs is permitted (e.g., MQ), the password must be immediately changed. | TRUE | Approved | Required | Required | Required | TBD |
IAM-PS | Password Storage and Compromise | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-PS-01 | Where a duplicate or back-up password is necessary for continued support or other contingencies, a copy of the duplicate or back-up password must be held under joint custody and securely stored. | TRUE | Approved | Required | Required | Required | TBD |
IAM-PS-02 | Passwords that are compromised or suspected of being compromised must immediately be changed, or the ID must be disabled or suspended. | TRUE | Approved | Required | Required | Required | TBD |
IAM-PS-03 | If an ID is compromised or suspected of being compromised, the appropriate UofT Information Security group must be notified immediately. | TRUE | Approved | Required | Required | Required | TBD |
IAM-AH | Authorized Handheld Devices | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-AH-01 | If a handheld device is, or is suspected of being, lost, stolen, or accessed through unauthorized means, the device must be remotely erased and disabled. | TRUE | Approved | Recommended | Required | Not Applicable | TBD |
IAM-AH-02 | Users must not compose passwords that consist of common keyboard combinations (e.g., QWERTY), common dictionary terms, acronyms in any language, easily obtained personal information (e.g., UofT, family or pet name, phone number, date of birth, etc.), project acronyms, names of sports teams, or any proper name. | TRUE | Approved | Required | Required | Not Applicable | TBD |
IAM-AH-03 | All handheld devices must be protected with at least a six character password, and the password must not contain three or more consecutive repeated characters (e.g., AAA777) or use ascending or descending sequencing beyond two consecutive characters (e.g., Ab34Cd12). | TRUE | Approved | Required | Required | Not Applicable | TBD |
IAM-AH-04 | Devices must require device owners to change their passwords within every sixty day period. | FALSE | Proposed | Recommended | Required | Not Applicable | TBD |
IAM-AH-05 | Password history must be maintained to prevent the use of the same password within six iterations of a password change cycle. | FALSE | Proposed | Recommended | Required | Not Applicable | TBD |
IAM-AH-06 | Handheld devices must lock after fifteen minutes of inactivity. | FALSE | Proposed | Required | Required | Not Applicable | TBD |
IAM-AH-07 | After ten unsuccessful login attempts, all data must be deleted from the device. | FALSE | Proposed | Required | Required | Not Applicable | TBD |
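IAM-AH-03 and IAM-AH-05 are concrete enough to implement as a policy check, and the two rules in AH-03 are the ones most often implemented loosely. The following is an added example written for this standard, not UofT's own code or any MDM product's logic. It takes the thresholds from the standard (six characters, no run of three or more identical characters, no ascending or descending sequence longer than two, six-entry history) and reads "beyond two consecutive characters" as forbidding runs of three or more, so under that reading AAA777 fails and Ab34Cd12 passes; sequence detection is case-insensitive. The history store, its salted-hash format and the PBKDF2 work factor are assumptions.

```python
"""Handheld-device password policy check for IAM-AH-03 (length, repeated
run, sequential run) and IAM-AH-05 (no reuse within six changes).
Added example; thresholds follow the standard, hashing details are assumed."""
import hashlib
import hmac
import os
from typing import List, Tuple

MIN_LENGTH = 6
MAX_REPEAT_RUN = 2      # "AAA777" contains a run of three identical characters -> rejected
MAX_SEQUENCE_RUN = 2    # "abc" or "321" is a sequence of three -> rejected
HISTORY_DEPTH = 6
PBKDF2_ITERATIONS = 50_000  # assumed work factor for the history hashes

PasswordRecord = Tuple[bytes, bytes]  # (salt, digest)


def longest_repeat_run(password: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    if not password:
        return 0
    best = run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def longest_sequence_run(password: str) -> int:
    """Length of the longest run whose characters step by exactly +1 or -1 in
    code-point order, in one direction. Case-insensitive: 'aB' is a two-character
    ascending sequence, 'cba' a three-character descending one."""
    s = password.lower()
    if not s:
        return 0
    best = run = 1
    prev_step = None
    for prev, cur in zip(s, s[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1):
            # Same direction as the previous step extends the run; a reversal starts a new 2-run.
            run = run + 1 if step == prev_step else 2
            prev_step = step
        else:
            run = 1
            prev_step = None
        best = max(best, run)
    return best


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def is_reused(password: str, history: List[PasswordRecord]) -> bool:
    """True if the candidate matches any stored previous password hash."""
    return any(hmac.compare_digest(_hash(password, salt), digest) for salt, digest in history)


def remember_password(history: List[PasswordRecord], password: str) -> List[PasswordRecord]:
    """Record a newly set password and keep only the last HISTORY_DEPTH entries (IAM-AH-05)."""
    salt = os.urandom(16)
    history.append((salt, _hash(password, salt)))
    del history[:-HISTORY_DEPTH]
    return history


def check_device_password(password: str, history: List[PasswordRecord]) -> List[str]:
    """Return the rules the candidate violates; an empty list means it is acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if longest_repeat_run(password) > MAX_REPEAT_RUN:
        violations.append("repeated_run")
    if longest_sequence_run(password) > MAX_SEQUENCE_RUN:
        violations.append("sequential_run")
    if is_reused(password, history):
        violations.append("reused")
    return violations


if __name__ == "__main__":
    for candidate in ["AAA777", "Ab34Cd12", "abc9x1", "9876zz", "ab1"]:
        print(candidate, "->", check_device_password(candidate, []))
```

Returning a list of violated rule names rather than a single boolean lets the device or enrolment server tell the user which rule failed without revealing anything about other users' passwords, and the history hashes are salted individually so that a stolen history store does not reveal whether two users shared a password.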
IAM-RA | Remote Access (IAM) | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-RA-01 | PINs for token devices must be a minimum of four digits. | TRUE | Approved | Required | Required | Required | TBD |
IAM-RA-02 | Users must create a new password each time a digital certificate is renewed. | FALSE | Proposed | Required | Required | Required | TBD |
IAM-RA-03 | Digital certificates must be protected with a password that meets the complexity requirements for password creation defined in this standard. | FALSE | Proposed | Required | Required | Required | TBD |
IAM-RA-04 | A process must be developed and implemented to distribute tokens in an approved and controlled manner. | TRUE | Approved | Required | Required | Required | TBD |
IAM-RA-05 | Users must be notified that a token has been issued to them, and this notification must be separate from the distribution of the token. Users must notify ISEA if the token is not received within five working days of the notice of issuance. | FALSE | Proposed | Required | Required | Required | TBD |
IAM-RA-06 | Tokens must only be activated after the user confirms receipt of the token. | FALSE | Proposed | Required | Required | Required | TBD |
IAM-TA | Third Party Access | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IAM-TA-01 | Automated alerts to third party service providers via a diagnostic port must be configured to allow only outbound calls and must not communicate any UofT information beyond what is required for diagnosis and break-fix activities. | TRUE | Approved | Required | Required | Required | TBD |
IAM-TA-02 | Third party service provider (vendor) access to production for support purposes must be permitted through Support IDs or Fire IDs only and must only be enabled for the period needed. | TRUE | Approved | Required | Required | Required | TBD |