I. Purpose
This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It defines Identity Management and Access Controls that protect IT resources from unauthorized use. This Standard applies to processes and procedures implemented to protect data and access to devices, systems, services, and applications, including accounts with privileged access, whether provisioned locally or at the enterprise-level.
Compliance with this Standard is mandatory and is enforced in the same manner as the policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with this Standard or obtain an exception in accordance with the 4-OP-H-25.20 Request for Exception to IT Security Policy.
II. Definitions
Administrative Account – a user account with full privileges on a computer. Such an account is intended to be used only when performing personal computer (PC) management tasks, such as installing updates and application software, managing user accounts, and modifying operating system (OS) and application settings.
Consolidated University Unit – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.
IT Assets – technology resources including, but not limited to, computers, networks, servers, applications, databases, software, and operating systems owned by, managed by, or sponsored by IT Asset Custodians.
Information Security Incident – a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.
Privileged Access – an elevated or higher level of access to university IT (Information Technology) systems or data resources than would be granted to a standard user account and ordinary user. Privileged access requires explicit authorization to perform functions considered to be of a sensitive or confidential nature when accessing university systems, tools, or data.
Privileged Account – a university user account with the approved authorizations of a privileged user.
Privileged User – a user that is trusted and authorized to perform elevated security functions or operations, which include access to confidential data that non-privileged user accounts and ordinary system users are not authorized to perform.
Process Account – a non-interactive account used to provide access to resources or services within an application or across applications.
Service Account – an interactive account provided by the software vendor to be used only for access required at the highest level within the application.
Full IT Glossary
III. Standard
FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.
University Units are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.
Controls supporting this Standard include, but are not limited to:
NIST Cybersecurity Framework and Controls
| Function | Category | Desired Outcome (Subcategory) |
| --- | --- | --- |
| Protect (PR) | Identity Management and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access. | PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes |
| | | PR.AC-3: Remote access is managed |
| | | PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties |
| | | PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions |
| | | PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |
Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.
Roles and Responsibilities
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
Consolidated University Unit (CUU) Privacy Coordinator
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s privacy program. The CUU Privacy Coordinator is the central point of contact between the University Units and ISPO for privacy issues.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
University Unit Privacy Coordinator
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a University Unit’s compliance with privacy IT policies, standards, and guidelines, in coordination with their designated CUU’s information privacy program.
Data Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting and use of university data resources, based on classification level identified by the 4-OP-H-25.01 Data Security Standard.
Data Manager
The University Unit employee(s) delegated operational oversight responsibility for data resources by the Data Custodian.
IT Asset Custodian
An individual with responsibility for the configuration, implementation, management, monitoring, oversight, and day-to-day operations of university IT Assets. IT Assets include but are not limited to enterprise or distributed networks, computers, servers, workstations, IoT devices, applications, databases, operating systems, and firmware.
All Users
Users are accountable for all activities performed by their account. Every person to whom this policy applies is responsible for:
- safeguarding FSU IT resources.
- understanding the Data Classification of information being stored, transmitted, processed, or otherwise handled to ensure that appropriate action is taken to protect the information in accordance with FSU Security and Privacy Policies and Standards.
- complying with all applicable federal, state, and local laws; and all contractual obligations.
- signing and complying with requirements of the Florida State Employee Memorandum of Understanding addressing access to High Risk or Moderate Risk information (employees).
For more information, see IT Roles and Responsibilities.
Account Management
This Standard establishes requirements for provisioning and deprovisioning access to systems and applications that create, process, maintain, transmit, or store institutional data based on authorization by the appropriate Data Custodian and proper authentication of authorized users. This includes access to campus facilities that maintain information resources, as defined by the 4-OP-H-25.08 IT Physical Security Standard. This standard provides protection for the University’s data from compromises or breaches due to inadequate access and authentication management practices, and captures information needed for compliance-related audit trails. Proper access management results in users having appropriate role-based access to authorized services. CUU and University Unit ISMs are responsible for ensuring compliance for authorization and access to IT resources based on job duties, responsibilities, and classification of data. Users are accountable for all activities performed by their account.
1) Access
Access control is the practice of authorizing and granting appropriate access and privileges to legitimate users for resources, transactions, functions, and activities. Access to systems that create, process, maintain, transmit, or store institutional data shall be granted by Data Custodians or their designated Data Managers based on assigned job duties and responsibilities, and role-based whenever supported by IT systems and applications. Reviews must be completed periodically to ensure validity and continued need for access. Users that require access to High Risk or Moderate Risk information as defined by the 4-OP-H-25.01 Data Security Standard require additional security and privacy compliance. Examples of High Risk and Moderate Risk information include, but are not limited to, personally identifiable information (PII), student education records, protected health information, and payment and financial information. Users’ acceptance and use of access denotes agreement to comply with all FSU IT Policies and Standards.
2) Authorization
CUU and University Unit ISMs are responsible for ensuring that individual requests for access are limited to systems and access levels required based on roles and responsibilities authorized by Data Custodians and IT Asset Custodians. Individuals’ affiliation with FSU determines the appropriate access needed for university data and computing resources, with the minimum access granted sufficient to perform required responsibilities. Standard Access will be granted to users unless additional access is necessary. Privileged Access to enterprise and locally provided systems is generally initiated by the individual’s unit or department. Additional access or an additional account that requires enhanced, elevated, administrative, or similar Privileged Access rights to systems, applications or data is necessary for some individuals to perform routine duties required by their position. Examples of activities that may require use of privileged accounts include digital key management, network and system administration, database administration, and application administration. Privileged Access is also required when accessing and administering systems that store data classified as High Risk or Moderate Risk, as defined by the 4-OP-H-25.01 Data Security Standard.
3) Authentication
Authentication is a process by which users, processes, or services provide proof of their identity. Users are accountable for all activities performed by their account. Authentication systems administered by CUUs, University Units or individuals are prohibited unless authorized in writing by the CISO. Impersonation of FSU authentication services, including graphic elements or similar URLs, is not permitted unless access is granted in writing by the CISO. Individuals granted privileged access may not use their accounts to bypass or disable security controls.
Interactive administrative accounts must not be shared, and activities using administrative accounts must be traceable to an individual. Service accounts (e.g., backup) must not be used for interactive sessions.
FSU has established the following password management requirements for creating and securing passwords:
Password management
Passwords and related security questions must be kept secure and confidential, and not shared with or used by anyone other than the person to whom they are assigned:
- Password masking must be used for all FSU authentication to ensure passwords are not visible as they are entered.
- Systems accepting password input should provide an option to display the password as it is entered. The system may also permit the user’s device to display individual entered characters for a short time after each character is typed to verify correct entry.
- Any passwords with default values set by the vendor must be reset.
- Under circumstances requiring that multiple people have access to a credential, such as software developers accessing an Application Programming Interface, the credential must be changed whenever anyone with knowledge of it no longer has job-related responsibilities requiring access granted via the credential.
Password Construction
The University's minimum factors for selecting passwords must be followed by individuals when selecting and setting a password and must be enforced by IT systems whenever technically feasible. Passwords:
- Must be at least 8 characters
- Must contain one or more alpha characters (a-z, A-Z)
- Must contain one or more numeric characters (0-9)
- Must contain one or more non-alphanumeric characters (#~!@$%^&*+_?...)
- Must not contain spaces
- Must not be the user’s name
- Must not be the user’s FSUID
- Must not be any of the user’s last ten passwords
- Must not use repetitive or sequential characters (e.g. “aaaa”, “1234abcd”, etc.)
- Must not contain any context-specific words, such as the name of the service, the username, and derivatives thereof
Password Security Controls
IT systems that verify credentials must enforce the following security controls whenever technically feasible:
- Password complexity: Passwords must be checked against a blacklist that includes dictionary words, repetitive or sequential strings, passwords identified in prior security breaches, variations on the site name, commonly used passphrases, or other words and patterns that cybercriminals are likely to guess.
- Multi-Factor Authentication (MFA): MFA is recommended whenever technically feasible. Access to High Risk and Moderate Risk FSU information requires MFA. DUO is approved for this requirement. Use of any other MFA technology requires an approved exception via the 4-OP-H-25.20 Request for Exception to IT Security Policy.
- Password Expiration: Passwords shall expire in 365 days or less when MFA is not used. There is no expiration requirement when MFA is used.
- Password transmission: Transmission of passwords over any network must be encrypted.
- Password creation: If a password does not meet the criteria listed in “Password Construction” above, the system must advise the person that they need to select a different password, provide the reason for rejection, and require the person to choose a different password.
- Generated passwords: Where technically feasible, passwords generated randomly by systems (rather than created by a person) must be at least eight characters in length and be generated using a university-approved random bit generator.
- Password throttling: FSU does not implement password throttling due to compensating controls including the requirement for 2FA.
- Password compromise: If a password has been improperly disclosed, accessed, or used by an unauthorized person, it must be changed immediately.
- Password reset / change / expiration: Default and vendor-supplied passwords must be changed prior to use.
- Password reuse: Passwords may not be reused when being renewed or changed for at least ten password changes and must not be the same as passwords used for other non-University accounts.
- Password file access: Unauthenticated access is forbidden for all FSU file shares.
- Password Protection: Passwords or encryption keys used to access confidential data must be protected as if the passwords and keys were confidential and, therefore, are subject to all requirements for confidential information.
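As an added example (not FSU's own code), the construction rules under "Password Construction" and the blacklist check under "Password Security Controls" as one acceptance check that returns every reason for rejection, which is what the "Password creation" control asks the system to report. The run length of 4 for repetitive/sequential characters, the substitution-style normalisation used to catch "derivatives" of a context word, the service name, and keeping the password history as salted PBKDF2 hashes are assumptions.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8
HISTORY_DEPTH = 10            # "last ten passwords"
RUN_LENGTH = 4                # assumption: runs like "aaaa" / "1234" of 4 or more are rejected
PBKDF2_ITERATIONS = 100_000   # assumption: history is stored as salted PBKDF2-SHA256 digests
# Assumption: common character substitutions count as "derivatives" of a context word.
_LEET = str.maketrans("01345$@", "oleassa")


@dataclass
class User:
    fsuid: str
    name: str
    # (salt, digest) pairs for previous passwords, most recent first
    history: list = field(default_factory=list)


def hash_password(password, salt=None):
    """Salted PBKDF2 digest so the history never holds plaintext passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def _in_history(candidate, history):
    for salt, digest in history[:HISTORY_DEPTH]:
        _, probe = hash_password(candidate, salt)
        if hmac.compare_digest(probe, digest):
            return True
    return False


def _repetitive(pw):
    # the same character RUN_LENGTH or more times in a row, e.g. "aaaa"
    return re.search(r"(.)\1{%d,}" % (RUN_LENGTH - 1), pw) is not None


def _sequential(pw):
    # RUN_LENGTH consecutive code points ascending or descending, e.g. "1234", "dcba"
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - RUN_LENGTH + 1):
        window = codes[i:i + RUN_LENGTH]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def _normalise(s):
    return s.lower().translate(_LEET)


def validate_password(candidate, user, service_name, blocklist=()):
    """Return the list of rejection reasons; an empty list means the password is acceptable."""
    reasons = []
    name_tokens = {t.lower() for t in user.name.split()}
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"must be at least {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        reasons.append("must contain an alphabetic character")
    if not re.search(r"[0-9]", candidate):
        reasons.append("must contain a numeric character")
    if not re.search(r"[^A-Za-z0-9\s]", candidate):
        reasons.append("must contain a non-alphanumeric character")
    if " " in candidate:
        reasons.append("must not contain spaces")
    if candidate.lower() == user.name.lower() or candidate.lower() in name_tokens:
        reasons.append("must not be the user's name")
    if candidate.lower() == user.fsuid.lower():
        reasons.append("must not be the user's FSUID")
    if _in_history(candidate, user.history):
        reasons.append(f"must not be any of the last {HISTORY_DEPTH} passwords")
    if _repetitive(candidate) or _sequential(candidate):
        reasons.append("must not use repetitive or sequential characters")
    # Context-specific words: service name, FSUID, user's name and simple derivatives.
    context = {user.fsuid, service_name} | name_tokens
    norm = _normalise(candidate)
    if any(len(w) >= 3 and _normalise(w) in norm for w in context):
        reasons.append("must not contain the service name, FSUID, user's name or derivatives")
    # Blacklist of guessable passwords (dictionary words, breached passwords, site-name variants).
    if norm in {_normalise(b) for b in blocklist} or candidate.lower() in blocklist:
        reasons.append("is on the blacklist of guessable passwords")
    return reasons
```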
General Security and Privacy Controls
Each CUU/University Unit bears the responsibility to protect the confidentiality (authorized access), availability, and integrity of university information through proper security and privacy controls, including but not limited to:
Control
Standard
User Identification & Credentials
The identification of authorized users of information systems and the specification of access privileges is fundamental to access control. Eligible FSU users are granted one enterprise-wide unique user identification (FSUID) and password for regular, day-to-day use to ensure accurate auditing of access and actions. Accounts that have administrator permissions must not be used as a user’s default account and must not be shared. FSUIDs or VPN accounts assigned to individuals must not be shared. FSU accounts, passwords, personal identification numbers, security tokens, smart cards, identification badges or other devices used for identification and authentication purposes must not be shared. Users are accountable for all activities performed by their account. Shared Service accounts shall log employees’ access and usage.
Multi-Factor Authentication (MFA)
Access to privileged accounts requires MFA. Duo is approved for this requirement. Use of any other MFA technology requires an approved exception via the 4-OP-H-25.20 Request for Exception to IT Security Policy.
Identifier Management
The organization manages information systems by receiving appropriate authorization, selecting the appropriate individual, group, role or device identifier; and disabling identifiers after the established time period.
Principle of Least Privilege
Individuals must be granted the minimum level of access sufficient to complete job responsibilities or other authorized activities. Individuals with multiple accounts or privileged access must use the least privileged account for day-to-day activities. Privileged service and process accounts are to be used only when the elevated privilege is required by the system or application.
Separation of Duties
A defined procedure must be in place for granting access that distinguishes between the person who has the authority to approve the access request and the person who fulfills the request. Audit functions must be performed by someone other than the person responsible for fulfilling the request.
Transfer of Data
The CUU/University Unit DDDH and/or Data Custodian must authorize the transfer of High Risk or Moderate Risk data to other CUUs, University Units, third-party vendors or to non-university owned portable storage, portable computing devices such as mobile memory devices, laptop computers, tablets or smartphones.
Unauthorized Access
Users must not attempt to gain access to university information systems or data for which they have not been granted authorization.
System Use Notifications
CUU/University Unit ISMs should implement a process to display an “Official Use Only” system use notification message (banner) for information systems prior to granting access or upon successful logon.
Remote Access
Remote Access systems that allow technical control by support staff to users’ workstations must require user permission before allowing remote access.
Access Revocation or Termination
Access must be updated appropriately, or removed altogether, after notification of a status change has been received, when an individual:
- permanently leaves the University or when employment, student, or other status is separated/terminated for any reason.
- transfers from one position to another, with different responsibilities and levels of access required.
Under normal circumstances, standard access must be removed as promptly as possible and within 3 hours of termination. Privileged, service and process account access must be removed as promptly as possible and within 1 hour of termination.
When an individual is separated from the University with cause, authorized access must be revoked in coordination with ISPO and the Office of Human Resources, or other responsible party, who will determine the appropriate timing based on the specific circumstances.
Note that revoking authorized access may be accomplished independently of disabling or removing an individual’s user account, depending on the security controls of the systems in use.
Upon termination, work products should be collected, and all access must be removed. The University Unit ISM or designee must maintain documentation of terminations of access including date and time.
Access Review
University Unit ISMs must review standard, privileged, and shared accounts regularly to ensure access revocation is taking place and the principle of least privilege is being followed, based on authorization provided by Data Custodians or their designated Data Manager. This is particularly important for privileged access, which must be reviewed at least quarterly. Access granted to standard, unprivileged accounts must be reviewed and modified accordingly upon receiving notification that a person’s status has changed. Reviews will be documented and retained by the ISM.
Session Termination
All users are required to logoff or lock their systems when they are finished with their current session or are expected to be away from their workstation. All FSU desktops, laptops and mobile devices must employ a screensaver or inactivity lock of no more than 30 minutes and must require a password or pin to unlock.
Privileged Accounts and Privileged Access Management
- University units are responsible for authorizing and managing privileged accounts which provide privileged users with an elevated or enhanced level of access to university IT systems, applications, and data resources.
- Authorization for privileged accounts must be based on a legitimate university business need, and the need to authorize privileged users to perform the routine duties required of their position. Privileged users shall not use their privileged access for unauthorized access, viewing, modification, copying, or destruction, of university systems or data.
- In addition to the requirements in this standard and where relevant to privileged accounts or privileged access management, university units are required to meet applicable regulatory requirements in state and federal law, regulation, or contractual requirements. In the case of a conflict between such requirements, the more stringent requirements shall govern.
- Requests for creation of privileged user accounts can be initiated by the individual’s supervisor or system owner and are required to be granted or rejected by the University Unit ISM, DDDH, or their designee.
- Where feasible to do so, unique system administrator account names must be created for authorized privileged users. Vendor default or generic administrator account names shall not be used.
- Access rights will be disabled or removed when a privileged user is terminated or ceases to have a legitimate business need for maintaining privileged access to university systems. Privileged accounts must be removed immediately and within 1 hour of termination.
- When a privileged user is separated from the university, authorized accounts must be removed in coordination with the Office of Human Resources, or other responsible party.
- Upon termination, privileged user work products must be collected, and all access must be revoked. The University Unit ISM or designee must maintain documentation of terminations of access including date and time.
- It is the responsibility of the privileged user’s supervisor and/or University Unit ISM to notify university unit IT personnel and, where applicable, Information Technology Services (ITS) to initiate the removal of privileged access rights or permissions.
- University Unit ISMs are required to review privileged accounts assigned to users at least quarterly to validate the continued need for each active privileged account and ensure privileged accounts are removed or disabled when no longer necessary. Quarterly reviews shall also include accounts with unnecessary privileges or dormant accounts which may include:
- Accounts assigned to external contractors, vendors, third-parties, or employees that no longer work for or on behalf of the university.
- Accounts with access rights for which the user’s role and responsibilities do not require privileged access.
- System administrator rights or permissions granted to a user who is not a system administrator. Such rights may include permissions to change the system configuration, security, or performance settings of a computer system, network, application, or database system.
- Unknown active and inactive accounts.
- System administrator access to university systems, applications, and data must require Multi-Factor Authentication (MFA) where technically feasible to implement. Access to university systems storing, processing, transmitting, or receiving university High Risk or Moderate Risk data requires MFA. Use of any other MFA technology requires an approved exception via the 4-OP-H-25.20 Request for Exception to IT Security Policy.
- University units shall establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access.
- Where applicable, university units shall conduct a risk assessment to determine whether secure access to university IT systems and applications handling university High Risk or Moderate Risk data requires implementation of a secure bastion host, proxy server, or similar arrangement to enable privileged user access.
- System and application sessions must automatically lock after 30 minutes of inactivity.
- Where technically possible, university units shall ensure the use of privileged accounts will be logged for events including, but not limited to:
- The use of system administrator privileges.
- Successful and failed system administrator login or authentication attempts and privilege escalation attempts.
- Account lockout events.
- Changes to privileged access groups (e.g., addition of a user account to a privileged group).
- Actions of privileged account usage.
- University Unit ISMs and System Administrators, or their designees, should monitor privileged accounts and access audit logs on a quarterly basis, unless there are more stringent regulatory compliance requirements the unit must meet. Access to such audit logs must be protected and restricted to authorized university personnel and, where applicable, to third parties who the university has authorized to access this information.
- Use of a Privileged Access Management solution is required.
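As an added example (not FSU's or any vendor's code), a small classifier that maps constructed Linux auth-log lines onto the privileged-account event categories listed above, the kind of logic a quarterly review of privileged-account audit logs would run. The syslog line format, treating root as the system-administrator identity, and the set of groups that confer privilege are assumptions.

```python
import re
from collections import Counter

# Constructed sample auth-log lines (syslog format, documentation IP ranges); not real data.
SAMPLE_LOG = """\
Mar 10 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 09:12:44 web01 sshd[2231]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar 10 09:13:02 web01 sshd[2240]: Accepted publickey for root from 198.51.100.7 port 40112 ssh2
Mar 10 09:14:10 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 10 09:15:30 web01 sshd[2300]: pam_faillock(sshd:auth): Consecutive login failures for user carol account temporarily locked
Mar 10 09:16:05 web01 usermod[2310]: add 'dave' to group 'sudo'
Mar 10 09:16:40 web01 su: (to root) alice on pts/0
Mar 10 09:17:00 web01 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Assumptions: root is the administrator identity; these groups confer administrator rights.
ADMIN_USERS = {"root"}
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "admin"}

_HEADER = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# (category from the list above, pattern). Order matters: the sudoers refusal is checked before plain sudo use.
_PATTERNS = [
    ("privilege_escalation_attempt", re.compile(r"sudo:\s+(?P<user>\S+) : user NOT in sudoers")),
    ("admin_privilege_use", re.compile(
        r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<command>.+)$")),
    ("admin_privilege_use", re.compile(r"su: \(to (?P<target>\S+)\) (?P<user>\S+) on ")),
    ("admin_auth_failure", re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("admin_auth_success", re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("account_lockout", re.compile(r"Consecutive login failures for user (?P<user>\S+) account temporarily locked")),
    ("privileged_group_change", re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")),
]


def parse_line(line):
    """Return an event dict for a line in one of the listed categories, or None for noise."""
    head = _HEADER.match(line)
    if not head:
        return None
    for category, pattern in _PATTERNS:
        m = pattern.search(head.group("msg"))
        if not m:
            continue
        fields = m.groupdict()
        # Only administrator logins and administrator privilege use are in scope.
        if category.startswith("admin_auth") and fields["user"] not in ADMIN_USERS:
            continue
        if category == "admin_privilege_use" and fields.get("target") not in ADMIN_USERS:
            continue
        # A group membership change matters only when the group confers privilege.
        if category == "privileged_group_change" and fields["group"] not in PRIVILEGED_GROUPS:
            continue
        return {"category": category, "ts": head.group("ts"), "host": head.group("host"), **fields}
    return None


def classify(log_text):
    """All in-scope events from a block of log text, in log order."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def summarize(events):
    """Per-category counts, the headline figures for the quarterly review."""
    return Counter(e["category"] for e in events)


if __name__ == "__main__":
    found = classify(SAMPLE_LOG)
    for e in found:
        print(e["ts"], e["host"], e["category"], e.get("user"), e.get("command", ""))
    print(dict(summarize(found)))
```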
Additional Controls For Access To High Risk Or Moderate Risk Data
Access to FSU information classified as High Risk or Moderate Risk requires appropriate authorization by the Data Custodian or the designated Data Manager, as defined by the 4-OP-H-25.01 Data Security Standard. Data Custodians, in conjunction with application developers, are responsible for monitoring and maintaining documentation at the data element level for access privileges granted for High Risk or Moderate Risk data.
Each FSU position requiring access to High Risk or Moderate Risk information must be reflected in the employee’s position description. The employee’s signed Florida State Employee Memorandum of Understanding acknowledges security and privacy compliance requirements. Employees designated as having access to select High Risk or Moderate Risk information (e.g., HIPAA) may also be required to sign agreements acknowledging special confidentiality controls necessary to meet specific legal or contractual privacy requirements. Documents may be stored in digital or paper format by the unit and must be made available for audit upon request.
Each CUU / University Unit Privacy Coordinator must ensure that employees are trained on the requirements to safeguard High Risk and Moderate Risk information. This training must occur prior to employee access granted to High Risk or Moderate Risk information or as required by legislation or contractual obligation. In addition, employees handling High Risk or Moderate Risk information are required to take an annual privacy training update. As verification of participation, each University Unit Privacy Coordinator must maintain rosters of participants in online or in-person privacy training in an electronic or paper format.
Individuals not employed by FSU who are authorized to view High Risk or Moderate Risk information as part of a regulatory, academic, or business function must comply with security and privacy requirements covered by third-party contracts and agreements. Additionally, background checks may be required prior to granting access to FSU High Risk or Moderate Risk information. Legal or regulatory requirements may impact who is authorized to view FSU High Risk or Moderate Risk data. Additional requirements for authorization and access to High Risk or Moderate Risk data are defined in the 4-OP-H-25.02 Information Privacy Standard.
Additional Controls include, but are not limited to:
Control
Standard (High Risk/Moderate Risk Data Access)
Multi-Factor Authentication (MFA)
Access to High Risk and Moderate Risk FSU information requires MFA. Duo is approved for this requirement. Use of any other MFA technology requires an approved exception via the 4-OP-H-25.20 Request for Exception to IT Security Policy. Additionally, all current faculty, staff, and those performing work on behalf of the University, such as contractors, are required to use FSU’s MFA service when authenticating to web-based applications and Virtual Private Networks (VPNs).
Unsuccessful Logon Attempts
For any device that creates, stores, processes or accesses High Risk or Moderate Risk data, the device must be configured to disable the account after 10 failed attempts to enter the password.
Training
Prior to being granted administrative or other privileged access to any data or system, staff members must complete the appropriate training identified by the 4-OP-H-25.06 IT Security Training and Awareness Standard.
Encryption
Additional access enforcement mechanisms must be employed anytime data changes systems and at the application level for High Risk and Moderate Risk data. High Risk and Moderate Risk data must be encrypted during network transmission and must only be stored on approved systems for which FSU has a contractual agreement in place. High Risk and Moderate Risk data stored on mobile devices or removable media must be encrypted, as defined by the 4-OP-H-25.14 IT Encryption Standard.
Administrative Access
The Data Custodian must approve access to system and network administrators for access to High Risk and Moderate Risk information to perform an approved action to mitigate a system problem or as part of an incident response to a privacy breach investigation.
Access Revocation or Termination
Accounts with access to High Risk or Moderate Risk data must be removed as promptly as possible and within 1 hour of termination.
Remote Access
Any system accessing High Risk or Moderate Risk information via a wireless network OR any remote, off-campus access to a system containing such data must use an encrypted communication method. Examples of encrypted network transport include ssh/sftp, ITS Service Catalog - Enterprise SSL, and ITS Service Catalog - VPN with encryption enabled.
Wireless Access
Any system storing or accessing High Risk or Moderate Risk information that uses a campus wireless connection must use FSU-Secure, or a departmental wireless network with equivalent or stronger security (authentication required, encrypted transmission).
Access Control for Mobile Devices
Mobile devices used to store High Risk or Moderate Risk FSU data must be properly encrypted to protect the confidentiality and integrity of the information. High Risk and Moderate Risk data must be encrypted at rest.
Use of External Information Systems
No High Risk or Moderate Risk FSU data may be stored on personal devices or non-approved third-party information systems. FSU’s ITS-provided email system is the official means of communication for the university. Faculty, staff, and students are required to conduct FSU business from their FSU assigned email address containing the fsu.edu domain.
Incident Reporting
Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the 4-OP-H-25.11 IT Incident Response Standard for more information.