Standard 4: Access Management

Proper management and use of computer accounts are basic requirements for protecting the University's information resources. All offices that create access accounts for applications, networks, or systems are required to manage the accounts in accordance with the University's access management processes. Access to an information resource may not be granted by another User without the permission of the owner or the owner's delegated custodian of that information resource. All accounts are to be created and managed using the following required account management practices:

1. Access Management Requirements
   1. All accounts that access non-public University information resources must follow an account creation process. This process shall document who is associated with the account, the purpose for which the account was created, and who approved the creation of the account at the earliest possible point of contact between the account holder and the University. All accounts accessing the University's non-public information resources must have the approval of the owner of those resources. These measures also apply to accounts created by/for use of outside vendors or contractors.
   2. All accounts must adhere to the UNF Account Management policy.
   3. All accounts must authenticate with SAML 2.0 or LDAP to centrally managed UNF accounts (UNFID). All externally accessible applications must use multi-factor authentication (MFA). Exceptions to this standard must be documented and approved by the Assistant Director of IT Security or their designee.
   4. All accounts must adhere to the university's password requirements.
   5. All accounts must be able to be associated with an identifiable individual who is authorized to use that account. In limited circumstances the University may create generic accounts for use by multiple individuals. These accounts must have an identified account owner that is responsible for tracking and recording who has access to those accounts and be approved by the Assistant Director of IT Security or their designee. All generic account passwords must be saved in the University password management system and changed at least every 30 days.
   6. Accounts of individuals who have had their status, roles, or affiliations with the University change must be updated to reflect their current status.
   7. Accounts must be reviewed at least annually to ensure their current state is correct.

2. Remote and Wireless Access. Remote and wireless access to the UNF network infrastructure must be managed to preserve the confidentiality, integrity, and availability of UNF data. Remote and wireless access must:
   1. Require the use of secure and encrypted connections when accessing information resources containing confidential data across the Internet, or across unsecured or public networks (e.g., use of VPN for access, SFTP for transfers, encrypted wireless); and
   2. Require monitoring for identifying and disabling of unauthorized (i.e., rogue) wireless access points.
3. Access to UNF Networks. All network hardware connected to the UNF network must be approved by the IT network engineering team, including any non-UNF owned computer systems or devices, to ensure that such access does not compromise the operations and reliability of the network, or compromise the integrity or use of information contained within the network.
4. Data Access Control Requirement. All owners and custodians must control and monitor access to data within their scope of responsibility based on data sensitivity and risk, and through use of appropriate administrative, physical, and technical safeguards including the following:
   1. Owners must limit access to records containing confidential data to those employees who need access for the performance of the employees' job responsibilities. An employee may not access confidential data if it is not necessary and relevant to the employee's job function.
   2. Owners and custodians must monitor access to records containing confidential data using appropriate measures as determined by applicable policies, standards, procedures, and regulatory requirements. Audits of access controls are to be done at least annually.
   3. Owners and custodians must ensure log capture and review processes adhere to UNF standards.
   4. Employees may not disclose confidential data to unauthorized persons or Institutions except:
      1. as required or permitted by law, and, if required, with the consent of the data owner;
      2. where the third party is the agent or contractor for the University and the safeguards described in Access for Third Parties (section 5) are in place to prevent unauthorized distribution; or
      3. as approved by the UNF Office of General Counsel.
5. Access for Third Parties.
   1. If UNF intends to provide University data to a third party acting as an agent of or otherwise on behalf of UNF (example: an application service provider) a written agreement with the third party is required. Such third party agreements must specify:
      1. the data authorized to be accessed;
      2. the circumstances under and purposes for which the data may be used; and
      3. that all data must be returned to the University or destroyed, in a manner specified by UNF upon end of the third party engagement.
   2. If UNF determines that its provision of data to a third-party will result in significant risk to the confidentiality, integrity, or availability of such data, the agreement must specify the terms and conditions for protecting the data, including appropriate administrative, physical, and technical safeguards.
   3. All new and existing data integrations that share UNF data must be documented according to the standards documented by Institutional Research. More information can be found on the data governance website. 
6. Multi-factor Authentication (MFA) Requirements. MFA is required in the following situations:
   1. when an employee or other individual providing services on behalf of the University (such as a student employee, contractor, or volunteer) logs on to a University network using an enterprise remote access gateway such as a VPN, Terminal Server, or similar service; or
   2. when an employee or other individual providing services on behalf of the University who is working from a remote location uses an online function (e.g. a web page) to modify or view confidential data.
   3. when an employee or other individual providing services on behalf of the University from a remote location uses administrator credentials to access another computing device or service.