
Information Resource Access Control And Log Management Policy

Effective Date: October, 2013

Revised: November 2014

I. Introduction

This Policy describes the process of authorizing, establishing, documenting, reviewing and modifying appropriate access to Columbia University Information Resources that process, transmit and/or store Data (as each term is defined in the University’s Information Security Charter (the “Charter”) http://policylibrary.columbia.edu/information-security-charter). Such access is limited to faculty, staff, students and contractors of the University who have been properly authorized to carry out legitimate business or academic tasks.


Capitalized terms used herein without definition are defined in the Charter.

 

II. Policy History

The effective date of this Policy is November 1, 2013.  This Policy and the other Information Security Policies replace (A) the following University Policies:

  1. Acceptable Use of IT Resources (Network and Computing Policy), dated July 1, 2007
  2. Desktop/Laptop/Mobile Devices Security Requirements When Accessing Sensitive Data
  3. Electronic Information Server Administration Policy, dated March 1, 2007
  4. Remote Access Policy, dated February 1, 2008

and (B) the following CUMC Policies:

  1. General Information Security Policy, dated November 15, 2007
  2. Information Access Management and Control Policy, dated November 15, 2007
  3. Information Security: Audit and Evaluation Policy, dated November 15, 2007
  4. Workstation Use and Security Policy, dated November 2012.

 

III. Policy Text

A. Access Control Requirements for System Owners and IT Custodians

Each System Owner and IT Custodian must ensure that the following access controls are implemented for any Information Resource:

1.      Procedures for (a) establishing and describing different levels of User access, (b) authorizing User access and (c) granting, revising and terminating User access are documented and periodically reviewed and revised as required so that access is granted only to Users who are necessary to accomplish the intended and approved purpose of the use.

2.      The Information Resource is protected by authorization (access control) technology that employs unique User IDs and secret passwords unique to each User and password management procedures include the protections described in Section B below.  Use of a generic group identifier is not recommended and is prohibited for access to a System that contains Sensitive Data or Confidential Data.

3.    Each Information Resource has a different administrative account and password and access to the password is restricted to as few people as possible.  No unnecessary accounts are created on the Information Resource beyond those needed for administration and operation.

4.    Access to the Information Resource locks after no more than 15 minutes of inactivity through an automatic locking mechanism, such as the use of a password protected screen saver or an equivalent alternative mechanism, unless the immediate area surrounding the Information Resource is physically secured or a waiver has been granted by the applicable Information Security Office.

5.    All unnecessary or unused accounts are disabled and removed.

6.    User access to any System that uses, stores or transmits Sensitive Data is reviewed on an annual basis.

B. Password Requirements

Each System Owner and IT Custodian must ensure that the following password protections are implemented for each Information Resource that processes, transmits or stores Sensitive Data:

1.      Passwords are changed every 45-180 days.

2.      Passwords may not be reused until two additional passwords have been used.

3.      Users select and change their own passwords.

4.      Passwords meet good password criteria, including:

  • Passwords at least 8 alpha and numeric characters long are used.  Passwords for any administrative or service accounts must be at least 16 characters long.
  • Dictionary words or commonly known proper nouns are not used unless the password has more than 12 characters. 
  • Passwords include mixed case letters and numbers or special characters. 
  • Users are encouraged to use a passphrase such as a sentence that contains the above requirements.  In this case, dictionary words may be used.

5.      Passwords are not displayed in clear text when being input into the System.

6.      Default vendor or other pre-installed passwords are changed immediately following installation of a System.

7.      The System “save password” feature is disabled.

8.      Users are trained on good password practices.

It is recommended, but not required, that the foregoing password procedures be implemented for Information Resources other than those that process, transmit or store Sensitive Data.

C. Log-In Requirements

Each System Owner and IT Custodian must ensure that the following log-in protections are implemented for each Information Resource: 

1.      After a maximum of 6 unsuccessful attempts to enter a password, the User ID is either suspended until reset by an IT Custodian or temporarily disabled for no less than 3 minutes unless a waiver has been granted by the applicable Information Security Office.

2.      System identifying information is minimized prior to successfully completing the log-in process.

3.      The log-in process can (a) record failed log-in attempts and (b) upon completion of a successful log-in, record the date and time of the previous successful log-in.

4.      Each CUMC System that processes, transmits or stores Sensitive Data or Confidential Data has a login banner that states the following:

“The information in University Systems at Columbia University is private and confidential and may be used only on a need-to-know basis.  All access is logged.  Unauthorized or improper use of a University System or the data in it may result in dismissal and/or civil or criminal penalties.”

D. Log Management

Each System Owner and IT Custodian must ensure that the following protections are implemented for each Information Resource that processes, transmits or stores Sensitive Data:

1. Logging is activated on each Server.

2. Logging is configured to keep track of access to Systems, Data and the Server itself.

3. Logs are retained for as long as it is operationally necessary; 29 days is recommended.

4. A Syslog or similar function is used to store logs on a separate System.

5. Logs are reviewed by the IT Custodian on a regular basis for unusual activity.

6. A process is established so that Log monitoring software is installed where available.

7. Logs generate the following Data:

  • Date and time of activity;
  • Description of attempted or completed activity;
  • Identification of User performing activity; and
  • Origin of activity (i.e., IP address, workstation identifier, etc.)

8. Logs have audit mechanisms that generate reports of auditable events such as:

  • Failed authentication attempts;
  • Use of audit software programs or utilities (i.e., System logs);
  • Access to the System;
  • System startup or shut down;
  • Use of privileged accounts (i.e., System administrator accounts);
  • Security incidents;
  • Change of User’s security information (i.e., User privileges); and
  • Vendor and temporary account activities.

It is recommended, but not required, that the foregoing protections be implemented for Information Resources other than those that process, transmit or store Sensitive Data.

E. Access Control and Monitoring Procedures for EPHI

Each User of any Information Resource that processes, transmits and/or stores EPHI must follow the specific provisions relating to access control and monitoring in the CUMC Information Security Procedures https://secure.cumc.columbia.edu/cumcit/secure/policy/procedures.html.

F. Remote Access

Each User must ensure that the following controls are implemented to remotely connect to the University’s Information Resources:

1.      The controls meet or exceed the controls described in the Columbia University Registration and Protection of Endpoints Policy http://policylibrary.columbia.edu/registration-and-protection-endpoints-policy.

2.      The University’s approved VPN is used, or the Information Resource is configured for remote access in a manner approved by the applicable Information Security Office.

G. CUMC Emergency Access

In a clinical emergency (reasonably determined) at CUMC, if a health care professional who is treating the patient does not have access to a System storing EPHI relating to such patient, another health care professional who is able to access such EPHI from the System may do so on behalf of the treating health care professional. 

 

IV. Cross References to Related Policies

The Information Security Policies referred to in this Policy are listed in Appendix A hereto.

Appendix A 

Related Policies

CUMC Information Security Procedures

https://secure.cumc.columbia.edu/cumcit/secure/policy/procedures.html

Information Security Charter

http://policylibrary.columbia.edu/information-security-charter

Registration and Protection of Endpoints Policy

http://policylibrary.columbia.edu/registration-and-protection-endpoints-policy