IT Services Authentication Services Policy
The purpose of this policy is to protect the University’s network and to protect the security and privacy of any data that is either critical to the business of the University or legally required to be protected by the University and whose access is controlled through IT Services supported authentication services.
All services that present plaintext passwords to an IT Services operated authentication service, e.g. LDAP or Active Directory, must collect and transmit these credentials over a secured communication channel that ensures end-to-end information integrity and confidentiality such as SSL or TLS.
Any service that uses an IT Services operated authentication service must not write users’ authentication secrets to any persistent store. A user’s authentication secret must not be maintained in memory beyond the end of the user’s session. Authentication secrets must not be used for any purpose beyond authenticating the user for the service the user is logging into.
Any service that uses an IT Services operated authentication service must have at least one active full-time benefits-eligible employee designated as the responsible party and one current technical contact person for the service. These could be the same person.
Applicability and Scope:
This policy applies to all services that use IT Services operated authentication services, whether managed by the University or by a third party with whom the University has contracted the service(s).
External, non-University, services may not use IT Services’ LDAP or Active Directory authentication service for authentication without review by IT Services and an IT Services approved contract.
IT Services reserves the right to review services to ensure they comply with these requirements, or appoint a third party to do so. Services found to be violating this policy may be disabled until they are brought into compliance with this policy. Before taking that step, IT Services will attempt to work with the service owner to determine whether mitigating controls can be put in place to remediate the identified issues until such time as the service can be brought into compliance.
If you have any questions as to whether or how this policy applies to your specific server or service, please contact IT Security at firstname.lastname@example.org.
Responsible Office: IT Services
Responsible Executive(s): Chief Information Security Officer
Last Update Date: February 18, 2013
Last Review Date: February 15, 2013
Next Review Date: February 18, 2014
Category: Account and Identity
Expiration Date: February 18, 2014
Policy Owner: tbarton