Standard for the Use of Two-factor Authentication for Administrator Access to University Systems, Applications and Services by Privileged Accounts

Purpose 

The purpose of this standard is to instruct systems, applications and services administrators on the appropriate use of two-factor authentication for administrative access to University of Oregon ("University") computing and information resources and to aid in the interpretation of requirements set forth in the University Minimum Information Security Controls Standard. 

Applies To 

This Standard applies to all University owned systems, applications and services that allow administrators, or any other individuals Administrator Access to University computing and information resources.  

Definitions 

Administrator Access is defined as a level of access above that of a standard end-user. This definition is intentionally vague to allow the flexibility to accommodate varying systems and authentication mechanisms. Under most circumstances this level of access is relegated to privileged accounts. The following are examples of administrator access: 

  • In a traditional Microsoft Windows environment, members of the Power Users, Local Administrators, Domain Administrators and Enterprise Administrators groups would all be considered to have Administrator Access. 
  • In a traditional UNIX or Linux environment, users with root level access or the ability to sudo would be considered to have Administrator Access.  
  • In an application environment, users with elevated privileges, ‘super-user’, system or database administrator roles and responsibilities would be considered to have Administrator Access.   
  • Network and other infrastructure systems administrators are also considered to have Administrator Access.  

Data Custodian is university personnel or designated third-party agent responsible for the operation and management of information systems which collect, manage, process, or provide access to University Data. See University Information Asset Classification & Management Policy for roles and responsibilities of Data Custodians. 

Privileged Account is a user account that has more privileges than ordinary users. Privileged accounts might, for example, be able to install or remove software, upgrade the operating system, or modify network, system or application configurations. They might also have access to files that are not normally accessible to standard users. 

System, Application, and Service can be loosely defined as any electronic environment that stores, processes or transmits information for the purpose of maintaining the operational functions of University. 

Two-factor Authentication is defined as a second layer of security to protect an account or system. Users must go through two layers of security before being granted access to an account or system. University provides a Two-Step Login service that uses DUO Security to manage the second factor authentication. 

University computing and information resource is a collection of systems, applications and services that are owned, leased and/or operated by University. 

Standard 

The University Information Asset Classification & Management Policy provides the University of Oregon’s approach for classifying data and information systems (“information assets”) according to their potential level of risk to the University.  The policy and associated procedures also assign roles and responsibilities for protecting information assets and detail how such assets must be protected based on their classificationsThe following provides the acceptable standard for privileged account authentication to University computing and information resources. 

ENABLE TWO-FACTOR FOR PRIVILEGED ACCOUNTS 

Two-Factor authentication for administrator access by privileged accounts is required and shall be used, at least once, in the path for all network-based access, and for all local (or console) access to all University computing and information resources. 

REQUESTING EXEMPTIONS 

In the event that two-factor authentication cannot be achieved by any reasonable means, you can request an exemption by completing the Standard Exemption Request form. Be ready to provide details as to why the standard can't be followed, the duration of the exemption request and mitigating controls being put in place to manage the security posture of the University computing and information resource. 

REPORTING INAPPROPRIATE USE OF ADMINISTRATOR ACCESS 

As stated in the University Information Asset Classification & Management Policy, any data custodian who suspects a violation of the policy should contact the Information Security Office at infosec@uoregon.edu. This includes suspected access by privileged accounts without the use of two-factor authentication.  

Additional Information 

If you have any questions or comments related to this Standard, please send an email to the University Information Security Office at infosec@uoregon.edu. 

Additional information can also be found using the following resources: 

  • Using two-factor Authentication

https://service.uoregon.edu/TDClient/2030/Portal/KB/ArticleDet?ID=127986

  • University Information Security Program Policy 

https://policies.uoregon.edu/vol-4-finance-administration-infrastructure/ch-6-information-technology/information-security-program 

  • University Acceptable Use Policy 

https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=30997 

https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=30999 

  • University Information Asset Classification & Management Policy 

https://policies.uoregon.edu/vol-4-finance-administration-infrastructure/ch-6-information-technology/information-asset 

  • Data Security Classification Table 

https://infosec.uoregon.edu/data-security-classification-table