Purpose  

The purpose of this standard is to instruct systems, applications and services administrators on the appropriate use of two-factor authentication for administrative access to University of Oregon ("University") computing and information resources and to aid in the interpretation of requirements set forth in the University Minimum Information Security Controls Standard.

Applies To  

This Standard applies to all University-owned systems, applications and services that grant administrators, or any other individuals, Administrator Access to University computing and information resources.

Definitions  

Administrator Access is defined as a level of access above that of a standard end-user. This definition is intentionally vague to allow the flexibility to accommodate varying systems and authentication mechanisms. Under most circumstances this level of access is relegated to privileged accounts. The following are examples of administrator access:

  • In a traditional Microsoft Windows environment, members of the Power Users, Local Administrators, Domain Administrators and Enterprise Administrators groups would all be considered to have Administrator Access.
  • In a traditional UNIX or Linux environment, users with root-level access or the ability to sudo would be considered to have Administrator Access.
  • In an application environment, users with elevated privileges, ‘super-user’, system or database administrator roles and responsibilities would be considered to have Administrator Access.
  • Network and other infrastructure systems administrators are also considered to have Administrator Access.

Data Custodian is university personnel or a designated third-party agent responsible for the operation and management of information systems which collect, manage, process, or provide access to University Data. See the University Information Asset Classification & Management Policy for roles and responsibilities of Data Custodians.

Privileged Account is a user account that has more privileges than ordinary users. Privileged accounts might, for example, be able to install or remove software, upgrade the operating system, or modify network, system or application configurations. They might also have access to files that are not normally accessible to standard users.

System, Application, and Service can be loosely defined as any electronic environment that stores, processes or transmits information for the purpose of maintaining the operational functions of the University.

Two-factor Authentication is defined as a second layer of security to protect an account or system. Users must pass two layers of security before being granted access to an account or system. The University provides a Two-Step Login service that uses DUO Security to manage the second-factor authentication.

University computing and information resource is a collection of systems, applications and services that are owned, leased and/or operated by the University.

Standard  

The University Information Asset Classification & Management Policy provides the University of Oregon’s approach for classifying data and information systems (“information assets”) according to their potential level of risk to the University. The policy and associated procedures also assign roles and responsibilities for protecting information assets and detail how such assets must be protected based on their classifications. The following provides the acceptable standard for privileged account authentication to University computing and information resources.

ENABLE TWO-FACTOR FOR PRIVILEGED  ACCOUNTS  

Two-factor authentication for administrator access by privileged accounts is required and shall be used, at least once, in the path for all network-based access, and for all local (or console) access to all University computing and information resources. In situations where a device or system acts as a bastion (examples include but are not limited to the tech pool VDI, adminVPN, or bastion hosts), the two-factor re-authentication shall happen every time a user connects to the service.

REQUESTING EXEMPTIONS  

In the event that two-factor authentication cannot be achieved by any reasonable means, you can request an exemption by completing the Standard Exemption Request form. Be ready to provide details as to why the standard can't be followed, the duration of the exemption requested, and the mitigating controls being put in place to manage the security posture of the University computing and information resource.

REPORTING INAPPROPRIATE USE OF ADMINISTRATOR ACCESS  

As stated in the University Information Asset Classification & Management Policy, any data custodian who suspects a violation of the policy should contact the Information Security Office at infosec@uoregon.edu. This includes suspected access by privileged accounts without the use of two-factor authentication.

Additional Information  

If you have any questions or comments related to this Standard, please send an email to the University Information Security Office at infosec@uoregon.edu.

Additional information can also be found using the following resources:  

  • Using Two-factor Authentication

https://service.uoregon.edu/TDClient/2030/Portal/KB/ArticleDet?ID=127986 

  • University Information Security Program Policy

https://policies.uoregon.edu/vol-4-finance-administration-infrastructure/ch-6-information-technology/information-security-program  

  • University Acceptable Use Policy  

https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=30997  

https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=30999  

  • University Information Asset Classification & Management Policy

https://policies.uoregon.edu/vol-4-finance-administration-infrastructure/ch-6-information-technology/information-asset  

  • Data Security Classification Table  