World Agroforestry Centre Policy Series MG/C/3/2009
ILRI Policy Series

Information Security – Network User Identification and Authentication Policy

One of the policies on information security and business continuity which will be audited by the CGIAR Internal Audit Unit for all Centres, given (a) their network inter-linkage through Active Directory and (b) the inter-reliance of many Centres for information backup and recovery of hosted outreach sites.

Document Revision History

Version  Date        Author(s)  Revision Notes
1.0      18/09/2009  Ian Moore  Final draft circulated to staff
1.1      10/11/2009  Ian Moore  Added section on Systems and applications
1.2      30/11/2009  Ian Moore  Revised following SLT guidance

Document Control

The ICT Manager of the common services unit providing ICT Services to the World Agroforestry Centre (ICRAF) and the International Livestock Research Institute (ILRI) will maintain control of the document, which will be reviewed every two years in conjunction with the ICT Steering Group. Proposed updates will be presented to the Centres’ senior management for adoption according to their organizational arrangements for approval of ICT policies. Upon acceptance by the Centres, the update will come into force. Any discretionary controls added by a Centre may be reviewed annually; however, updates may occur more frequently if deemed necessary.

Purpose

The purpose of this document is to communicate the Centre’s policy on user assignment, identification and authentication through the use of User IDs and passwords. This document incorporates the CGIAR Internal Audit Unit’s (IAU) recommended best practices. All Centres will be reviewed by the IAU to ensure that they have implemented the recommended best practices in all their offices.
A shared CGIAR electronic network exists (through the implementation of Active Directory), which has created an inter-dependency among the Centres with regard to network security. It is therefore important that all Centres are reviewed against a common set of ICT security guidelines.

Scope

This document covers the assignment, identification and authentication of users included in the CGIAR Directory Services that have access to the Centre’s information system network. It does not cover controls relating to temporary visitor access to unsecured segments of the network for the purpose of granting Internet or extranet access, or access to word processing, spreadsheet or presentation applications. Nor does it cover access to specific applications run on the system; these are subject to specific Centre policies, which may provide for (a) “single sign on”, in which case the standards applied to network access will also apply to the application access, or (b) additional access controls for particular applications.

1. User Identification and Administration of User Accounts

The main principles are that: User IDs are used to identify and administer user accounts; they will only be assigned to those who are eligible to receive them; the person assigned the User ID is responsible for all tasks carried out under the User ID; and all User IDs will be set to expire at the end of the contract date or after a specified period of time. Exceptions will be implemented where a clear business benefit is submitted and approved in writing (e-mail).

1.1. Identification and authentication of users is required for all user access to the Centre networks. Unique User IDs will be assigned to all users so that activities performed can be linked to the responsible user.

1.2. Anyone with a contract to work for the Centre (permanent, temporary, consultant, student etc.) is entitled to a User ID in the Centre’s domain of the CGIAR directory service.

1.3. Anyone who has a contract to work for an organisation hosted by the Centre and whose duty station is at one of the Centre’s principal offices is entitled to a User ID in the Centre’s domain of the CGIAR directory service.

1.4. Where a clear business benefit exists, a User ID will be created for a partner following a written request by the Manager responsible for the partner. The Manager will be responsible for ensuring that the partner complies with all policies and procedures of the Centre. Access will be limited to the local resources required to carry out the work and to a period not exceeding six (6) months.

1.5. Where a clear business benefit exists, a specifically named User ID (e.g. HR Recruitment) or a shared User ID for a group of users (e.g. ICT Helpdesk) may be created and used.

1.6. Before a User Account is created the user should be made aware of, and should accept as a condition of network access, the Privacy and Acceptable Use policy.

1.7. Users are responsible and accountable for all actions, including information retrieval or communication on the Centre’s network, performed using their User ID and password. For specifically named or shared User IDs, the Manager who requested the creation of the User ID takes on this responsibility. The core principle is that security is everyone’s responsibility and everyone has a responsibility to protect their own “identity” on the Centre computer systems.

1.8. If a User ID has not been used for a period of six (6) months it is considered dormant and should be disabled until needed; when it is needed again, a new password will be created and issued.

1.9. Generic network accounts should be disabled or locked down where possible; any exceptions should be documented.

1.10. Privileged access rights (e.g. administrator) should be assigned to different user accounts from those used for day-to-day activities.

1.11. All User IDs will be set to expire on the end date of the contract. If a contract is for an indeterminate period, the expiry date should be set to a date not greater than one (1) year from the start date of the contract. Accounts will be extended on confirmation that a valid contract exists.

1.12. All specifically named or shared User IDs will be set to expire on a date not greater than one (1) year from the date they were requested. If the Manager confirms that the business benefit still exists, the User ID will be extended for an additional one (1) year period.

2. Password Composition, Confidentiality and Administration

The main principles are that: passwords are the sole means of protecting access to the network with a User ID; to prevent unauthorised access to the network it is important that passwords are kept secret and are strong enough to resist automated password-cracking tools.

2.1. Strong passwords should be utilised for User Accounts. This means that the password should:
• Be a minimum of eight (8) characters
• Be changed at least every 90 days
• Be different from the previous five (5) used
• Contain at least three (3) of the following four (4) character types: upper case characters (A-Z), lower case characters (a-z), numeric characters (0-9) or special characters (!”@$%&*…).

2.2. Stronger passwords should be utilised for System and Security Administrator accounts. This means that the password should:
• Be a minimum of eight (8) characters, though twelve (12) characters is recommended
• Be changed at least every 60 days. Service account passwords should be changed at least annually
• Be different from the previous five (5) used
• Contain at least three (3) of the following four (4) character types: upper case characters (A-Z), lower case characters (a-z), numeric characters (0-9) or special characters (!”@$%&*…).

2.3. It is highly recommended that passwords should not be identifiable with the user (such as the user’s first name or last name, or the names of a spouse, friends, relations or colleagues, or other easily guessed names).

2.4. The length and composition of passwords will be automatically enforced by the system at the time the password is set.

2.5. The ability to set NULL (blank) passwords should be disabled.

2.6. It is recommended to use long passphrases rather than passwords. A passphrase uses a string of words rather than a single word or a short run of randomised alphabetic and numeric characters (e.g. “rowRowRowYourBoat3times?”).

2.7. Users will maintain the secrecy of any passwords that give access to Centre information and Centre systems.

2.8. Passwords should be changed immediately if they become, or are suspected of having become, compromised.

2.9. Passwords shall not be shared with another user unless required for critical business, legal or emergency purposes. In such cases, responsibility for any misuse will remain with the owner of the User ID.

2.10. If knowledge of a password presents a single point of failure (i.e. only one person knows the password required for access to a system, and it is required for that system to operate), the password will be placed in a sealed envelope and placed in a fireproof safe that is only accessible to senior managers (i.e. not the data safe used by ICT staff in their daily work).

2.11. Passwords should not be written down or stored, either physically or electronically, in plain text or unencrypted. If a password must be written down it should be stored in a secured storage unit accessible only by the password owner.

2.12. Passwords should be masked (i.e. should appear as ***** or similar) on the computer screen when users are entering them.

2.13. Initial passwords for all new User IDs, and reset passwords assigned when a user forgets their password or when it becomes, or is suspected of having become, compromised, shall be given to users in a secure manner. Passwords can be reset using the secure “AD Self Service” utility. The use of third parties or unprotected (clear text) e-mail messages should be avoided.

2.14. On the 5th of each month (or the next working day) a review of all initial and reset passwords set during the previous month will be carried out. If an initial or reset password has not been used, that account will be disabled until needed; when it is needed again, a new password will be created and issued.

2.15. When provided with a password, users are required to change it to a different password of their own choosing immediately after they next log on to the system.

2.16. System and Security Administrator passwords (e.g. root, enable, Administrator, SYSTEM) should be reviewed and updated or revoked prior to any change in administrative responsibility, such as the current administrator leaving the organisation or changing roles.

2.17. Passwords should not be set to never expire. Where a business case exists, exceptions can be made, for example for system or service passwords whose expiry would affect the operation of services. All exceptions should be documented.

2.18. Default User IDs and passwords should be changed immediately following installation of systems or software.

3. Lockout of User ID after Failed Logon Attempts

The main principle is that: to prevent automated tools configured by attackers from making continuous attempts to guess passwords and gain access to network systems, it is necessary to lock accounts after a specified number of failed attempts.

3.1. User IDs should be locked, and users prevented from accessing the network, after a maximum of four (4) consecutive invalid login attempts for that User ID.

3.2. Locked-out User IDs should be reactivated automatically after thirty (30) minutes. Alternatively, a user can reactivate their account using the secure “AD Self Service” utility.

3.3. The User IDs for users with privileges such as root, administrator or supervisor should not be suspended, as their suspension could create a denial of an essential service.

4. Login/Logout Processes

The main principles are that: anyone attempting to log on to the network systems should be made aware, through a warning/disclaimer, that this is a corporate network that only authorised users should access; and that unauthorised people should not be able to gain access to the network because a computer has been left logged in while unattended or inactive for any period of time.

4.1. The login screen for multi-user computers (apart from those on a visitor or public network) should include a special notice that:
• The system may only be accessed by authorized users
• Users who log in confirm that they are authorized to do so
• Unauthorized system usage or abuse is subject to disciplinary action
• System usage may be monitored and logged.

4.2. If there has been no activity on a computer terminal, workstation or desktop computer for at least thirty (30) minutes, the system should automatically blank the screen and suspend the session. Re-establishment of the session shall take place only after the user has provided the correct password. This suspension period can be shortened for administrators and users of confidential data, or lengthened for systems intended for broad use.

4.3. Users should log out from the network or suspend the session manually if the computer terminal, workstation or desktop computer will be left unattended for any period of time. Re-establishment of the session shall take place only after the user has provided the correct password.

5. Termination of User Access

The main principles are that: access to the Centre networks should be removed as soon as a user is no longer eligible to receive these privileges; and access to information and network resources should be transferred to another responsible user if it is still required by the Centre.

5.1. In the case of voluntary or scheduled termination of a user’s employment, the Centre should disable the User ID immediately upon the departure of the user to remove their access to the network, unless extension of the account is required for Centre purposes. Where an extension is required, it must be authorised by the Senior Manager and should not exceed a period of one (1) month.

5.2. In the case of a user being subject to involuntary termination of employment, the Centre should disable the User ID, and access to the network, as soon as the decision to terminate is made. The Centre should implement appropriate “end of employment” procedures to ensure that the necessary authority is promptly communicated to the network administrator by the Head of Human Resources in such cases.

5.3. Redundant User IDs (i.e. the account of a staff member who has left the Centre) should not be re-used by other users. After a user has left, their User ID should be deleted and any information or privileges attached to that account removed or transferred to another User ID.

6. Systems and Applications

The main principles are that: access to the Centre’s business systems and applications should follow similar policies to access to the Centre’s network; and, wherever possible, authentication should be linked to the Active Directory User ID.

6.1. Where the risks are within acceptable limits and where the Systems and Applications allow, the Active Directory User ID and password should be used to identify and authenticate access to the Systems and Applications used by the Centre, using a Single Sign On (SSO) methodology.

6.2. Where SSO is not possible, Systems and Application identification and authentication should use the same criteria as defined for Systems Administrators, or the closest equivalent allowed by the System or Application. These exceptions should be clearly documented.

7. Related Documentation

7.1. Network Infrastructure Security Policy
7.2. ICT Privacy and Acceptable Use Policy
7.3. Workstation Security Policy
7.4. Internet and Email Security Policy

8. Compliance and Waivers

8.1. Compliance with this policy by users, network administrators, information security officers and others responsible for implementation of the policy is mandatory. The Centre shall implement procedures to monitor compliance with this policy.

8.2. Violations of this policy may result in disciplinary action in accordance with the human resources policies of the Centre.

8.3. Requests for waivers of this policy shall be formally submitted to the Senior Manager. The request shall set out the justification, the duration of the proposed waiver and how the increased risk arising from the waiver will be managed. Requests will be approved by the Senior Manager of the person making the request, in consultation with the ICT Manager, and will be documented in the form of a management letter.

8.4. Approved waivers shall be monitored to ensure that the conditions of the waivers are being observed.

Definitions

• Curator: The person who is responsible for managing and administering a resource on the Centre’s network. This can be equipment, systems and applications, or data and information.

• Network: The system established by a Centre whereby workstations, servers and other data processing nodes are interconnected for the purpose of electronic data communication, storage and processing within and outside the Centre. Each CGIAR Centre network is connected through Active Directory, a directory services technology.
• Secured Network segment: A network segment is a specially configured subset of a larger network, bounded by devices capable of regulating the flow of packets into and out of the segment, including routers, switches, hubs, bridges or multi-homed gateways (but not simple repeaters); a secured segment is one that is protected by a firewall.

• Unsecured Network segment: A network segment that is not protected by a firewall.

• User: A person or process that accesses any CGIAR Centre information system and has a log-in account on the network.

• Identification: The process that enables recognition of a user by a system, generally by the use of unique, machine-readable User IDs.

• Authentication: The process of verifying the identity claimed by an individual, usually based on a username and password. Authentication is distinct from authorisation, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. Three types of factor are used to provide authentication: a) something you know (e.g. a password), b) something you have (e.g. a certificate or card), and c) something you are (e.g. a fingerprint or retinal pattern). Using any two in conjunction is known as two-factor authentication.

• User ID: A unique character string that is used by a system to identify a specific user. It may also be referred to as username, user account, profile, user profile, login name or login account.

• Password: A secret word, sentence or code used to validate a user’s identity to access an information system or service. A passphrase differs from a password only in length: passwords are usually shorter (from 8 to 12 characters) while passphrases are usually longer (100 characters or more).

• Senior Manager: The person on the Centre’s management committee (MC/SLT) who has responsibility for the person making the request.

• UPN: The User Principal Name is linked to a User ID. In the Microsoft Active Directory configuration of the CGIAR the UPN can be global, and used to give access to all Directory resources, or local, and used to restrict access to resources within the Centre’s domain.
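The numeric controls in sections 1.8, 1.11/1.12, 2.1, 2.2, 2.14, 2.17 and 3.1–3.3 map directly onto Active Directory domain settings. The following PowerShell is an added example, not part of the ICRAF/ILRI policy or of the CGIAR IAU guidance, showing how an ICT administrator would apply them. It assumes the ActiveDirectory RSAT module, a domain functional level of Windows Server 2008 or later (required for fine-grained password policies), and two hypothetical security groups, ‘ICT-Admins’ and ‘Service-Accounts’; the user ‘jdoe’, the contract end date and the policy names are also assumptions.

```powershell
# Added example, not part of the ICRAF/ILRI policy document: implements the
# numeric controls of sections 1.8, 1.11/1.12, 2.1, 2.2, 2.14, 2.17 and 3.1-3.3
# in an Active Directory domain. Assumptions: the ActiveDirectory RSAT module,
# a domain functional level of Windows Server 2008 or later (needed for
# fine-grained password policies), and two hypothetical groups, 'ICT-Admins'
# and 'Service-Accounts'. Run as a Domain Admin; -WhatIf previews the changes.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 2.1, 3.1, 3.2: default domain policy for ordinary User IDs.
# AD's built-in complexity rule is 3 of 5 character classes (it also counts
# letters outside A-Z/a-z) and rejects passwords containing the account or
# display name, which partly covers 2.3. MinPasswordAge is not in the policy;
# without it a user can cycle through five passwords and reuse the old one.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
    -MinPasswordLength 8 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 5 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 4 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)   # must not exceed LockoutDuration

# 2.2 and 3.3: stricter fine-grained policy for administrator accounts.
# Lower Precedence wins if a user falls under several policies.
# LockoutThreshold 0 means "never lock", as 3.3 requires; since guessing
# against these accounts can no longer be stopped by lockout, the 12-character
# minimum is applied and failed logons against them should be alerted on.
New-ADFineGrainedPasswordPolicy -Name 'Policy-Admins' -Precedence 10 `
    -MinPasswordLength 12 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 5 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 0
Add-ADFineGrainedPasswordPolicySubject -Identity 'Policy-Admins' -Subjects 'ICT-Admins'

# 2.2 (last bullet) and 2.17: service accounts rotate at least annually
# instead of being set to "never expire".
New-ADFineGrainedPasswordPolicy -Name 'Policy-ServiceAccounts' -Precedence 20 `
    -MinPasswordLength 12 `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -PasswordHistoryCount 5 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 0
Add-ADFineGrainedPasswordPolicySubject -Identity 'Policy-ServiceAccounts' -Subjects 'Service-Accounts'

# 2.17: every remaining "password never expires" account is an exception that
# must be documented; list them for the review.
Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Select-Object SamAccountName, PasswordNeverExpires

# 1.11 / 1.12: tie expiry to the contract end (or one year for named/shared
# IDs), then list accounts already past expiry for the extension check.
Set-ADAccountExpirationDate -Identity 'jdoe' -DateTime (Get-Date '2010-06-30')   # hypothetical user and date
Search-ADAccount -AccountExpired -UsersOnly |
    Select-Object SamAccountName, AccountExpirationDate

# 1.8: disable User IDs unused for six months. -AccountInactive is based on
# lastLogonTimestamp, which replicates with up to a 14-day lag, so a
# borderline account can look a fortnight staler than it really is.
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 180) -UsersOnly |
    Where-Object { $_.Enabled } |
    Disable-ADAccount -WhatIf

# 2.14: monthly review of initial or reset passwords that were never used.
# A PasswordLastSet newer than the last logon means the password was issued
# but not used; confirm against each DC's lastLogon before disabling.
$since = (Get-Date).AddMonths(-1)
Get-ADUser -Filter { Enabled -eq $true -and PasswordLastSet -ge $since } `
    -Properties PasswordLastSet, LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $_.PasswordLastSet } |
    Disable-ADAccount -WhatIf
```

Two caveats when running this. If the Default Domain Policy GPO defines the password and lockout settings, Group Policy will reapply its values over Set-ADDefaultDomainPasswordPolicy at the next refresh, so the same numbers must be set in that GPO (or only there). The login banner and 30-minute screen lock of section 4 are per-computer Group Policy settings rather than directory attributes and are not covered by the script. Remove -WhatIf only after the listed accounts have been checked against the 1.8 and 2.14 criteria.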