Account Security Standard
Background
For questions about this standard, please open a ticket at Help.UNM or Help.Health.UNM
This standard is based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63B, Digital Identity Guidelines, and describes how UNM users, as well as system and application administrators, must configure and use passphrases and Multi-Factor Authentication (MFA) to protect accounts that provide access to UNM information and systems. This standard helps protect Personally Identifiable Information (PII), Personal Health Information (PHI), and Controlled Unclassified Information (CUI) for which UNM is responsible, by helping to ensure that only authorized users can access such information or the systems that contain it. All members of the UNM community must follow this standard in order to comply with UNM Policies 2500 and 2520, among other UNM policies.
UNM Information Systems User Requirements
All users of UNM information systems, including system and application administrators when managing systems, are responsible for:
- Maintaining the security of their account credentials and never sharing their credentials
- Selecting strong passphrases for their UNM accounts
- Selecting a passphrase that has not been used on any other system, and in particular never one that has been used on a non-UNM system
- Selecting a passphrase that does not contain PII or other readily guessable details
- Changing their passphrases when passphrases are suspected or known to have been compromised
- Changing their passphrase immediately after a service desk passphrase reset
- Using Multi-Factor Authentication (MFA) on every UNM system on which MFA is available
- Using a “service account” and/or other separate “privileged account,” when managing IT services, or when needed to utilize elevated privileges on a system, but never for day-to-day activities, such as web browsing, reading email, etc.
- Being mindful when approving Multi-Factor Authentication (MFA) requests, so as to only approve requests that the authorized user has initiated
- Using secure password management software, where available
UNM System and Application Administrator Requirements
All system and application administrators, as well as account/identity management administrators are responsible for:
- Configuring information systems and applications for which administrators are responsible to comply with this standard
- Changing all default passphrases when implementing new or replacement products, technologies, or systems
- Creating and using separate “service accounts” and/or “privileged accounts” to manage information systems and applications, or when elevated privileges are otherwise needed
- Documenting ownership and retention requirements of all privileged/service accounts
- Differentiating user, privileged, and service accounts, and recording details including:
- User or department name, account name, purpose for account, creation and de-provisioning dates
- Periodically auditing the inventory of all accounts and ensuring that:
- Access to the account is still needed
- Privileges for the account are still needed. If a role change results in different privileges for the account, the passphrase must be reset and all active sessions terminated
- Accounts that are inactive are locked after a reasonable period of inactivity.
- Due to regulatory and record retention requirements, inactive accounts should be locked and de-provisioned, but not deleted. The appropriate UNM Information Security Office can assist areas in determining what inactivity period is reasonable
- Accounts are created and authorized using the appropriate processes, especially for new and/or privileged accounts, ensuring accounts are associated with a valid department or user
- Ensuring that any non-employee/vendor accounts follow all UNM procedures for authorizing and securing such accounts
- Ensuring that service and/or privileged accounts have complex passphrases that meet the passphrase requirements below
- Configuring all non-service account access to require MFA in order to access the application or system
- Configuring MFA to expire and require reauthentication after no more than thirty (30) days
- Configuring systems to disallow known (i.e., compromised, published, and/or sample) passphrases
- Complying with the "MFA Requirements" section below
- Ensuring that passphrases are never re-used on an application, information system, or account management system
- Ensuring that passphrases are changed at least annually for all service and/or privileged accounts
- Ensuring that passphrases are stored in a secure, unrecoverable manner (e.g. hashing)
- Ensuring that self-service passphrase resets can occur no more than once every day
- Configuring systems to lock user accounts after five (5) failed passphrase attempts for at least fifteen (15) minutes
- Configuring systems to expire user and privileged account sessions after a reasonable pre-defined period. The appropriate UNM Information Security Office can assist areas in determining what session expiration period is reasonable
- Using Privileged Account Management (PAM) software that is approved and authorized by UNM, to securely manage account credentials, where available
- Enabling the “show passphrase” option, if the application or information system supports this feature
- Configuring systems so that passphrases are not composed of easily guessed characters, words, or terms, such as “Passwordpasswordpassword,” by utilizing a passphrase dictionary or similar tool to prevent weak passphrases from being selected
- Configuring systems so that passphrases do not contain the same character or phrase more than two (2) times in a row (e.g., aaaa123456789asdfzxcv is not allowed because the "a" character appears four times in a row)
- Configuring systems to prevent password hints and other mechanisms that may leak information regarding the passphrase
- Configuring systems to de-provision accounts after employee role-change or separation in a timely manner
- Establishing manual procedures for emergency de-provisioning of accounts
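The following is an added example, not part of the UNM standard or of any UNM system, showing three of the administrator requirements above in working code: passphrases stored only as salted, slow hashes (hashlib.scrypt, a one-way function, so the stored value cannot be recovered), lockout after five (5) failed attempts for at least fifteen (15) minutes, and a role change that resets the passphrase and terminates every active session. The account names, passphrases, the injected clock and the scrypt work factor are constructed or assumed for the demonstration.

```python
"""Added example (not part of the UNM standard or any UNM system): a minimal
credential store that shows, in working code,
  - passphrases stored only as salted, slow hashes (hashlib.scrypt),
  - lockout after five (5) failed attempts for at least fifteen (15) minutes,
  - a role change that resets the passphrase and ends all active sessions.
Account names, passphrases, the clock and the scrypt work factor are
constructed/assumed for the demonstration."""
import hashlib
import hmac
import os
import secrets
from typing import Callable, Dict, Optional, Set, Tuple

LOCKOUT_THRESHOLD = 5        # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60    # minimum lock duration
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)   # assumed work factor; tune per host


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The scrypt digest cannot be reversed to the passphrase."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return salt, digest


class Account:
    def __init__(self, name: str, passphrase: str, role: str) -> None:
        self.name = name
        self.role = role
        self.salt, self.digest = hash_passphrase(passphrase)   # plaintext is never kept
        self.failed_attempts = 0
        self.locked_until = 0.0          # epoch seconds; 0 means not locked
        self.sessions: Set[str] = set()


class CredentialStore:
    def __init__(self, clock: Callable[[], float]) -> None:
        self.clock = clock               # injected so lockout expiry can be tested offline
        self.accounts: Dict[str, Account] = {}

    def create(self, name: str, passphrase: str, role: str = "user") -> None:
        self.accounts[name] = Account(name, passphrase, role)

    def is_locked(self, name: str) -> bool:
        return self.accounts[name].locked_until > self.clock()

    def authenticate(self, name: str, passphrase: str) -> Optional[str]:
        """Return a session token on success; None on failure or while locked."""
        acct = self.accounts.get(name)
        if acct is None:
            hash_passphrase(passphrase, b"\x00" * 16)   # same cost for unknown names
            return None
        if self.is_locked(name):
            return None                  # locked: do not evaluate the passphrase at all
        _, candidate = hash_passphrase(passphrase, acct.salt)
        if not hmac.compare_digest(candidate, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:
                acct.locked_until = self.clock() + LOCKOUT_SECONDS
                acct.failed_attempts = 0
            return None
        acct.failed_attempts = 0
        token = secrets.token_urlsafe(32)
        acct.sessions.add(token)
        return token

    def change_role(self, name: str, new_role: str, new_passphrase: str) -> None:
        """Role change: new privileges, new passphrase, and every active session ended."""
        acct = self.accounts[name]
        acct.role = new_role
        acct.salt, acct.digest = hash_passphrase(new_passphrase)
        acct.sessions.clear()


if __name__ == "__main__":
    now = [1_700_000_000.0]              # constructed clock
    store = CredentialStore(lambda: now[0])
    store.create("jdoe", "correct horse Battery staple")
    for _ in range(LOCKOUT_THRESHOLD):
        store.authenticate("jdoe", "wrong guess")
    print("locked after 5 failures:", store.is_locked("jdoe"))
    now[0] += LOCKOUT_SECONDS + 1
    print("login after lock expires:", store.authenticate("jdoe", "correct horse Battery staple") is not None)
```

The lock is checked before the passphrase is hashed, so a locked account cannot be probed at all during the lockout window, and the unknown-account path still pays the hashing cost so that valid account names cannot be enumerated by timing.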
Authorized UNM information security offices may periodically assess passphrase strength by conducting brute-force, dictionary, or other passphrase guessing exercises, to validate that passphrases are not easily compromised and do not expose UNM accounts, applications, or information systems. Accounts whose passphrases are compromised in such exercises must be locked until a stronger passphrase is selected.
UNM Passphrase Requirements
Passphrases requirements for UNM information systems must meet or exceed the following:
- Passphrases must contain at least fourteen (14) characters, including a mix of upper- and lower-case letters
- Passphrases must be changed when compromise is suspected or if passphrase is found to be weak during information security passphrase testing. User account passphrases do not otherwise expire
- Passphrases may not
- Be composed of easily guessed words or terms, such as “Passwordpasswordpassword”
- Contain the same character or phrase more than two (2) times in a row (e.g., aaaa123456789asdfzxcv is not allowed because the "a" character appears four times in a row)
- Have been used by the account user before, and may not be used on any other system (for example, never use a UNM passphrase for your Facebook account or for your banking site)
- Other passphrase complexity rules are not enforced: a passphrase does not need special characters, numbers, etc.
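The following is an added example, not part of the UNM standard or of any UNM system, that implements the passphrase rules above (and the related administrator requirements for a passphrase dictionary, repeated-character detection, and rejecting PII) as a validator returning the list of violated rules. The known-term blocklist, the user attributes and the history predicate are constructed for the demonstration; a deployment would feed in a compromised-passphrase list and the account system's own passphrase history.

```python
"""Added example (not part of the UNM standard or any UNM system): a
validator for the passphrase rules in the standard. The blocklist, user
attributes and history predicate are constructed for the demonstration."""
import re
from typing import Callable, Iterable, List

MIN_LENGTH = 14
# Constructed sample of known passphrases/terms (compromised, published or sample).
KNOWN_TERMS = {"password", "passphrase", "welcome", "letmein", "changeme", "lobos", "unm"}
# Any character or phrase that appears three or more times in a row (case-insensitive).
_REPEATED = re.compile(r"(.+?)\1{2,}", re.IGNORECASE)

TOO_SHORT = "too_short"
NO_MIXED_CASE = "no_mixed_case"
KNOWN_WORDS = "composed_of_known_words"
REPEATED = "repeated_sequence"
USER_ATTRIBUTE = "contains_user_attribute"
PREVIOUSLY_USED = "previously_used"


def validate_passphrase(
    passphrase: str,
    user_attributes: Iterable[str] = (),
    previously_used: Callable[[str], bool] = lambda p: False,
) -> List[str]:
    """Return the list of violated rules; an empty list means the passphrase is acceptable."""
    violations: List[str] = []
    lowered = passphrase.lower()

    if len(passphrase) < MIN_LENGTH:
        violations.append(TOO_SHORT)
    if not (any(c.isupper() for c in passphrase) and any(c.islower() for c in passphrase)):
        violations.append(NO_MIXED_CASE)

    # Dictionary check: strip every known term (longest first) and see whether any letters
    # remain. "Passwordpasswordpassword" and "Welcome2024Lobos!" are both caught here.
    remainder, found = lowered, False
    for term in sorted(KNOWN_TERMS, key=len, reverse=True):
        if term in remainder:
            found = True
            remainder = remainder.replace(term, "")
    if found and not re.search(r"[a-z]", remainder):
        violations.append(KNOWN_WORDS)

    # Same character or phrase more than two times in a row.
    if _REPEATED.search(passphrase):
        violations.append(REPEATED)

    # PII or other readily guessable details: NetID, names, Banner ID, etc.
    for attr in user_attributes:
        if attr and len(attr) >= 3 and attr.lower() in lowered:
            violations.append(USER_ATTRIBUTE)
            break

    # History: a real system compares against stored salted hashes of prior passphrases.
    if previously_used(passphrase):
        violations.append(PREVIOUSLY_USED)

    return violations


if __name__ == "__main__":
    samples = ("Passwordpasswordpassword", "aaaa123456789asdfzxcv", "correct horse Battery staple")
    for candidate in samples:
        result = validate_passphrase(candidate, ["jdoe", "Jane", "Doe"])
        print(repr(candidate), "->", result or "OK")
```

Note that the repetition rule is applied to phrases, not just single characters: the regex catches "Passwordpasswordpassword" even if "password" were absent from the blocklist, while a passphrase such as "correct horse Battery staple" passes every rule because no additional complexity (digits, symbols) is required.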
MFA Requirements
- All account access for all UNM applications and information systems must use at least two (2) “Factors,” to enforce Multi-Factor Authentication (MFA).
- Due to risks to Personally Identifiable Information (PII), UNM recommends not using biometric factors for authentication to UNM applications or systems
- Due to the ease of interception, SMS and other push technologies are the least secure MFA factors, and should not be used for privileged or service accounts
- Similarly, SMS and other push technologies should not be used for standard accounts
If an application, account management system, or information system is not capable of technically enforcing any of these requirements, administrators must consult with the Information Security and Privacy Office to determine whether compensating controls can be implemented to protect the application or system. Exceptions to this standard must document the risks related to the information accessible through the system, and require CIO approval. Please open a ticket in the appropriate Cherwell ticketing system (Main and Branch Campuses; Health and Health Systems) to request an Information Security assessment.
Policy References
- UNM Policy 2500: Acceptable Use Policy
- UNM Policy 2520: Computer Security Controls and Access to Personally Identifiable Information
- UNM Policy 2550, Information Security Policy
- Working With UNM Data standard
Glossary of Terms
- Account Credentials – Accounts may be local to an appliance or system, or may be provided by an account directory system. Credentials may consist of the following non-exhaustive attributes:
- Account name or number (NetID, Banner ID)
- Passphrase
- Personal Identification Number (PIN)
- Multi-Factor Authentication (MFA) – authentication using two or more of the following factor types:
- Something you know (a passphrase)
- Something you have (a fob, a mobile device with an MFA application)
- Something you are (biometrics, such as hand geometry, fingerprints, etc.)
- Privileged Account – An account that a person uses to access information where privileges greater than those of a standard user account are needed to complete work. Privileged accounts must not be used for non-administrative purposes (e.g., web browsing, email)
- Service Account – An account that is used specifically for running an application or IT service
- Standard Account – Any account on any information system that is used by an individual to access that information system
NOTICE: The ISPO's Information Security Operations area will update this document on a periodic basis in response to emerging trends and guidance from information security professional organizations.
The ISPO utilizes the University’s enterprise ticketing system Help.UNM and intake services provided by the UNM Information Technologies (UNM IT) Service Desk, the University's central support organization for information technology-related services and computer-related issues. All information security-related events, incidents, and requests are forwarded to the ISPO by UNM IT Service Desk Staff. If you have feedback or questions regarding this document, please use Help.UNM or call the UNM IT Service Desk at 505-277-5757 to ensure that your request is opened, tracked, and processed in a timely manner.