...

  • Account Information Management data saved
  • Provision Account to Authentication Store(s)
  • Confirm Change with User Email Communication


  • Password Composition Rule:

...

    • Note: password composition rules can vary for an individual account based on attributes of the account; in this example we call this the Password Level. An implementation can support 1 to N password levels. The level reflects the controls in force and allows policy to be applied based on the access granted to the account. An access permission granted to an account sets a value on the registry entry that binds the account to the user entity. The levels control password parameters such as minimum password length, composition, and days before expiration. The attributes may change over time as the access permitted to the account changes, and such a change can require a password change. For example, if the account is granted PCI access, its password must expire every 90 days; this change would trigger a password change if the current password is due to expire in more than 90 days. Let's say access is set in 5 levels:
    • Self service
    • Updates/view sensitive data for a department/college
    • Updates/view sensitive data on an institution-wide basis
    • Updates/configure an application, server/vm, middleware, network, PCI/FBI, standards.
    • FISMA Moderate controlled compliance

...

      • When: invoked whenever collecting a new value for a password:
      • Acceptable character set (example: A-Z, a-z, 0-9, special .,!#$%^&*()<>?/;:)
      • Dictionary check (must be at least 50K words/patterns)
      • Length of password based on LevelofStrength = min x characters
      • Duration of password based on LevelofStrength = n days
      • Or
      • If passphrase of at least 18 characters.
      • Some patterns will need to be checked (e.g. 11111111111111111111111111111111111111 is not allowed)
      • Uses the acceptable character set
    • Two Factor Authentication Rule:
      • EduPerson Faculty, Staff or Employee whose information includes them in the "Bronze level Access Group" may opt in to two factor using self service.
      • EduPerson Faculty, Staff or Employee with jobs that access PII or have campus-wide access to administrative applications with restricted data will be in the group "Must have two factor auth", driven by the assigned access privileges.
      • If a person has been phished and does not use the Two Factor Auth service, then the individual will be added to the "Once phished then two factor" group.
      • All individuals above will use the self service sign up for the two factor service.
      • Weekly reports of individuals who should have two factor but have not enrolled will be produced and the unit/college security administrators notified of the omissions.
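The password composition rule and the level-driven duration rule above, as an added Python example that is not part of this page or of any implementation it describes. The per-level minimum lengths and expiry days, the tiny dictionary, and the reading of the "Or … passphrase of at least 18 characters" bullet (a passphrase satisfies the length rule for any level and is exempt from the dictionary check) are all assumptions made for the example.

```python
import re
from datetime import date

# Assumed per-level parameters for the 5 access levels in the note above;
# in a real deployment they come from the account's registry entry.
LEVEL_POLICY = {
    1: {"min_length": 8, "max_days": 365},   # self service
    2: {"min_length": 10, "max_days": 180},  # department/college sensitive data
    3: {"min_length": 12, "max_days": 120},  # institution-wide sensitive data
    4: {"min_length": 14, "max_days": 90},   # PCI/FBI etc.: expire every 90 days
    5: {"min_length": 16, "max_days": 60},   # FISMA Moderate
}
ACCEPTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789.,!#$%^&*()<>?/;:")
PASSPHRASE_MIN = 18
# Constructed stand-in; the real dictionary must hold >= 50K words/patterns.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "university"}


def check_password(candidate: str, level: int) -> list:
    """Return the rule violations for a new password value ([] = accepted)."""
    problems = []
    if not candidate or not set(candidate) <= ACCEPTABLE:
        problems.append("unacceptable character")
    # Pattern check: a chunk repeated to fill the whole value (1111..., abab...).
    if candidate and re.fullmatch(r"(.+?)\1+", candidate):
        problems.append("repeated pattern")
    is_passphrase = len(candidate) >= PASSPHRASE_MIN
    if len(candidate) < LEVEL_POLICY[level]["min_length"] and not is_passphrase:
        problems.append("too short for level %d" % level)
    # Dictionary check; passphrases are read as exempt (assumption) because
    # they are expected to be built from real words.
    if not is_passphrase and candidate.lower() in DICTIONARY:
        problems.append("dictionary word")
    return problems


def days_until_expiry(set_on: date, today: date, level: int) -> int:
    """Days left before a password set on `set_on` must change at `level`."""
    return LEVEL_POLICY[level]["max_days"] - (today - set_on).days


def must_change_on_level_change(set_on, today, old_level, new_level) -> bool:
    """Apply the note's criterion: a level change forces a password change when
    the current password would otherwise expire later than the new level allows."""
    remaining = days_until_expiry(set_on, today, old_level)
    return remaining > LEVEL_POLICY[new_level]["max_days"]
```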


Account Credential Disable/Enable:


      • Action entry to disable/enable account
      • Account Information Management data disable/enable
      • Provision Disable/Enable to Authentication Store(s)
      • Notify user via email to personal email (out of band)


Account Credential Expire/UnExpire:

...