HUIT IAM Policies & Standards

This version of the HUIT IAM policies and standards has been optimized for printing. You may wish to view the interactive version here.

2.0 IAM Policies and Standards

Notes
  • The policies and standards outlined below only include people (not processes or devices).
  • The policies and standards outlined below only apply to non-anonymous identifiers (not, for example, self-assigned XIDs).
  • The policies and standards outlined below do not include requirements for systems protected by HUIT IAM services; such systems are covered by the University's IT security policy.
  • In all cases, the policies and standards outlined below prohibit the use as public identifiers of any HUIT IAM identifiers that have not been listed as FERPA directory elements (such as HUID and UUID).
  • The policies and standards outlined below assume adherence to the University's IT security policy; as such, requirements from that policy are not duplicated here.

2.1 Identification

(HU-IAM-ID-1) Policy: Identification

Policy
  • HUIT IAM systems that provide authentication or authorization services shall uniquely identify individuals authenticated or authorized by said systems.
  • HUIT IAM shall maintain HUIDs uniquely identifying those individuals who are approved to be assigned them.
Reason
  • Securely and uniquely identifying individuals who make use of University resources helps ensure that access to information and resources can be limited to those individuals who have a legitimate business reason.
  • Securely and uniquely identifying individuals also helps ensure that a proper audit trail can be maintained by recording who accessed resources or performed functions.
Controls
  • HUIT IAM shall enforce the University's password strength requirements in any IAM system that enables a user to change his or her password.
  • HUIT IAM shall require that individuals are uniquely identified and authorized prior to being authenticated.
  • HUIT IAM shall assign and maintain a HUID for all appropriate members of the Harvard community, as well as sponsored "other" individuals.
  • HUIT IAM shall assign and maintain a UUID for all individuals assigned a HUID in order to ensure uniqueness of a person across HUIT and the University.
  • HUIT IAM shall enable the selection of a HarvardKey for appropriate HUID holders.
  • HUIT IAM shall maintain the selected HarvardKey credentials.
  • HUIT IAM shall assign and maintain a University NetID for individuals assigned a HarvardKey.
  • HUIT IAM shall enable the assignment of XIDs to approved individuals.
  • HUIT IAM shall obtain and maintain at least a minimal set of personal information for all holders of HUIT identifiers (HUIDs and XIDs) to ensure that individuals can be properly identified.
  • The process used for initial enrollment in HUIT IAM services must ensure that the correct individual is being enrolled.
Notes
  • See the HUID assignment rules document for a definition of individuals approved to be assigned HUIDs.

(HU-IAM-ID-1.1) Standard: Password Strength

Standard
  • HUIT IAM systems that enable users to change their passwords shall implement — at a minimum — the current University password strength requirements.
Reason
  • Weak or guessable passwords reduce our ability to ensure that users are properly identified, and may enable individuals without a legitimate business reason to access University information or resources.
Controls
  • The function for setting or resetting passwords in HUIT IAM systems shall not permit a user to set a password that does not meet the current University password strength rules.
  • HUIT IAM shall monitor the University password strength policy and update its password change software as needed to conform to current policy.
  • The function for setting or resetting passwords in HUIT IAM systems should provide direct access to clearly-written documentation to assist users in creating secure passwords.

(HU-IAM-ID-1.2) Standard: HUID Eligibility and Assignment

Standard
  • HUIT IAM shall assign unique HUIDs to individuals who meet the HUID assignment criteria.
  • HUIT IAM shall maintain records of all HUID assignments.
Reason
  • The Harvard University Identification Number (HUID) provides a foundation for uniquely and consistently identifying individuals with ongoing relationships to the University, and provides a linking mechanism to unite information associated with an identity across many distributed information sets and application-specific repositories across Harvard.
  • Improper assignment of HUIDs may result in duplicate identities; this could lead to unauthorized or inappropriate access, or loss or misuse of resources protected by HUIT IAM.
Controls
  • HUIT IAM shall assign a Harvard University Identification Number (HUID) to members of the Harvard community (employees, faculty, accepted or admitted students, alumni, etc.) and select affiliates (contractors, family members, etc.) as long as the individual meets the selection criteria and proper identity information is provided.
  • HUIT IAM shall also assign HUIDs to external users who register and supply sufficient identity information and who are sponsored by an officially recognized HUIT designee.
  • HUIT IAM shall require sponsorship by an officially recognized HUIT designee for non-University users to obtain HUIDs.
  • HUIT IAM shall maintain directory, role, and other information associated with the individuals assigned HUIDs.
  • HUIT IAM records shall clearly differentiate any unassured, self-registered users.
Notes
  • HUID assignment criteria are outlined in a separate document.
  • There are special situations where an individual may be assigned multiple HUIDs, either accidentally or intentionally.

(HU-IAM-ID-1.3) Standard: UUID Eligibility and Assignment

Standard
  • HUIT IAM shall assign a unique Harvard Universal Unique Identifier (UUID) to individuals who are assigned other HUIT IAM identifiers.
Reason
  • The Harvard UUID provides a foundation for uniquely and consistently identifying individuals, as well as providing a linking mechanism to unite information associated with an identity across distributed information sets and application-specific repositories across Harvard.
  • The absence of a UUID standard may result in duplicate identities that could lead to unauthorized or inappropriate access, or loss or misuse of resources protected by HUIT IAM.
Controls
  • Ensure that individuals who are assigned HUIDs also have or are assigned a UUID.
  • Ensure that individuals who are assigned XIDs are also assigned a UUID.
  • Maintain UUID assignments in IdDB.
  • Ensure that generated UUIDs meet the specifications defined in section 4.4 of RFC 4122.
  • Verify that the creation of UUIDs and associated information complies with UUID creation procedures.
Notes
  • HUIT IAM needs a document outlining UUID creation procedures.
  • There are special situations in which an individual may be assigned multiple UUIDs, either accidentally or intentionally.
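The two bit-level requirements that section 4.4 of RFC 4122 places on a random UUID (version nibble 4, variant bits 10) are easy to state and easy to get wrong in home-grown generators. The following Python is an added example, not HUIT IAM code and not a description of IdDB: it validates a candidate UUID against those requirements, generates a new one with a self-check, and shows the "one UUID per HUID or XID" rule as a lookup-before-assign step. The `registry` dictionary standing in for IdDB and the placeholder HUID value are assumptions of the example.

```python
import re
import uuid

# Canonical 8-4-4-4-12 hex form; group 1 is the version nibble and
# group 2 the nibble that carries the variant bits.
CANONICAL_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-([0-9a-f])[0-9a-f]{3}-([0-9a-f])[0-9a-f]{3}-[0-9a-f]{12}$"
)


def check_rfc4122_v4(value: str) -> tuple[bool, str]:
    """Return (ok, reason) for a candidate randomly generated UUID.

    RFC 4122 section 4.4 fixes two fields of an otherwise random UUID: the
    four most significant bits of time_hi_and_version must be 0100 (version 4)
    and the two most significant bits of clock_seq_hi_and_reserved must be 10
    (the RFC 4122 variant). Hex digits are case-insensitive on input.
    """
    if not CANONICAL_RE.match(value.lower()):
        return False, "not in 8-4-4-4-12 hexadecimal form"
    u = uuid.UUID(value)
    # Check the variant first: uuid.UUID.version is None for other variants.
    if u.variant != uuid.RFC_4122:
        return False, f"variant is '{u.variant}', expected RFC 4122 (bits 10xx)"
    if u.version != 4:
        return False, f"version is {u.version}, expected 4"
    return True, "valid RFC 4122 section 4.4 (version 4) UUID"


def new_person_uuid() -> str:
    """Generate a version-4 UUID and self-check it before it is stored.

    uuid.uuid4() takes its 122 random bits from os.urandom(), so the value
    is unpredictable as well as correctly laid out.
    """
    value = str(uuid.uuid4())
    ok, reason = check_rfc4122_v4(value)
    if not ok:  # cannot happen with the standard library, but fail closed
        raise RuntimeError(f"generated UUID rejected: {reason}")
    return value


def ensure_uuid(registry: dict[str, str], identifier: str) -> str:
    """Return the UUID already linked to a HUID or XID, assigning a new one
    only when none exists, so a person never acquires a second UUID by
    accident. `registry` stands in for the IdDB mapping (an assumption)."""
    if identifier not in registry:
        registry[identifier] = new_person_uuid()
    return registry[identifier]


# Constructed sample values for demonstration; not real identifiers.
SAMPLE_UUIDS = {
    "good_v4": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
    "wrong_version": "f47ac10b-58cc-1372-a567-0e02b2c3d479",  # version nibble 1
    "wrong_variant": "f47ac10b-58cc-4372-c567-0e02b2c3d479",  # variant nibble c (110x)
    "malformed": "not-a-uuid",
}

if __name__ == "__main__":
    for label, value in SAMPLE_UUIDS.items():
        print(f"{label:14s} {check_rfc4122_v4(value)}")
    reg: dict[str, str] = {}
    first = ensure_uuid(reg, "HUID-PLACEHOLDER-1")
    print("same UUID on repeat:", first == ensure_uuid(reg, "HUID-PLACEHOLDER-1"))
```

Checking the variant before the version matters: the standard library reports no version at all for a UUID whose variant bits are not 10, so a version-only check would give a misleading message for exactly the malformed values the standard is meant to exclude.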

(HU-IAM-ID-1.4) Standard: HarvardKey Eligibility

Standard
  • Most HUID holders shall be eligible to be issued a HarvardKey.
  • HUIT IAM shall support the use of HarvardKey for authentication to resources protected by HUIT IAM.
Reason
  • The HarvardKey is a credential set, consisting of a login name and a secret password known only to a user, that is used by a user to authenticate to HUIT IAM authentication services.
  • Improper assignment of HarvardKey credentials may result in duplicate identities; this could lead to unauthorized or inappropriate access, or loss or misuse of resources protected by HUIT IAM.
Controls
  • HUIT IAM shall require a unique HarvardKey login name to be associated with each individual in order to track authentication activity and reconcile accounts to individuals.
  • All HUID holders — except for some holders of HUIDs starting with the digit 0 — are eligible to claim a HarvardKey.
  • The HarvardKey login name shall be a functioning email address that is unique to the individual.
  • For individuals who have one or more Harvard email addresses (such as addresses ending in one of the official Harvard-registered domain names), the HarvardKey login name must be one of these email addresses. Other individuals may use non-Harvard email addresses for their HarvardKey login name.
  • HUIT IAM shall establish secure mechanisms for enabling HarvardKey holders to change their login names when their circumstances change.

(HU-IAM-ID-1.5) Standard: University NetID Eligibility

Standard
  • HUIT IAM shall assign University NetIDs to HarvardKey holders.
  • HUIT IAM shall support the use of University NetIDs only for authentication to HUIT IAM-protected resources that are not capable of supporting the use of HarvardKey for authentication.
Reason
  • A University NetID is a credential set, consisting of a login name and a secret password known only to a user, that is used by a user to authenticate to HUIT IAM authentication services. 
  • The University NetID is used for selected systems that cannot support HarvardKey.
  • Improper assignment of University NetIDs may result in duplicate identities; this could lead to unauthorized or inappropriate access, or loss or misuse of resources protected by HUIT IAM.
Controls
  • HUIT IAM shall assign a unique University NetID to individuals assigned a HarvardKey.
  • University NetIDs shall use the format of three letters followed by three to five numerals.
  • Where possible, the letter portion of the University NetID should not reflect the individual's name.
  • Authenticating a user via University NetID shall be supported only for applications that are not capable of supporting authentication using HarvardKey.
  • HUIT IAM shall manage the password-setting process for HarvardKey and University NetID credentials such that an individual uses the same password for both. 
Notes
  • The term "NetID" is used to refer to Active Directory IDs because the University FERPA directory element list includes "NetID" and, if this term might be used for any public purpose in the future, it should fit into the FERPA public list.
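The NetID format control (three letters followed by three to five numerals) and the preference that the letters not reflect the holder's name can both be checked mechanically. The Python below is an added example, not HUIT IAM's assignment code: it validates the format, applies a simple name-resemblance heuristic, and draws a fresh NetID that passes both checks and is not already assigned. Lowercase letters, the specific resemblance rule (first three letters of any name token, or the initials) and the `existing` set standing in for the assignment records are all assumptions of the example; the standard itself states no exact rule for "reflects the individual's name".

```python
import re
import secrets
import string

# Format from the standard: three letters followed by three to five numerals.
# Lowercase is assumed here; the standard does not state the letter case.
NETID_RE = re.compile(r"^[a-z]{3}[0-9]{3,5}$")


def is_valid_netid(netid: str) -> bool:
    return NETID_RE.match(netid) is not None


def name_derived_prefixes(full_name: str) -> set[str]:
    """Three-letter strings that would visibly echo a person's name.

    Heuristic chosen for this example: the first three letters of every
    name token, plus the first three initials when there are at least three.
    """
    tokens = [t for t in re.split(r"[^a-z]+", full_name.lower()) if t]
    prefixes = {t[:3] for t in tokens if len(t) >= 3}
    initials = "".join(t[0] for t in tokens)
    if len(initials) >= 3:
        prefixes.add(initials[:3])
    return prefixes


def reflects_name(netid: str, full_name: str) -> bool:
    return netid[:3] in name_derived_prefixes(full_name)


def validate_assignment(netid: str, full_name: str, existing: set[str]) -> list[str]:
    """Problems with a proposed NetID, empty when it is acceptable."""
    problems = []
    if not is_valid_netid(netid):
        problems.append("format")
    if reflects_name(netid, full_name):
        problems.append("reflects-name")
    if netid in existing:
        problems.append("already-assigned")
    return problems


def generate_netid(full_name: str, existing: set[str]) -> str:
    """Draw a random NetID that is well-formed, does not echo the name and is
    not already assigned; the new value is added to `existing`.
    `secrets` is used so the letters and digits are not predictable."""
    blocked = name_derived_prefixes(full_name)
    while True:
        letters = "".join(secrets.choice(string.ascii_lowercase) for _ in range(3))
        if letters in blocked:
            continue
        n_digits = 3 + secrets.randbelow(3)  # 3, 4 or 5 numerals
        digits = "".join(secrets.choice(string.digits) for _ in range(n_digits))
        netid = letters + digits
        if netid not in existing:
            existing.add(netid)
            return netid


if __name__ == "__main__":
    # Constructed sample name; not a real person.
    assigned: set[str] = set()
    for _ in range(3):
        print(generate_netid("John Q. Smith", assigned))
    print(validate_assignment("joh12", "John Q. Smith", {"joh12"}))
```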

(HU-IAM-ID-1.6) Standard: Identity Proofing

Standard
  • HUIT IAM shall require a process for establishing levels of confidence in the identities used in HUID assignments, and for recording the level of confidence.
Reason
  • Since identity proofing and verification are frontline defenses in preventing identity fraud, HUIT IAM shall determine identity assurance processes and mechanisms, as well as map between these processes/mechanisms and the identity assurance levels maintained for HUID assignees.
Controls
  • Define detailed procedural guidelines and communicate them to business process owners involved with assigning HUIDs in order to facilitate a consistent understanding of and approach to identity proofing.
  • Periodically audit identity proofing processes to ensure compliance with established standards and procedures.
  • Maintain variables in the IdDB that directly or indirectly record the level of identity assurance related to each assigned HUID. For example, maintain variables indicating whether the assignee is a paid employee (which implies federal government-mandated identity proofing), whether he or she has picked up a Harvard ID card (during which process a photo ID is checked), whether a separate in-person verification of government-issued ID has been performed, or whether the user has changed his or her password using the account management portal (which verifies that the user's email address is valid).
Notes
  • This policy does not require that everyone be identity proofed; instead, it requires that the degree of identity proofing of an individual be understood and discoverable.

(HU-IAM-ID-1.7) Standard: Identifier Management

Standard

In managing information system identifiers for individuals, HUIT IAM shall:

  • Receive authorization from a designated official or system if HUIT IAM assigns an identifier to an individual person.
  • Select a HUIT IAM identifier that uniquely identifies an individual person, and that has not been assigned to another person.
  • Assign the HUIT IAM identifier to the intended party.
Reason
  • HUIT IAM identifiers provide the basis for authenticating individuals to University applications.
  • Improper assignment of HUIT IAM identifiers may result in duplicate identities; this could lead to unauthorized or inappropriate access, or loss or misuse of resources protected by HUIT IAM.
Controls
  • HUIT IAM identifiers shall be uniquely assigned to individuals.
  • HUIT IAM identifiers shall be assigned to those individuals only after a minimum set of information has been obtained (full legal name, plus date of birth or last four digits of a Social Security/national ID number) to ensure that individuals are not accidentally assigned multiple identifiers.
  • HUIT IAM will not delete IdDB entries relating to assigned identifiers.
  • HUIT IAM will manage the lifecycle of assigned identifiers, including updates to attributes and associated access authorizations.

(HU-IAM-ID-1.8) Standard: User Enrollment

Standard
  • The process used for initial enrollment in HUIT IAM services must ensure that the correct individual is being enrolled.
Reason
  • An insecure enrollment process could enable improper access to Harvard resources and attribution of actions to the incorrect user.
Controls
  • The HUIT IAM enrollment process must ensure the correct individual is being enrolled in adherence to InCommon Bronze or Silver levels of assurance.

2.2 Information Access Control

(HU-IAM-IA-1) Policy: Information Access

Policy
  • HUIT IAM shall limit access to the non-public information it maintains about individuals to those individuals and systems with a legitimate business requirement for such access.
Reason
  • HUIT IAM maintains considerable non-public information about Harvard-affiliated individuals. University and other policies require that access to this information be limited to those individuals and systems that have a Harvard-related business justification for access.
Controls
  • HUIT IAM will only provide access to non-public information it maintains about individuals to those individuals or groups who have provided business justification and specified the purposes for which they need the information.
  • HUIT IAM shall require that recipients of such information re-certify their business justification on a regular basis.
  • HUIT IAM shall require that recipients of such information agree in writing to refrain from using the information for purposes other than those specified.
  • HUIT IAM shall require that recipients of such information agree in writing to refrain from further distributing this information, except as needed to fulfill the specified purposes.
  • HUIT IAM shall require assurance that the Office for General Counsel has reviewed and agreed to contracts with any vendor that will receive any information HUIT IAM maintains about individuals.
Notes
  • This section covers access to the non-public information HUIT IAM maintains about individuals themselves. It does not cover logs of the activities of such individuals; this is covered under the privacy standards.
  • The non-public information maintained by HUIT IAM is not covered by the University's Policy on Access to Electronic Information. (See the Terminology section of the Policy for details.)

(HU-IAM-IA-1.1) Standard: Require Business Need

Standard
  • HUIT IAM will only provide access to non-public information it maintains about individuals to those individuals or groups who have provided business justification and specified the purposes for which they need said information.
Reason
  • University security and privacy policies require that individuals only access non-public information about other individuals if they have a legitimate Harvard business reason to do so.
  • HUIT IAM provides controls to help limit the opportunities for access to information when there is no legitimate Harvard business reason.
Controls
  • HUIT IAM will require individuals or groups to provide specific business justification before permitting access to non-public information it maintains about individuals.
  • Before permitting access to non-public information it maintains about individuals, HUIT IAM will require individuals or groups to provide documentation describing specific business justification.
  • The HUIT IAM Product Manager shall be responsible for ensuring that business justifications are properly reviewed and that access is not granted if justification is not sufficient.
  • The HUIT IAM Product Manager shall be responsible for ensuring that proper records are maintained about any requests for access to non-public information it maintains about individuals, and of the decisions made about any such requests.

(HU-IAM-IA-1.2) Standard: Review Access

Standard
  • HUIT IAM shall require that recipients of such information re-certify their business justification on a regular basis.
Reason
  • Since business requirements change and individuals change jobs, it is important that HUIT IAM regularly re-certify that continued access to non-public information about individuals is still required and justified.
Controls
  • HUIT IAM shall obtain a statement from individuals or groups that have been granted access to non-public information about individuals maintained by HUIT IAM that this access continues to meet a proper business need.
  • The HUIT IAM Product Manager shall be responsible for ensuring that each individual or group granted access provides a statement on a regular basis justifying continued access to the information.
  • The HUIT IAM Product Manager shall be responsible for ensuring that proper records are maintained of such statements.

(HU-IAM-IA-1.3) Standard: No Other Use

Standard
  • HUIT IAM shall require that recipients of such information agree in writing to refrain from using this information for purposes other than those specified.
Reason
  • In order for HUIT IAM to maintain control over access to non-public information it maintains about individuals, it is important to ensure that HUIT IAM understands and agrees to the use(s) for this information.
  • If a recipient of information maintained by HUIT IAM were to decide to use that information for purposes other than the ones they disclosed when granted access, the uses he or she adds may not comply with HUIT IAM's view of business need.
Controls
  • HUIT IAM shall obtain written agreement that recipients of information maintained by HUIT IAM will not expand the use of such information without notifying HUIT IAM in advance.
  • Such agreements should be part of the regular access review process described above.

(HU-IAM-IA-1.4) Standard: No Unauthorized Forwarding

Standard
  • HUIT IAM shall require that recipients of such information agree in writing to refrain from further distribution of this information except as needed to fulfill the specified purposes.
Reason
  • In order for HUIT IAM to maintain control over access to non-public information it maintains about individuals, it is important to ensure that recipients of such information neither forward it to others nor enable access to the information by others.
Controls
  • HUIT IAM shall obtain written agreement that recipients of information maintained by HUIT IAM will not forward it to others without notifying HUIT IAM in advance.
  • Such agreements should be part of the regular access review process described above.

(HU-IAM-IA-1.5) Standard: Vendor Contract Review

Standard
  • HUIT IAM shall require assurance that the Harvard University Office of General Counsel has reviewed and agreed to contracts with any vendor that will receive any information HUIT IAM maintains about individuals.
Reason
  • Vendors must be contractually obliged to protect any information they receive, directly or indirectly, from HUIT IAM in order for HUIT IAM to properly discharge its responsibilities as custodian of said information.
Controls
  • Any University groups that request HUIT IAM provide to a vendor any of the information that it maintains about individuals must assure HUIT IAM that there exists a contract between the vendor and Harvard, and assure HUIT IAM that the Harvard Office of General Counsel has reviewed and approved the contract.
  • Any University group that will be providing to a vendor information HUIT IAM maintains about individuals (that the group has obtained from HUIT IAM) must assure HUIT IAM that there exists a contract between the vendor and Harvard, and assure HUIT IAM that the Harvard Office of General Counsel has reviewed and approved the contract.

2.3 Authentication Services

(HU-IAM-AU-1) Policy: Authentication Services

Policy
  • HUIT shall develop and maintain authentication services that securely identify specific individuals and minimize the chance of improperly authenticating an individual.
Reason
  • The basic services provided by HUIT IAM are authentication services.
  • These services are used by both University and non-University applications to securely establish the identity of individuals who attempt to access them.
Controls
  • HUIT IAM shall provide multiple types of authentication services.
  • The authentication services offered by HUIT IAM shall be secure.
  • HUIT IAM shall offer an optional multifactor function for each of its authentication services.
  • The activities of HUIT IAM authentication services shall be logged.
Notes
  • The above requirements to securely identify individuals do not apply to self-assigned XIDs.

(HU-IAM-AU-1.1) Standard: Multiple Services

Standard
  • HUIT IAM shall provide multiple types of authentication services.
  • An individual shall be able to authenticate with each of the services using the same credentials.
Reason
  • Since new and existing applications do not all have the ability to use the same type of authentication service, HUIT IAM shall provide a variety of services.
  • For ease of use, all of the authentication services offered by HUIT IAM shall accept the same credentials.
Controls
  • HUIT IAM shall offer an authentication service compatible with the PIN/CAS interface.
  • HUIT IAM shall offer an authentication service compatible with an InCommon Shibboleth identity provider (IdP).
  • HUIT IAM shall offer an LDAP-based authentication service.
  • HUIT IAM shall offer a Microsoft Active Directory authentication service.
  • The authentication services offered by HUIT IAM shall accept the same login name and password credentials.
  • HUIT IAM shall offer a password management and change service that ensures that user credentials are synchronized between all of the authentication services offered by HUIT IAM.
  • Where technically feasible, the authentication services provided by HUIT IAM shall be resilient in design so as to limit unplanned outages.
Notes
  • These requirements cover both anonymous (for example, self-assigned XID) and non-anonymous credentials.

(HU-IAM-AU-1.2) Standard: Authentication Security

Standard
  • The authentication services offered by HUIT IAM shall be secure.
Reason
  • Non-secure authentication services could allow improper authentication.
Controls
  • The HUIT IAM password management and change service shall ensure that passwords set by users meet University password strength standards.
  • When technically feasible, passwords stored in HUIT IAM systems shall be protected using password protection algorithms sufficient to meet InCommon Silver requirements.
  • Where necessary to meet InCommon requirements for advanced password entropy, HUIT IAM authentication systems shall ensure that user passwords are changed frequently enough to meet InCommon Bronze requirements (for InCommon Bronze service providers) and InCommon Silver requirements (for InCommon Silver service providers).
  • Services accessing HUIT IAM authentication services shall be individually authorized.
  • Services accessing HUIT IAM authentication services shall be properly authenticated.
  • Information exchange between servers accessing authentication services and HUIT IAM authentication services shall be protected by encryption that meets InCommon requirements.

(HU-IAM-AU-1.3) Standard: Multifactor Authentication

Standard
  • HUIT IAM shall offer a multifactor authentication option for use when authenticating individuals.
Reason
  • Traditional authentication (login name and password) is knowledge-based and depends entirely on the user's password not being shared, guessed, or compromised. 
  • Since passwords do get shared, guessed, and compromised, a higher level of confidence in a user's identity can be achieved through the use of an additional non-knowledge-based factor during the authentication process.
Controls
  • HUIT IAM shall allow application owners the ability to require that all users of their applications be authenticated with a second factor.
  • HUIT IAM shall allow application owners the ability to require that selected users of their applications be authenticated with a second factor.
  • HUIT IAM shall allow individual users the ability to require that all of their authentications require the use of a second factor.

(HU-IAM-AU-1.4) Standard: Authentication Logging

Standard
  • Activities of the HUIT IAM authentication services shall be securely logged.
Reason
  • Activity logs are valuable resources for resolving user problems, as well as determining the extent of compromise if a user "misbehaves" or a user's credentials are compromised.
Controls
  • HUIT IAM shall record information about authentication-related activities in a logfile.
  • Information recorded should include the identity of the user being authenticated, the source of the authentication request, the success or failure of the attempt, and the time at which the attempt was made.
  • Other authentication-related activities should also be logged, including (for example) lockouts that occur because of too many incorrect password attempts in a row.
  • Copies of the logfiles shall be maintained on a system other than the one that created the logfile.
  • Copies of the logfiles shall be maintained in a way that helps ensure the integrity of the logfile.
Notes
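The logging controls above name the fields each record needs (user, source, outcome, time), ask for lockouts to be logged as well, and require that the retained copy help ensure the logfile's integrity. The Python below is an added example, not HUIT IAM's logging implementation: it writes JSON-lines records that carry the required fields, chains each record to the previous one with a SHA-256 hash so that an edited or deleted line is detectable when the off-host copy is verified, and computes per-user runs of consecutive failures of the kind a lockout rule or a compromise investigation would look at. The record layout, the field names and the sample events (RFC 5737 test addresses, example.org users) are constructed for this example.

```python
import hashlib
import json

REQUIRED_FIELDS = ("time", "user", "source", "event", "outcome")
GENESIS = "0" * 64  # chain anchor for the first record


def _canonical(body: dict) -> str:
    # Deterministic serialisation so the same record always hashes the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def make_record(prev_hash: str, **fields) -> dict:
    """Build one record: the required fields plus the previous record's hash,
    then the SHA-256 of that whole body."""
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"record is missing required fields: {missing}")
    body = dict(fields, prev=prev_hash)
    body["hash"] = hashlib.sha256(_canonical(body).encode()).hexdigest()
    return body


def write_log(events: list[dict]) -> list[str]:
    """Serialise events as one JSON line each, hash-chained in order."""
    lines, prev = [], GENESIS
    for ev in events:
        rec = make_record(prev, **ev)
        lines.append(_canonical(rec))
        prev = rec["hash"]
    return lines


def verify_log(lines: list[str]) -> tuple[bool, int]:
    """Return (True, -1) when every line is well-formed and the chain is
    intact, else (False, index of the first line where it breaks)."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            rec = json.loads(line)
        except ValueError:
            return False, i
        if any(f not in rec for f in REQUIRED_FIELDS) or rec.get("prev") != prev:
            return False, i
        body = {k: v for k, v in rec.items() if k != "hash"}
        if hashlib.sha256(_canonical(body).encode()).hexdigest() != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    return True, -1


def failure_streaks(lines: list[str], event: str = "login") -> dict[str, int]:
    """Longest run of consecutive failed attempts per user, reset by a success."""
    streak: dict[str, int] = {}
    worst: dict[str, int] = {}
    for line in lines:
        rec = json.loads(line)
        if rec["event"] != event:
            continue
        user = rec["user"]
        if rec["outcome"] == "failure":
            streak[user] = streak.get(user, 0) + 1
            worst[user] = max(worst.get(user, 0), streak[user])
        else:
            streak[user] = 0
    return worst


# Constructed sample events: one success, five failures, then the lockout.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:01Z", "user": "alice@example.org",
     "source": "203.0.113.7", "event": "login", "outcome": "success"},
] + [
    {"time": f"2024-01-10T09:01:{s:02d}Z", "user": "bob@example.org",
     "source": "198.51.100.9", "event": "login", "outcome": "failure"}
    for s in range(5)
] + [
    {"time": "2024-01-10T09:01:05Z", "user": "bob@example.org",
     "source": "198.51.100.9", "event": "lockout", "outcome": "locked"},
]

if __name__ == "__main__":
    log = write_log(SAMPLE_EVENTS)
    print("chain intact:", verify_log(log))
    print("failure streaks:", failure_streaks(log))
```

The chain only has value if the verifier holds a copy the log producer cannot rewrite, which is the point of the control requiring copies on a separate system: whoever controls both the file and its hash chain can regenerate both.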

2.4 Privacy

(HU-IAM-PR-1) Policy: Privacy

Policy
  • HUIT IAM shall limit access to logs of authentication activity to those individuals who are properly authorized to access the information in accord with the University's Policy on Access to Electronic Information.
Reason
  • The University has established mandatory policies defining the conditions under which electronic information created by or about individuals can be accessed without the individual's permission or knowledge. As part of the Harvard Community, HUIT IAM must adhere to these policies.
Controls
  • HUIT IAM shall protect from improper access or modification the authentication activity logs it creates.
  • HUIT IAM shall retain the logs it creates for a defined period, then automatically and securely delete them.
  • HUIT IAM shall only provide access to logs of authentication activity needed for normal user assistance, problem debugging, or system or credential compromise investigation, except as authorized by the processes described in the University's Policy on Access to Electronic Information.
  • HUIT IAM shall maintain a log of all access to logs of authentication activity when the access is of a type that must be authorized under the University's Policy on Access to Electronic Information.
  • HUIT IAM shall maintain, in its database of information about individuals, fields that can be used to store an individual's personal preference about the public display of the information.
Notes
  • Policies to define the retention periods for logfiles are under development by the HUIT architecture decision group.

(HU-IAM-PR-1.1) Standard: Authentication Log Protection

Standard
  • HUIT IAM shall protect from improper access or modification the logs of authentication activity it creates.
Reason
Controls
  • Logs of authentication activity shall be considered Level 4 information under the University IT security policy, and protected as such.
  • Multifactor authentication shall be required to access authentication activity logs.
  • Read-only access to authentication activity logs shall be limited to specific authorized individuals.
  • Read-write access to authentication activity logs shall not be enabled.
  • Authentication activity logs shall be mirrored to a server that is outside the control of the individuals authorized to access the logs.

(HU-IAM-PR-1.2) Standard: Authentication Log Retention

Standard
  • HUIT IAM shall retain the logs it creates of authentication activity for a defined period, then automatically and securely delete them.
Reason
  • Authentication activity logs are useful for diagnosing system issues, as well as for determining the activities of someone with access to a person's credentials. In the latter case, log data can be useful to determine damage done when credentials have been compromised.
  • Logs of authentication activity should be retained for long enough to be useful in system debugging and/or investigations of potentially improper activity.
  • To reduce the chance of privacy issues, logs should not be retained for longer than necessary to fulfill the abovementioned debugging and investigation requirements.
Controls
  • Authentication activity logs created by HUIT IAM authentication services shall be retained for 90 days, after which time they should be automatically and securely deleted.
  • The automatic deletion function shall be capable of being disabled at the written request of the Office of General Counsel.
Notes
  • The 90-day window mentioned above is the current practice of HUIT IAM, but policies to define the retention periods for logfiles are under development by the HUIT architecture decision group.

(HU-IAM-PR-1.3) Standard: Log Access

Standard
  • HUIT IAM shall only provide access to logs of authentication activity in accordance with the processes defined in the University's Policy on Access to Electronic Information.
  • All access to such information other than for normal business reasons must be approved by the proper authorities and logged accordingly.
Reason
  • HUIT IAM, as a unit of Harvard University, must conform to the University's Policy on Access to Electronic Information. To do so, it must limit authentication log access to HUIT IAM personnel and others with approved business reasons for access. 
  • HUIT IAM personnel may access authentication logs during the course of normal activities, such as problem debugging; any access to these logs outside of said normal activities must be approved and recorded.
  • University security personnel may access authentication logs during the course of normal activities, such as problem debugging; any access to these logs outside of said normal activities must be approved and recorded.
Controls
  • HUIT IAM shall develop a clear description of what is included in "normal activities" during which HUIT IAM or University security personnel access logs of authentication activities.
  • HUIT IAM personnel shall not access authentication logs other than as part of these predefined "normal activities" unless instructed to do so under a process conforming to the requirements in the University's Policy on Access to Electronic Information.
  • HUIT IAM will log any access to authentication logs that they are instructed to access under the University's Policy on Access to Electronic Information.
  • HUIT IAM shall only provide access by individuals who are not HUIT IAM personnel to authentication logs after receiving written approval under the University's Policy on Access to Electronic Information.
Notes
  • The official logs of accessing authentication activity logs undertaken under the University's Policy on Access to Electronic Information are maintained by the University security office, but HUIT IAM should also maintain its own logs of access that it is requested to undertake.

(HU-IAM-PR-1.4) Standard: Information Display Control Fields

Standard
  • HUIT IAM shall maintain, in its database of information about individuals, display control fields that can be used to store an individual's personal preference about the public display of the information.
  • HUIT IAM shall use the display control fields to determine what information about an individual is displayed in directories operated by HUIT IAM.
  • HUIT IAM shall provide the display control fields as part of information feeds or database views.
Reason
  • Some individuals are sensitive to what information is displayed about them in directories. These display control fields provide a mechanism for recording these individuals' preferences.
Controls
  • HUIT IAM shall maintain separate display control fields for each major type of information that it maintains about individuals (for example, name, telephone number, and email address).
  • The display control fields shall be able to indicate at least the following display preferences: private (not to be included in directories), Harvard-only (included only in directories restricted to identified Harvard users or from within the Harvard network) and public (no restrictions on who can access the information). The display control fields are not designed to override the ability of authorized individuals (for example, human resources officers) to access such information.
  • HUIT IAM shall include the display control fields in data feeds it provides whenever the receiver of the feed has indicated that they might use the information as part of a directory.
  • HUIT IAM shall include the display control fields in any database views it offers that include the information covered by the display control fields.
  • HUIT IAM shall provide a mechanism for approved individuals to update the display control fields.
  • HUIT IAM shall provide a mechanism for approved applications to update the display control fields.
  • HUIT IAM shall use the display control fields to determine what information about an individual is to be included in directory services offered by HUIT IAM.
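The filtering rule the display control fields describe, as an added illustration (not HUIT IAM code): each attribute type carries its own control with the values private, Harvard-only and public, the viewer's context decides what a directory returns, and authorized viewers (for example human resources officers) are not restricted by the controls. The record layout, the `Viewer` categories and the fail-closed default for an attribute with no control set are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Display(Enum):
    """Display preferences the standard requires at minimum."""
    PRIVATE = "private"            # never included in directories
    HARVARD_ONLY = "harvard-only"  # identified Harvard users / Harvard network only
    PUBLIC = "public"              # no restriction on who can see it


class Viewer(Enum):
    """Assumed viewer contexts for a directory lookup."""
    ANONYMOUS = "anonymous"    # unidentified, off-network request
    HARVARD = "harvard"        # identified Harvard user or on-network request
    AUTHORIZED = "authorized"  # e.g. HR officer; display controls do not apply


@dataclass
class PersonRecord:
    attributes: dict        # attribute type -> value, e.g. {"email": "..."}
    display_controls: dict  # one Display control per attribute type


def visible_to(control: Display, viewer: Viewer) -> bool:
    """Decide whether one attribute may be shown to this viewer."""
    if viewer is Viewer.AUTHORIZED:   # controls never override authorized access
        return True
    if control is Display.PUBLIC:
        return True
    if control is Display.HARVARD_ONLY:
        return viewer is Viewer.HARVARD
    return False                      # PRIVATE


def directory_view(record: PersonRecord, viewer: Viewer) -> dict:
    """Return only the attributes the display controls allow for this viewer.
    Assumption: an attribute with no control recorded is treated as private."""
    return {
        attr: value
        for attr, value in record.attributes.items()
        if visible_to(record.display_controls.get(attr, Display.PRIVATE), viewer)
    }


# Constructed sample record (not real data).
SAMPLE = PersonRecord(
    attributes={"name": "A. Example", "telephone": "555-0100", "email": "ae@example.edu"},
    display_controls={"name": Display.PUBLIC, "telephone": Display.HARVARD_ONLY},
)
```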

2.5 System Access Control

(HU-IAM-AS-1) Policy: System Access Policy

Policy
  • HUIT IAM access control policies and standards shall establish rules for HUIT IAM to use to control administrative access to its systems.
Reason
  • Administrative access to systems can be used to control the functionality of the operating system and can be used to disable or circumvent access controls. Users with unnecessary or inappropriate access could corrupt HUIT IAM systems or disrupt system operations.
Controls
  • HUIT IAM shall ensure that only individuals with proper and current needs obtain administrative access to HUIT IAM systems.

(HU-IAM-AS-1.1) Standard: Administrative User Access Management

Standard
  • HUIT IAM shall ensure that, on an ongoing basis, only individuals who have a current business need have administrative accounts on HUIT IAM systems that contain, or have access to, confidential information about other individuals.
Reason
  • Administrative access to systems can be used to control the functionality of the operating system and can be used to disable or circumvent access controls. Users with unnecessary or inappropriate access could corrupt HUIT IAM systems or disrupt system operations. The risk would be particularly high if people who were no longer associated with the University or who had changed jobs within the University were to retain their access.
Controls
  • Suitable background and/or verification checks shall be conducted for all candidates for employment or consulting at HUIT IAM who will have administrative access to HUIT IAM systems.
  • HUIT IAM shall only establish administrative accounts on HUIT IAM systems that contain or have access to confidential information about other individuals for those individuals who have a legitimate business reason for such an account.
  • Where feasible, such administrative accounts shall only have access to the information that the individual has a business need to access.
  • HUIT IAM shall periodically audit individuals with administrative accounts on HUIT IAM systems that contain or have access to confidential information about other individuals, to ensure that such accounts are limited to those individuals who have a current business need for them.

2.6 Operations Management

(HU-IAM-OM-1) Policy: Operations Management Policy

Policy
  • HUIT IAM systems shall be operated and administered using documented procedures in a manner that is efficient, effective and secure.
Reason
  • This policy establishes the requirement to ensure the correct and secure operation of IAM systems within HUIT. Without this policy, HUIT is at risk of potential misuse or mistreatment of HUIT IAM systems and data.
Controls
  • Managers shall ensure all security procedures within their areas of responsibility are conducted to achieve compliance with security policies and standards.
  • System documentation shall be required for all HUIT IAM systems. Such documentation must be kept up to date and be readily available.

(HU-IAM-OM-1.1) Standard: Documented Operating Procedures

Standard
  • HUIT IAM shall develop and implement documented standard operating procedure plans for HUIT IAM systems that:
    • Address roles, responsibilities, and configuration management processes and procedures
    • Define instructions for operating HUIT IAM systems
    • Establish means to identify procedures and configuration elements throughout the system development lifecycle, and processes for managing configurations.
Reason
  • Documentation of standard operating procedures is good practice to reduce the risk of incorrect actions that may result in the degradation of HUIT IAM services or a risk to confidential information maintained by HUIT IAM.
Controls
  • Operating procedures shall be documented, maintained, and made available to all users who need them.
  • HUIT IAM shall assign responsibility for developing the operating procedures and configuration management processes to personnel who are not directly involved in system development.
Notes
  • Documentation is on the HUIT IAM wiki.

(HU-IAM-OM-1.2) Standard: Segregation of Duties

Standard
  • Segregation of duties is employed to enhance control over procedures where a related HUIT IAM information security incident would likely result in reputational, financial, or other material damage to the University.
Reason
  • Segregation of duties is a primary internal control that prevents or decreases the risk of errors and irregularities and/or identifies problems by preventing an individual from having control over all phases of a transaction.
Controls
  • Duties of individuals shall be separated as necessary to prevent malevolent activity without collusion.
  • Separation of duties shall be implemented through assigned HUIT IAM system access authorizations.
Notes
  • There are some issues relating to understanding this requirement in a DevOps environment.

(HU-IAM-OM-1.3) Standard: Separation of (Operations, Test and Development) Environments

Standard
  • HUIT IAM development, test, and operational facilities shall be separated to reduce the risks of unauthorized access or changes to operational IAM systems. HUIT IAM documents and maintains a current baseline configuration of separate HUIT IAM environments under configuration control.
Reason
  • HUIT IAM requires separation of environments, and also separation of duties across the environments, because:
    • Live data or software could be amended or modified by HUIT IAM staff, either accidentally or for vindictive or fraudulent reasons.
    • Test code often contains debug code and possibly other error-trapping routines, which impose a substantially high overhead on the host system.
    • Development staff often operate with powerful privileges that are high-risk in an operational environment.
Controls
  • Employ a deny-all, allow-by-exception authorization policy to identify users allowed to execute/operate in each respective environment (commensurate with risk).
  • Retain older versions of baseline configurations as deemed necessary to support rollback.
  • Maintain a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.
Notes
  • There are some issues relating to understanding this requirement in a DevOps environment.

2.7 Policy Exceptions and Maintenance

(HU-IAM-PM-1) Policy: IAM Policy Exceptions and Maintenance

Policy
  • HUIT IAM shall require approval for any exceptions to its policies.
  • HUIT IAM shall continually maintain the policies and standards it sets.
Reason
  • Situations may arise that were not anticipated in existing HUIT IAM policies, and these must be addressed effectively and in a timely manner.
  • Existing policies must evolve in response to changing conditions both within and outside of the University.
Controls
  • HUIT IAM shall institute a process for evaluating and, if warranted, approving exceptions to its policies.
  • HUIT IAM shall continuously update and maintain its policies and standards.

(HU-IAM-PM-1.1) Standard: IAM Policies and Standards Exception

Standard
  • Any request for an exception to HUIT IAM policies or standards must be submitted in writing for review by the HUIT IAM Product Manager.
Reason
  • There may be circumstances in which deviation from HUIT IAM policies and standards is required to maintain continuity of HUIT IAM operations.
  • This standard addresses the need for an exception process to be invoked in special circumstances in which deviation from HUIT IAM policies or standards is required.
Controls
  • HUIT IAM shall require that requests for deviations or exceptions from its policies and standards are submitted in writing to, and documented by, the HUIT IAM Product Manager. Such requests must include a justification for the requested exception.
  • The HUIT IAM Product Manager shall be responsible for granting exceptions to HUIT IAM policies and standards after consulting with those responsible for management, security, and privacy.
  • Deviation from the HUIT IAM policies and standards shall not be permitted without prior written approval from the HUIT IAM Product Manager.
  • The HUIT IAM Product Manager shall maintain a record of all requests for exceptions and their disposition.
  • In cases where human health or safety is at risk, HUIT IAM policies and standards may be overridden if doing so will assist in reducing the risk. In such cases, the individual overriding policies or standards must provide a written report to the HUIT IAM Product Manager, detailing the situation and the actions taken, as soon as practical after the incident.

(HU-IAM-PM-1.2) Standard: IAM Policies and Standards Maintenance

Standard
  • HUIT IAM shall continually update and maintain its policies and standards.
Reason
  • Existing policies must evolve to deal with changing conditions both within and outside of the University.
Controls
  • HUIT IAM shall update its policies and standards as required by changes in University policy, government regulations, and — when warranted — in response to incidents.
  • HUIT IAM shall adhere to a schedule for regularly reviewing its policies and standards.
  • HUIT IAM shall charge the HUIT IAM Program Manager with assigning responsibility for updates, creating a timeline for review, and verifying review completion.