1. Purpose
These guidelines recommend standards for access control and authentication to protect Institutional Information and IT Resources, ensuring compliance with UC’s IS-3 policy.
2. Scope
These guidelines should be followed by all faculty, staff, researchers, and students accessing Institutional Information and IT Resources, regardless of the platform or operating system used.
3. Access Control Standards
- Role-Based Access Control (RBAC): Access is granted based on job roles and the principle of least privilege.
- Account Provisioning: Access requests must be reviewed and approved by the Unit Head or designated IT administrator.
- Periodic Access Reviews: Access rights are reviewed at least semi-annually to ensure appropriate authorization.
- Inactive Accounts: User accounts inactive for 90 days are disabled and removed after 180 days unless justified.
- Privileged Accounts: Administrator or elevated access is restricted and requires additional approvals on devices locally storing P3 or P4 data.
- Guest Access: Temporary access must be approved, limited in scope, and reviewed regularly.
4. Authentication Standards
- Password Policy:
  - Minimum 12 characters, including uppercase, lowercase, numbers, and special characters.
  - Passwords must be changed every 180 days and cannot be reused for 10 cycles.
  - Account lockout after 5 failed login attempts, with a 30-minute cooldown period.
- Multi-Factor Authentication (MFA): Required for accessing sensitive systems and for VPN remote access.
- Single Sign-On (SSO): Implemented where feasible to improve security and usability.
- Session Lock: User sessions must lock the screen after 15 minutes of inactivity and require a password to unlock.
5. Compliance and Review
- These guidelines will be reviewed annually and updated as necessary to align with IS-3 and other UC security policies. The more detailed and up-to-date official UC policy can be found here.
For questions regarding these guidelines, contact the Unit Information Security Lead (UISL) at itcontact@bren.ucsb.edu