6. User Management

This section of the toolkit adds further detail to the corresponding User Management sub-policy within the Information Security Policy.

6.1. Authentication and Authorisation

There should be authentication and authorisation procedures in place to ensure users are only allowed to access services which are intended for them. Specifically for systems using techniques such as Single Sign On, controls should be in place to ensure that creating an account does not by itself give users access to services which they are not authorised to use. It is also particularly important to ensure that the same password (or a similar one) is not used to log in to systems that are supposed to be kept secure. This applies especially to those systems that may contain sensitive personal information.

The following ruling from the Information Commissioner demonstrates that this could be considered a breach of the Data Protection Act 1998: Hampshire school breached data protection rules.
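The separation of authentication (establishing who the user is) from authorisation (checking what that account is entitled to use) is the control the paragraph above calls for. The following is an added illustration, not code from the toolkit or from any University system: a constructed stand-in for an SSO identity provider in which creating an account grants no service access at all, and each service checks an explicit entitlement after authentication. The class and function names, the service identifiers and the usernames are all assumptions made for the example.

```python
"""Added example (not part of the original toolkit): an SSO-style gateway
that keeps authentication and authorisation as two separate checks, so a
newly created account is refused by every service until an entitlement is
explicitly granted. Names, services and accounts are constructed."""

from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    # Service identifiers this account is entitled to use; empty on creation.
    entitlements: set[str] = field(default_factory=set)


class IdentityProvider:
    """Constructed stand-in for a Single Sign On identity provider."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def create_account(self, username: str) -> Account:
        # Creating an account establishes identity only; no service access
        # follows from it, which is the property the policy asks for.
        acct = Account(username)
        self._accounts[username] = acct
        return acct

    def authenticate(self, username: str) -> Account | None:
        # Credential verification is out of scope here; the point is that a
        # successful authentication returns an identity, not a permission.
        return self._accounts.get(username)

    def grant(self, username: str, service: str) -> None:
        self._accounts[username].entitlements.add(service)

    def revoke(self, username: str, service: str) -> None:
        self._accounts[username].entitlements.discard(service)


def access_service(idp: IdentityProvider, username: str, service: str) -> tuple[bool, str]:
    """Return (allowed, reason). Authorisation is checked separately from,
    and only after, authentication."""
    acct = idp.authenticate(username)
    if acct is None:
        return False, "not authenticated"
    if service not in acct.entitlements:
        return False, "authenticated but not entitled to " + service
    return True, "ok"


if __name__ == "__main__":
    idp = IdentityProvider()
    idp.create_account("user0001")           # constructed username
    print(access_service(idp, "user0001", "hr-records"))   # refused: no entitlement
    idp.grant("user0001", "hr-records")
    print(access_service(idp, "user0001", "hr-records"))   # allowed
    idp.revoke("user0001", "hr-records")
    print(access_service(idp, "user0001", "hr-records"))   # refused again
```

The useful property to test in a real deployment is the first call: a freshly created account that is accepted by the identity provider must still be rejected by every service that has not explicitly enrolled it.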

6.2. Registration and De-registration

Registration and de-registration procedures should ensure that users are assigned unique IDs so that accountability can be maintained, and records should be kept of all registered users. All users should sign up to conditions of use/access when they are assigned an account. There should also be means to remind users of such terms on a regular basis and to ensure they are aware of any changes. Systems should be audited for unwanted/redundant accounts on a regular basis. When users leave, access should be revoked and the user de-registered.

Inappropriate system privileges can be a major contributory factor in system failure and security breaches, so, where possible, privileges should be kept to the minimum necessary and suitable permissions should be defined. In signing up to conditions of use, users should be made aware of their own responsibilities.
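The regular audit for unwanted and redundant accounts described in this section can be made routine rather than ad hoc. The following is an added example, not code from the toolkit or from any University service: it runs over a constructed directory export and a constructed leavers list, and flags accounts whose holder has left (with a separate note if elevated privileges remain), accounts never or no longer used, and accounts that have not accepted the current version of the conditions of use. The record fields, the 180-day dormancy threshold and the conditions version are assumptions chosen for the illustration.

```python
"""Added example (not part of the original toolkit): a periodic account
audit that reports accounts needing de-registration or follow-up. The
directory records, the leavers feed and the thresholds are constructed."""

from datetime import date, timedelta

CONDITIONS_VERSION = 3              # assumed current version of the conditions of use
DORMANT_AFTER = timedelta(days=180)  # assumed dormancy threshold

# Constructed directory export: one record per registered user, keyed by unique ID.
DIRECTORY = [
    {"uid": "abcd0001", "last_login": "2024-05-20", "accepted_conditions": 3, "privileges": {"user"}},
    {"uid": "abcd0002", "last_login": "2023-09-01", "accepted_conditions": 2, "privileges": {"user"}},
    {"uid": "abcd0003", "last_login": "2024-06-01", "accepted_conditions": 3, "privileges": {"user", "admin"}},
    {"uid": "abcd0004", "last_login": None,         "accepted_conditions": 1, "privileges": {"user"}},
]

# Constructed leavers feed (for example from HR): unique IDs whose holders have left.
LEAVERS = {"abcd0003"}


def audit_accounts(directory, leavers, today, dormant_after=DORMANT_AFTER,
                   conditions_version=CONDITIONS_VERSION):
    """Return {uid: [findings]} for every account that needs attention.
    Accounts with no findings are omitted, so an empty dict means all clean."""
    findings = {}
    for rec in directory:
        issues = []
        elevated = rec["privileges"] - {"user"}
        if rec["uid"] in leavers:
            issues.append("leaver: revoke access and de-register")
            if elevated:
                # Least privilege: a leaver keeping admin rights is the worst case.
                issues.append("leaver still holds elevated privileges: " + ", ".join(sorted(elevated)))
        if rec["last_login"] is None:
            issues.append("never used: candidate redundant account")
        elif today - date.fromisoformat(rec["last_login"]) > dormant_after:
            issues.append("dormant: no login for over %d days" % dormant_after.days)
        if rec["accepted_conditions"] < conditions_version:
            issues.append("conditions of use v%d not accepted (has v%d)"
                          % (conditions_version, rec["accepted_conditions"]))
        if issues:
            findings[rec["uid"]] = issues
    return findings


def duplicate_ids(directory):
    """Unique IDs underpin accountability; report any ID that appears twice."""
    seen, dups = set(), set()
    for rec in directory:
        if rec["uid"] in seen:
            dups.add(rec["uid"])
        seen.add(rec["uid"])
    return sorted(dups)


if __name__ == "__main__":
    for uid, issues in audit_accounts(DIRECTORY, LEAVERS, date(2024, 7, 1)).items():
        print(uid, "->", "; ".join(issues))
    print("duplicate IDs:", duplicate_ids(DIRECTORY))
```

In practice the directory export and leavers feed would come from the unit's own account store and HR process; the value of scripting the check is that it can be scheduled and its output kept as the audit record the section asks for.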

6.3. Passwords and Unauthorised Access

Passwords should not be shared between users and it should be noted that sharing of University passwords such as SSO credentials is explicitly forbidden by the University ICT regulations. This includes giving out your password to IT support staff, OUCS or any other University department. OUCS will NEVER ask users for their passwords and so ANY correspondence (email, phone calls etc.) asking for such details should be treated with caution. Unfortunately, phishing scams are rife these days and users do fall for them. For more details on recognising fake emails please see How To Recognise Fake Emails.

In order to make life simpler when users leave or are temporarily away, role-based accounts and access could be considered. Where shared access to accounts is needed, other means should be implemented. Project accounts, for example, can be set up for clubs and societies (see Registration for more details on different types of accounts) and, within Nexus, access to email accounts can be delegated so there is no need to share passwords (see Delegating access to email, calendar and other Nexus features using Outlook 2007). If passwords need to be written down, this should be done in as secure a manner as possible. Password management tools can be useful in order to help keep multiple passwords stored in a secure manner, which is particularly helpful for users who have many passwords to remember. It is important to be aware that where password exposures are known about, user accounts will be temporarily disabled. This can cause significant disruption to users who need access to critical services. It is therefore imperative that all users are made aware of their responsibilities towards password security, and of the consequences of breaching these policies. More information on University passwords and guides to password security can be found at Registration.

Users may also be advised to protect against unauthorised access to their own machines, accounts and private information. Obviously this will depend on the specific environment; however, some examples could include simply locking office doors, password-protected screen locks (e.g. where locking doors isn't possible or offices are shared), logging out of sessions on public machines, and clear desk policies.

6.4. Visitor Accounts

Visitor accounts should be specifically issued, and the same University policies and practices (traceability, incident response etc.) apply to visitor accounts. The University has two services available for visitors, Eduroam and OWL-Visitor. For more information on these services please see OUCS and efficient IT. Where individual units wish to provide their own network access for visitors, this should be provided using their own specific IP address space, segregated from other networks within the unit. It is also important to be able to trace any abuse or misuse coming from such areas, so authentication should be considered. In some circumstances this may be difficult or not desirable; in that case the risks should be assessed and, for example, controls put in place to prevent abuse/misuse in the first place. For example, it may be deemed an acceptable risk to have unauthenticated access to specifically assigned networks if physical access is controlled, physical monitoring is in place, network access is allowed only to specific known good destinations etc.
