Multi-Factor Authentication Policy

Approved by Senior Administrators October 10, 2017

1. Purpose

The purpose of this policy is to define requirements for accessing Connecticut College's network and information systems from off campus. These standards are designed to minimize Connecticut College's security exposure to damage that may result from unauthorized use of Connecticut College resources. Multi-factor authentication adds a layer of security that helps deter the use of compromised credentials.

2. Scope

This policy applies to all members of the Connecticut College community, and College Affiliates with a college-owned or personally-owned computer or workstation used to connect to the campus network and technology resources. Many systems on Connecticut College’s campus may be protected by multi-factor authentication (“MFA”). This policy applies to any college system that requires an additional layer of protection, as determined by the Information Security Office (ISO) in collaboration with campus Data Stewards, such as: Central Authentication Service (CAS), G-suite access, VPN, Banner and system administration tools & privileged accounts.

3. Definitions and Authority

“Central Authentication Service (CAS)” is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as user id and password) only once.

“College Affiliate” or “Contractor” is someone officially attached or connected to the College who is not a student or employee (e.g., contractors, vendors, interns, temporary staffing, volunteers).

“Data Steward” is a person responsible for the management and fitness of data elements (also known as critical data elements), both the content and the metadata.

“Duo” is a cloud-hosted two-factor authentication system that works with several other information systems to provide an added layer of protection.

“Multi-Factor Authentication (MFA)” is a method of computer access control in which a user is granted access only after successfully presenting multiple separate pieces of evidence to an authentication mechanism, typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).

“VPN” or Virtual Private Network is a method employing encryption to provide secure access to a remote computer over the Internet.

4. Policy

4.1 User Requirements

  • Register a device or alternative contact to provide a secure method for Connecticut College to contact you during the authentication (logon) process, such as a cellphone that can receive texts, a landline phone or a non-College email address. If you do not register, you will not be able to use MFA; if MFA is required for that system or service, you will not be able to use the system.

  • When you attempt to log into a Connecticut College system protected by MFA, the system will “challenge” you by requesting a secret security code. This code will be provided through the secure method you selected during registration or as a confirmation request in the MFA application. If you enter the correct code, you will be allowed into the system. Failed attempts will be handled according to current College account policies and procedures referenced in the Network Connection Policy.

  • It is your responsibility to promptly report the theft, loss or unauthorized disclosure of proprietary or personally identifiable information (PII) to the IT Service Desk.

4.2 Registration

Users will use the MFA self-enrollment process to register their authentication device(s) and install the Duo Mobile MFA application. The process guide for registration is located here: http://guide.duosecurity.com/enrollment

4.3 Frequency of user challenges

Once a user has authenticated through the MFA process on a specific device, that user will not need to use the multi-factor authentication process again for the following time intervals:

Authentication To                                         Trust Period
Virtual Private Network (VPN)                             None. MFA required for every new connection.
Central Authentication Service (CAS), includes G-Suite    Up to 1 day
Ellucian Banner (ERP)                                     Up to 1 day
Other services and applications (e.g. LastPass)           Consult application or service owner

4.4 Lost or stolen devices

If you have had a device or data stolen, have lost data, or believe that an individual has broken into your computer, please contact the IT Service Desk IMMEDIATELY at Help@conncoll.edu or 860 439 4357.

5. Exceptions

5.1 Request

There may be situations in which a User has a legitimate need to use Connecticut College technology resources outside the scope of this policy. The Information Security Office may approve, in advance, exception requests based on balancing the benefit versus the risk to the College. Exception requests should be made through a Web Help Desk ticket or by contacting the IT Service Desk at x4357.

Include a brief description of the type of data you need to access. Please be certain to indicate if you handle Personally Identifiable Information (PII) or other confidential information, such as electronic protected health information (ePHI), financial data, student academic records (e.g. grades or test scores), credit card payments or Social Security numbers, or if you work with children.

5.2 Periodic Review and Recertification

Due to the evolving nature of technology and cyber threats, and the changing roles of users at the College, all exemptions will be reviewed periodically and at the discretion of the ISO in collaboration with Data Stewards. This review will verify that the need stated in the request is still valid and/or that the employee still requires the approved MFA-exempted access.

6. Off-Hours and Emergency Access to Protected Data

Enterprise & Technical Systems shall maintain internal procedures for processing emergency access requests if issues arise with the MFA authentication process. In the event of an emergency, users should contact the IT Service Desk for access at help@conncoll.edu or 860.430.4357.


Related Standards, Policies and Processes