Description
Section 3 of this control is not intended to apply to workstation (desktop/laptop) operating system interactive (in-person) logons.
Applicability
This Control applies to all Texas A&M information resources. The intended audience for this Control includes all owners and custodians of information resources.
Implementation
1 Information resources shall be configured to uniquely identify and authenticate all users of university information resources (See Control AC-2, Account Management).
1.1 Users must be uniquely identified and authenticated before the information resource may grant that user access.
1.2 Unique identification of individuals in group accounts (e.g. shared privilege accounts) may need to be considered for additional accountability of activity.
2 Multi-factor authentication should be implemented based on documented risk management decisions for access to privileged or non-privileged accounts where one of the factors is provided by an asset separate from the information being accessed.
3 Multi-factor authentication is required for any information resource that stores or processes Confidential or Critical data.