Description

The capability for information resources to uniquely identify and authenticate university faculty, staff, students, and other approved users.

Applicability

  • This Control applies to all Texas A&M information resources. The intended audience for this Control includes all owners and custodians of information resources.

Implementation

  • 1

    Information resources shall be configured to uniquely identify and authenticate university faculty, staff, and students who utilize the information resources (see Control AC-2, Account Management).

    • 1.1

      Users must be uniquely identified and authenticated before the information resource may grant that user access.

    • 1.2

      Unique identification of individuals in group accounts (e.g., shared privilege accounts) may need to be considered for additional accountability of activity.

  • 2

    Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, smartphone authenticator applications, or, in the case of multifactor authentication, some combination thereof.

  • 3

    Multifactor authentication should be considered, based on documented risk management decisions, for network access to privileged accounts, where one of the factors is provided by an asset separate from the information being accessed (e.g., external token-based device or client-based certificate).

    • 3.1

      Multifactor authentication is required for all restricted and confidential data.