South Plains College

Information Services (SPC-IS)

 

Multi-Factor Authentication: I-D(b)

Overview
An individual could gain unauthorized access to the campus network and information system in many ways. The South Plains College Office of Information Services (SPC-IS) has enacted a standard method of protection against unauthorized access using multi-factor authentication (MFA). MFA is a security process whereby users must provide at least two different authentication factors to verify their identities and access their accounts. This process ensures better protection of a user’s personal information, credentials, and other assets while improving the security around the resources the user can access. MFA must be universal for all privileged or administrator accounts.

Purpose
This policy provides policies for MFA connections to South Plains College information systems on and off campus. These standards are designed to control the security risk to SPC systems from unauthorized use of college resources. MFA adds a layer of security that helps deter the use of compromised credentials.

Scope
This policy applies to all South Plains College community members, including affiliates, students, faculty, staff, and retired employees who maintain an SPC account credential. It also applies to all SPC systems where MFA can be utilized.

Definitions

  1. Multi-factor authentication: Using two or more factors to validate the identity of a user.
  2. Factor (of authentication): Five factors are used in combination, resulting in multi-factor authentication. They are:
    1. Something the user knows (username and password)
    2. Something the user has (an item the user physically carries with them)
  • Something the user is (biometrics: fingerprints, face scan, etc.)
  1. Somewhere the user is (geolocation, on-premises)
  2. Something the user does (keystroke patterns)
  1.  
  2.  
  3.  
  4.  

Policy

 

 

 

 

 

 

  1. All individuals are required to take one additional step beyond the normal login process to access campus resources and the campus network: registering a second approved device.
  2. MFA is required on all new accounts created.
  3. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this safeguard.
  4. MFA is required for remote network access.
  5. MFA is required for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
  6. Responsibilities
    1. It is the user’s responsibility to promptly report compromised credentials to the Information Security team.
    2. The user promptly reports a lost or stolen MFA device to the Information Security team.
  7. MFA Changes

The user must visit the SPC Help Desk to change MFA information. The User must provide valid identification with a Photo to make changes.

  1. Exemptions
    There may be situations in which an SPC member has a legitimate need to utilize college technology resources outside the scope of this policy. The Information Security team may approve exception requests in advance based on balancing the benefit versus the risk to the college.

Enforcement

 

 

 

 

 

 

    1. This policy regulates all MFA access to the South Plains College’s network, and users must comply with the Information Security Use.
    2. Services will be disabled immediately if suspicious activity is observed and will remain disabled until the issue has been identified and resolved.
    3. By using South Plains College’s services, the user agrees to the SPC Acceptable Use Policy (ID)

Related Policies, References and Attachments:

1 TAC § 202.74 (a)(2)

1 TAC § 202.75 (a)(2)

 

An index of approved SPC-IS policies can be found on the SPC Policies website at http://www.southplainscollege.edu/human_resources/policy_procedure/?%20.  The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.

 

Texas Security Controls Standards Catalog Control Group: AC7, IA2,

 

NIST Function Groups: ID.AM-1, ID.AM-2. ID.SC-2, ID.SC-4, PR.AC-1, PR.AC-4, PR.DS-3, PR.IP-1, PR.PT-1