Carnegie Mellon University

Guidelines for Data Protection - Electronic Access Controls

Electronic Access Controls

The following tables define baseline security controls for authentication, authorization and auditing of electronic access to Institutional Data and/or Information Systems that store, process or transmit Institutional Data. Controls in this section apply to user access as well as system and/or service access.

Authentication

Each control is followed by its requirement level for the Public, Private and Restricted classifications.

EA-1  Electronic access to Institutional Data and/or Information Systems is uniquely associated with an individual or system.
      Public: Optional for READ access to data; required for all other access.  Private: Required.  Restricted: Required.

EA-2  Electronic access to Institutional Data and/or Information Systems is authenticated.
      Public: Optional for READ access to data; required for all other access.  Private: Required.  Restricted: Required.

EA-3  Electronic access to Institutional Data and/or Information Systems is authenticated using multi-factor authentication.
      Public: Optional.  Private: Recommended.  Restricted: Recommended.

EA-4  Electronic access to Institutional Data and/or Information Systems that traverses the Internet is authenticated using multi-factor authentication.
      Public: Optional for READ access to data; recommended for all other access.  Private: Recommended.  Restricted: Required.

EA-5  Electronic access to Institutional Data and/or Information Systems is reauthenticated after a period of inactivity.
      Public: Optional for READ access to data; recommended for all other access.  Private: Recommended.  Restricted: Required.

EA-6  Where username and password authentication is employed, passwords are managed according to the Guidelines for Password Management.
      Public: Recommended.  Private: Recommended.  Restricted: Required.

Authorization

EA-7  Electronic access to Institutional Data and/or Information Systems is authorized by a Data Steward or a delegate prior to provisioning.
      Public: Optional for READ access; required for all other access.  Private: Required.  Restricted: Required.

EA-8  Electronic access to Institutional Data and/or Information Systems is authorized based on a business need.
      Public: Optional for READ access; recommended for all other access.  Private: Recommended.  Restricted: Required.

EA-9  Electronic access to Institutional Data and/or Information Systems is based on the principle of least privilege.
      Public: Optional for READ access; recommended for all other access.  Private: Recommended.  Restricted: Required.

EA-10 Electronic access to Institutional Data is reviewed and reauthorized by a Data Steward or a delegate on a periodic basis.
      Public: Optional for READ access; recommended for all other access.  Private: Recommended.  Restricted: Required.

EA-11 Electronic access is promptly revoked when it is no longer necessary to perform authorized job responsibilities.
      Public: Optional for READ access; required for all other access.  Private: Required.  Restricted: Required.

Access Logging

EA-12 Successful attempts to access Institutional Data in electronic form are logged. *
      Public: Optional for READ access; recommended for all other access.  Private: Optional for READ access; recommended for all other access.  Restricted: Optional for READ access; recommended for all other access.

EA-13 Failed attempts to access Institutional Data in electronic form are logged. *
      Public: Optional for READ access; recommended for all other access.  Private: Optional for READ access; recommended for all other access.  Restricted: Required.

EA-14 Changes in access to Institutional Data in electronic form are logged. *
      Public: Required.  Private: Required.  Restricted: Required.

EA-15 Electronic access logs are reviewed on a periodic basis for security events. *
      Public: Recommended.  Private: Recommended.  Restricted: Required.

EA-16 Electronic access logs are protected against tampering. *
      Public: Required.  Private: Required.  Restricted: Required.

* See Supplemental Guidance below.

Supplemental Guidance

EA-12 through EA-16: Auditing access to Institutional Data occurs at various levels, so similar requirements exist in the Application Security and Information Systems Security sections. In some situations the same set of controls may fulfill all three sets of requirements. For example, EA-12 is similar to AS-14 and IS-16: all three deal with logging of successful access attempts, but each deals with a different type of access. The Electronic Access Controls section deals with direct access to Institutional Data.

Audit logs should also be classified and protected like any other data set. The type of data in a log determines the appropriate classification for that log. For example, if a log file contains passwords, security controls should be implemented consistent with the Restricted classification, since Appendix A of the Guidelines for Data Classification defines Authentication Verifiers as Restricted information.
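The logging controls state what must be recorded (EA-12 to EA-14), that logs must be reviewed (EA-15) and that they must be protected against tampering (EA-16), but not how. The following is an added example, not part of the CMU guidelines or of any CMU system: a hash-chained access log in which each entry carries an HMAC-SHA256 over the previous entry's MAC and its own content, so that editing, deleting or reordering any entry invalidates every MAC that follows it, plus a review pass that flags repeated failed attempts and every grant or revoke. The key, the record fields, the sample events and the three-failure threshold are assumptions chosen for illustration.

```python
"""Tamper-evident access log and periodic review (illustration for EA-12 to EA-16).

Added example; not part of the CMU guidelines. Key, record layout and review
threshold are assumptions chosen for illustration.
"""
import hashlib
import hmac
import json
from collections import Counter

# Assumption: this key is held by the log collector (or SIEM) that verifies the
# chain, not by the application host that writes entries. Without that
# separation, whoever compromises the writer can simply re-chain the log.
LOG_KEY = b"example-verification-key-held-by-log-collector"
GENESIS = "0" * 64  # chain anchor used as the "previous MAC" of entry 0


def _entry_mac(key, prev_mac, seq, record):
    """HMAC-SHA256 over the previous MAC plus this entry as canonical JSON."""
    body = json.dumps({"seq": seq, "record": record}, sort_keys=True,
                      separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def append_entry(log, record, key=LOG_KEY):
    """Append one access event (success, failure or access change) to the chain."""
    record = dict(record)  # copy so later edits to the caller's dict cannot alter the log
    prev_mac = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "record": record, "mac": _entry_mac(key, prev_mac, seq, record)}
    log.append(entry)
    return entry


def verify(log, key=LOG_KEY, expected_last_mac=None):
    """Return None if the chain is intact.

    Otherwise return the seq of the first entry that fails verification, or -1
    when the chain is internally consistent but its last MAC differs from the
    one the collector recorded (the tail of the log was truncated).
    """
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        expected = _entry_mac(key, prev_mac, entry["seq"], entry["record"])
        if entry["seq"] != i or not hmac.compare_digest(expected, entry["mac"]):
            return i
        prev_mac = entry["mac"]
    if expected_last_mac is not None and prev_mac != expected_last_mac:
        return -1
    return None


def review(log, failure_threshold=3):
    """Periodic review (EA-15): principals with repeated failures, and every access change."""
    failures = Counter(e["record"]["principal"] for e in log
                       if e["record"]["outcome"] == "failure")
    return {
        "repeated_failures": {p: n for p, n in failures.items() if n >= failure_threshold},
        "access_changes": [e["seq"] for e in log
                           if e["record"]["action"] in ("grant", "revoke")],
    }


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00Z", "principal": "jdoe", "action": "read", "resource": "hr/payroll", "outcome": "success"},
    {"ts": "2024-03-01T09:05:00Z", "principal": "steward1", "action": "grant", "resource": "hr/payroll", "subject": "asmith", "outcome": "success"},
    {"ts": "2024-03-01T09:06:00Z", "principal": "asmith", "action": "write", "resource": "hr/payroll", "outcome": "success"},
    {"ts": "2024-03-01T23:10:00Z", "principal": "svc-etl", "action": "write", "resource": "hr/payroll", "outcome": "failure"},
    {"ts": "2024-03-01T23:10:02Z", "principal": "svc-etl", "action": "write", "resource": "hr/payroll", "outcome": "failure"},
    {"ts": "2024-03-01T23:10:04Z", "principal": "svc-etl", "action": "write", "resource": "hr/payroll", "outcome": "failure"},
    {"ts": "2024-03-02T08:00:00Z", "principal": "steward1", "action": "revoke", "resource": "hr/payroll", "subject": "asmith", "outcome": "success"},
]


def build_sample_log(key=LOG_KEY):
    log = []
    for record in SAMPLE_EVENTS:
        append_entry(log, record, key)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify(log) is None)        # True
    print("review findings:", review(log))
    log[3]["record"]["outcome"] = "success"            # attacker hides a failed attempt
    print("first bad entry after edit:", verify(log))  # 3
```

Keying the chain only helps if the verification key lives somewhere the log writer cannot reach, typically the collector or SIEM that receives the entries; a plain unkeyed hash chain can be recomputed by anyone who can edit the file. Truncating the tail of the log is invisible to chain verification alone, which is why verify() also accepts the last MAC the collector recorded. Since an entry may itself carry Restricted data (the password case in the supplemental guidance), the log inherits the classification of the most sensitive field it contains.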