Security Policy

Last Updated: 10.24.13 by dglish
Process Name: UAS System Security
Owner: Debbie Glish Publications Administrator
Document Title: Data Systems Security
Document No. UASDSS0001
Purpose: Ensure that all users of UAS student loan management systems are properly authenticated and identified prior to gaining access to data.

Revision Number / Date | Revised by | Revision Description
UAS New Berlin 4.17.2013 | Debbie Glish, Publications Administrator | Initial Submission
UAS New Berlin 7.3.2013 | Debbie Glish | Update for User Access Review (v.2)
UAS New Berlin 10.24.2013 | Debbie Glish | Update for process
User ID: nspivey / Document ID: 310205438288 / eSignature: P2014042809595440000323676239855

Policy:
The policy covers the access security of all UAS owned student loan management systems.
Identification - All users of UAS student loan management systems must be properly identified.
Authentication - Users gaining access to UAS student loan management systems must be authenticated to confirm their identification before they are allowed access to data. Unauthorized users must not be allowed access. University Accounting Service, LLC requires that UAS Data Systems control system access through specific user credentials, including a User ID and password assigned by authorized UAS personnel.

Overview:
The purpose of UAS’ data systems policy is to document the minimum controls for obtaining and distributing user credentials.

Data System Components
Access to Systems Information

Required Practice:
Access permissions to student loan management systems will be granted to those employees, contractors, technicians, clients, or vendors who have legitimate business responsibilities in appropriate areas. Authorization is based on the frequency and type of need for access.

To secure credentials for a UAS employee, the employee's immediate supervisor is responsible for approving the request for access. For all other users, the eUAS Technical Team is responsible for approving requests for access prior to forwarding them to the UAS employee responsible for assigning access credentials.

1. Access credentials are intended for the sole use of the person issued the credentials.
2. Each User must be identified and authenticated before performing any actions on the system.
3. Each user accessing a UAS student loan management system must have a unique User ID so that each User is uniquely identified; for example, a system user ID must not be assigned to more than one person.
4. Direct login to system-based accounts must be limited to those individuals authorized by management.
5. The User must immediately notify the eUAS Technical Team when the User knows or suspects the credentials have been compromised.
6. Shared user IDs are prohibited.
7. A user identifier that has been inactive for a period of 60 days must be disabled.

Authentication
Authentication Requirements:
Users gaining access to UAS student loan management systems must be authenticated to confirm their identification. Authentication
requirements include:
1. Authentication information, e.g., password or PIN, must be kept confidential.
2. The following format restrictions are designed to help prevent passwords from being compromised. Personal passwords must be a minimum of 8 characters. Users must construct good passwords and manage them securely, keeping their passwords secret and not sharing them. The password format must:
   - Not include any portion of the user's logon name, the user's first/last name, or a word commonly found in any dictionary.
   - Incorporate at least 3 of the following:
      - Contain an upper case character (A through Z)
      - Contain a lower case character (a through z)
      - Contain at least 1 number
      - Contain non-alphanumeric characters (e.g., !, $, #, %)
3. New or re-enabled User Identifiers must be assigned pre-expired passwords that force the User to change them after the first use.
4. The password must not appear on the screen during the log-in process.
5. The password change process must force re-authentication. The current password must be re-entered, followed by the forced creation of a new password. The new password must then be verified by re-entry.
6. The network authentication process is limited to three unsuccessful attempts, after which the user is locked out.
7. In the event that a user suspects that another person knows an account password, the password must be changed immediately.
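The password format restrictions in requirement 2 above can be expressed as a single validation routine. The following is an added example written for this page, not code from UAS or from the document itself. It assumes two things the policy leaves unstated: that a "portion" of a name means any run of three or more characters from the logon, first, or last name, and that the dictionary check runs against a word list; the small word list and the sample user record here are constructed stand-ins for demonstration.

```python
import re

# Policy constants taken from the document text.
MIN_LENGTH = 8            # "Personal passwords must be a minimum of 8 characters."
REQUIRED_CLASSES = 3      # "Incorporate at least 3 of the following" four classes
MIN_FRAGMENT = 3          # Assumption: a "portion" of a name is any run of 3+ characters

# Constructed stand-in for "a word commonly found in any dictionary".
# A real deployment would load a full word list; this is sample data only.
COMMON_WORDS = frozenset({"password", "welcome", "summer", "student", "loan", "qwerty"})

# The four character classes named in the policy.
CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def name_fragments(name, min_len=MIN_FRAGMENT):
    """Yield every lower-cased substring of `name` that is at least `min_len` long."""
    name = name.lower()
    for start in range(len(name)):
        for end in range(start + min_len, len(name) + 1):
            yield name[start:end]


def check_password(password, logon_name, first_name, last_name):
    """Return the set of policy violations; an empty set means the password complies.

    Violation codes:
      too_short, contains_logon_name, contains_first_name,
      contains_last_name, dictionary_word, insufficient_character_classes
    """
    violations = set()
    lowered = password.lower()

    # "Personal passwords must be a minimum of 8 characters."
    if len(password) < MIN_LENGTH:
        violations.add("too_short")

    # "Not include any portion of the user's logon name or the user's first/last name"
    for code, name in (("contains_logon_name", logon_name),
                       ("contains_first_name", first_name),
                       ("contains_last_name", last_name)):
        if any(frag in lowered for frag in name_fragments(name)):
            violations.add(code)

    # "... or a word commonly found in any dictionary"
    if any(word in lowered for word in COMMON_WORDS):
        violations.add("dictionary_word")

    # "Incorporate at least 3 of the following" four character classes
    classes_met = sum(1 for pattern in CHARACTER_CLASSES.values()
                      if pattern.search(password))
    if classes_met < REQUIRED_CLASSES:
        violations.add("insufficient_character_classes")

    return violations


if __name__ == "__main__":
    # Constructed user record for demonstration only.
    user = ("jsmith", "John", "Smith")
    for candidate in ("smith2013", "Password1!", "Tr0ub4dor&3"):
        result = check_password(candidate, *user)
        print(f"{candidate!r}: {'OK' if not result else sorted(result)}")
```

Returning a set of violation codes rather than a single boolean lets the login or reset screen tell the user every rule they missed in one pass, which is what keeps users from cycling through near-identical rejected candidates.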

Access Controls
Access Control Requirements:
1. User access capabilities must be configured with least privilege to ensure the confidentiality and privacy of data and information. Users must have only the minimum access rights and privileges needed to perform the functions and transactions required by their job.
2. Access rights specified by an individual User take precedence over access rights associated with any group to which the User belongs. (This is also known as Discretionary Access Control.)
3. Access to restricted information must be strictly controlled, including:
   - Limiting privileged access to appropriate personnel;
   - Security commands, programs, utilities, and databases;
   - Program libraries;
   - Job or process execution station files;
   - User authorized profiles;
   - Accountability tracking logs; and
   - Backup files containing any of the above.
4. Only authorized UAS personnel are granted access capabilities to add/change/remove overall system security or control configurations.
5. User access capabilities must be changed immediately upon transfer, change of job responsibilities, or leave of absence (employee or third party).
6. When a user with access to a privileged account (such as supervisor or root) changes responsibility, passwords for that account must be changed immediately.
7. Human Resources must generate daily HR Reports and distribute them to the individuals responsible for terminating employee access to the applicable key systems. Termination requests are processed using the “IT Checklist for Terminated Employees”.
8. User access capabilities must be removed immediately upon termination of employment or business relationship (employee, third party, or client).
9. Data access must be periodically checked to ensure access is valid (including checking that terminated employees are removed). (See User Access Review procedure.)
10. Remote access must be strictly controlled.
11. Systems must include an appropriate time-out parameter for idle sessions, after which the User is forced to re-enter credentials.

Creation of New Accounts, Password Resets, Account Deletions:
1. All requests for new account credentials, password resets, and credential deletions are routed through the eUAS Technical Team mailbox.
   - For requests associated with UAS employee credentials, the employee’s immediate supervisor sends an email request to the eUAS Technical Team mailbox.
   - For requests associated with non-employees, a supervisor, the UAS representative assigned to the client, or the entity sends an email request to the eUAS Technical Team mailbox.
2. The Production Analyst confirms the identity of the user and the level of access required.
3. The Production Analyst creates a tracking ticket in the eUAS Project Tree detailing the request and attaches the email request to the Project.
4. In response to requests for new credentials, the Production Analyst:
   - Creates the credentials.
   - Sends the information to the user in two separate emails:
      - The first email contains the User ID and instructions to change the password on first login and create/confirm a secret question.
      - The second email contains the user’s initial password.
   - Marks the project as “complete” in the eUAS Project Tree.
   - Notifies the requestor of completion.
5. In response to requests for password resets, the Production Analyst advises the user to use the automated “forgot password” link on the system login screen. If the user still can’t log in, the Production Analyst follows the procedures for assigning new credentials.
6. In response to deletion requests, the Production Analyst:
   - Deletes the credentials.
   - Marks the project as “complete” in the eUAS Project Tree.
   - Notifies the requestor of completion.