Application Accounts Guidelines
This document summarizes application account guidelines for the Data Warehouse managed by the AITS Decision Support unit.
Application logons are defined as logons designated for a computer application or group of applications. They are often needed in units where a scheduled application retrieves data from the Data Warehouse. In many cases, there are multiple technical staff supporting the application. Use of individual logons in these situations involves sharing personal logon, in violation of University policy.
University policy indicates that responsibility for logons is generally assigned to an individual. The policy (http://www.obfs.uillinois.edu/cms/one.aspx?portalId=909965&pageId=914038#ff) says:
The purpose of the policy is to maintain information about the person responsible for use of a login, should there be a security/confidentiality violation.
Access to the network and servers and systems will be achieved by individual and unique logins, and will require authentication. Authentication includes the use of passwords, smart cards, biometrics, or other recognized forms of authentication.
As stated in the current campus policies on appropriate and acceptable use, users must not share usernames and passwords, nor should they be written down or recorded in unencrypted electronic files or documents. When limited access to university-related documents or files is required specifically and solely for the proper operation of University units and where available technical alternatives are not feasible, exceptions are allowed under an articulated unit policy that is available to all affected unit personnel. Each such policy must be reviewed by the unit executive officer and submitted to the CIO for approval. All users must secure their username or account, password, and system access from unauthorized use.
Logins and passwords should not be coded into programs or queries unless they are encrypted or otherwise secure.
AITS Decision Support will provide second logons for use with applications to individuals. The individual is accountable for all use of the application login, just as s/he is for use of a personal logon.
Where there will be multiple individuals supporting an application and using the application logon, each of those individuals must be identified to AITS Decision Support.
Unit Roles and Responsibilities
Each unit appoints a person to be responsible for security implementation, incident response, periodic user access reviews, and education of information security policies including, for example, information about virus infection risks.
Applications that access secured data in the Data Warehouse are expected to have a security plan and process to continue appropriate access for secured data as it moves from central database (Data Warehouse) to local use.
- As with personal logons, the individual assigned an application logon is accountable for all use of the application logon. This responsibility includes providing secured data to other individuals via the application and ensuring that the security classification of the data is maintained as it is distributed at the point of contact with the application. (This responsibility is the same as the expectation that individuals distributing data via reports, spreadsheets or other means.)
- Should the individual assigned an application logon leave the university, the logon name may be retained but responsibility must be reassigned to another individual. When the logon is reassigned to a new individual, the password must be changed. If an application logon is not reassigned, it may be suspended or terminated, just as other logons without employees may be, in the course of normal maintenance. Requests for reassignment are done through the Unit Security Contact (USC) for the unit.
- Those who are secondary users of another person’s application logon, as part of their assigned duties to support the application, have the same responsibilities for ensuring appropriate use of secured data.
- Those who are secondary users of another person’s application logon must be designated to AITS Decision Support and indicate they understand these responsibilities for use of another person’s logon.
- As with personal logons, the password for application logons should be changed on a periodic basis. Owners should document steps related to password changes for their own use that apply to their own local systems and perform these steps when the application logon password is changed.
Central Roles and Responsibilities
- AITS is responsible for answering questions on the security status of Data Warehouse data so that a) the unit may take appropriate security measures in the application’s security plan and b) those with application logons may ensure appropriate use of the data via the application.
- AITS may from time to time audit a unit's procedures for handling application logons that access the Data Warehouse in order to ensure their effectiveness; whether audited or not, units remain responsible for ensuring the effectiveness of their procedures.
- AITS will approve units having application logins (as defined) based on the general need of the unit; this approval of the need for the service and the general procedures and roles involved in the service normally takes place once, and is not reviewed when the specific individuals change. If a unit changes the number or names of individuals, AITS expects that the use and process already approved will not materially change. Review of applications themselves is not within the scope of this policy.
- Information Technology Leadership Team (IT LT) and AITS will consult on interpretations of the University Information Security Policy as it pertains to application logons for the Data Warehouse.
- In the course of fulfilling its auditing responsibilities for information security, the Office of University Audits may review management’s controls over system access and information use, disclosure, modification, or loss.
- Members of IT LT are responsible for procedures for appropriate training to data owners, data custodians, network and system administrators and users; for procedures to implement University Information Security policies and for monitoring compliance.