Title:	Multi-Factor Authentication Policy
Policy Owner:	Information Technology Services / Chief Information Security Officer
Applies to:	All employees, students
Campus Applicability:	All Campuses
Effective Date:	March 29, 2023
For More Information, Contact	UConn Information Security Office
Contact Information:	techsupport@uconn.edu or security@uconn.edu
Official Website:	https://security.uconn.edu/

PURPOSE 

To help prevent unauthorized access to University information systems.

DEFINITIONS  

DUO: A University–approved Multi-Factor Authentication (MFA) application That provides an added layer of protection to help prevent unauthorized access to university information systems. DUO can be loaded on individual devices including smartphones and tablets. It can also provide multi-factor authentication through the sending of SMS codes directly to phones and through the use of pre-generated codes.

Fob: A small hardware device that serves as a second authentication mechanism either in place of in addition to the DUO mobile app.

University Information System: Devices and/or components managed by the University for collecting, storing, and processing data and for providing information, knowledge, and digital products. For purposes of this policy, information technology devices and components managed exclusively by UConn Health are not considered University Information Systems.

 Multi-Factor Authentication (MFA): MFA is a method of system access control in which a user is granted access only after successfully providing at least two pieces of authentication, usually including knowledge (something the user knows such as a password), possession (something the user has such as a token generator), or inherence (something the user is such as the use of biometrics).

POLICY STATEMENT  

Users of University Information Systems must adhere to Multi-Factor Authentication requirements, where available, to ensure authorized access to University Information Systems and protected or confidential data.

PROCEDURES

User Requirements

1. Users must maintain a device that can receive DUO authentication requests in a secure manner via the DUO mobile app or another mechanism, such as SMS, phone, or token.
2. When an attempt is made to access a DUO enabled system or application, the system will challenge the user by requesting a second factor of authentication which may include an acknowledgement of a push notification via the DUO app, a 6-digit code via SMS, or a Fob.
3. If users receive a DUO notification when not conducting a recent authentication, the authentication should be denied and reported to the Technology Support Center

Frequency of User Challenges

The frequency with which a user may be challenged depends both on policy and use.

• Policy based – depending on information being accessed, more frequent authentications may be required.
• Usage based – While user challenges may be “remembered” for a period of time, use of other hardware, browsers, or other behaviors may trigger additional verification using a second factor.

Lost or Stolen Devices

If a user’s registered device is lost, stolen, or the user has reason to suspect their UConn NetID has been compromised, the user must contact the Technology Support Center immediately. As a precaution, they should change their NetID password at netid.uconn.edu

Off-Hours and Emergency Access to systems and applications

UConn Information Technology Services will maintain internal procedures for processing emergency access requests if issues arise with the multi-factor authentication process. Users should contact the Support Desk for additional information.

Use of Automated Systems

Automated systems that intend to interfere with the approval component of multi-factor authentication are hereby prohibited.

ENFORCEMENT 

Users may not attempt to circumvent login procedures, including DUO multi-factor authentication, on any computer system or otherwise attempt to gain unauthorized access. Attempts to circumvent login procedures may subject individuals to disciplinary action. Financial losses incurred due to the use of DUO multi-factor circumvention techniques are the responsibility of the user, and the University may seek financial restitution from users who violate this policy.

Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.

EXCEPTIONS

ITS will review and document any requests for exceptions to this standard. ITS will also have available solutions for the intermittent failure of various second factors, which may include the allowance of temporary access codes upon verification of an individual’s identity.

Questions about this policy or suspected violations may be reported to any of the following:

Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

POLICY HISTORY 

Policy created:  March 29, 2023 (Approved by Senior Policy Council)

 

 

Title:	Mobile and Remote Device Security, Information Technology
Policy Owner:	Information Technology Services / Chief Information Security Officer
Applies to:	All faculty, staff, student employees, and volunteers
Campus Applicability:	All campuses except UConn Health
Effective Date:	August 30, 2021
For More Information, Contact	UConn Information Security Office
Contact Information:	techsupport@uconn.edu or security@uconn.edu
Official Website:	https://security.uconn.edu/

PURPOSE 

To ensure data and information systems security by establishing requirements for mobile and remote devices.  Mobile and remote devices are important tools for the University, and their use is supported to advance the mission of the university. Mobile and remote devices also represent a significant risk to information and data security. If appropriate security measures and procedures are not applied, mobile and remote devices can serve as a conduit for unauthorized access to University data and IT resources that can subsequently lead to data leakage and a path for compromise of other systems. 

APPLIES TO 

This policy applies to all University faculty, staff, student employees, and volunteers who use mobile or remote devices to access any non-public IT resources owned or managed by the University. 

DEFINITIONS 

IT Resources: Includes systems and equipment, software, and networks. Systems and equipment include but are not limited to computers, hard drives, printers, scanners, video and audio recorders, cameras, photocopiers, and other related devices. Software includes but is not limited to computer software, including open-source and purchased software, and all cloud-based software, including infrastructure-based cloud computing and software as a service. Networks include but are not limited to all voice, video, and data systems, including both wired and wireless network access across the institution. 

Mobile Electronic Device: Includes telecommunication and portable computing devices which can execute programs or store data, including but not limited to laptops, tablet computers, smartphones, and external storage devices. Generally, a device capable of using the services provided by a public/private cellular, wireless, or satellite network. 

Remote Device: Personal computer used off-site 

POLICY STATEMENT  

University of Connecticut faculty, staff, student employees, and volunteers who use mobile or remote devices are responsible for any institutional data that is stored, processed, and/or transmitted via a mobile or remote device and for following the security requirements set forth in this policy. 

To adequately protect the data and information systems of the University, all individuals covered under this policy are expected to meet the following requirements: 

All users of a mobile electronic device used to access non-public university systems must take the following measures to secure the device: 

• Configure the device to require a password (minimum of 10 characters), biometric identifier, PIN (minimum of 6 characters), or swipe gesture (minimum of 6 swipes) to be entered before access to the device is granted. Device must automatically lock and require one of the authentication methods after no more than 5 minutes of idle time. 
• Keep devices on currently supported versions of the operating system and remain current with published patches. 
• Enable the device’s remote wipe feature to permit a lost or stolen device to be securely erased. 
• Securely store electronic devices at all times to minimize loss via theft or accidental misplacement. 

Wherever practical, elements of these requirements will be enforced via centrally administered technology controls.  

STORAGE OF CONFIDENTIAL DATA 

In general, confidential data should not be stored on mobile devices, including laptops. However, in certain instances and depending on job responsibilities, this may be unavoidable. In these instances, confidential data must be stored on university-owned devices ONLY with the following requirements: 

• Except when being actively used, confidential information must at all times be encrypted on any device through a mechanism approved by the University. Alternatively, whole drive encryption software may be deployed to meet this requirement. 
• Mobile devices must have university-supported software enabled and running to identify, protect, and respond to any threats to the data or operating systems of the devices. 
• Devices must have Mobile Device Management software installed to facilitate device protection, including remote wipe and, if possible, device location technology for recovery. 

DEVICE DECOMISSION OR SEPARATION FROM UNIVERSITY 

When mobile devices, specifically personally owned devices that may have had access to University resources or data, are no longer used, and donated, or given to anyone, the device owner is responsible for ensuring that any University information is securely deleted from the device, including University-related e-mails/accounts, user ID and password, or other cached credentials used to access University systems. 

In the event of separation from the University, it is the employee’s responsibility to delete any University-related e-mail accounts or University licensed software that may have been installed on personal devices or computers. 

ENFORCEMENT 

Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code. 

Questions about this policy or suspected violations may be reported to any of the following: 

Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

Information Security Office – https://security.uconn.edu 

 

POLICY HISTORY 

Policy created:  August 30, 2021 [Approved by President’s Senior Team] 

Title:	System and Application Security Policy
Policy Owner:	Information Technology Services / Chief Information Security Officer
Applies to:	All students, faculty, and staff
Campus Applicability:	All campuses except UConn Health
Approval Date:	August 30, 2023
Effective Date:	August 31, 2023
For More Information, Contact:	UConn Information Security Office
Contact Information:	techsupport@uconn.edu or security@uconn.edu
Official Website:	https://security.uconn.edu/

PURPOSE 

To ensure the security of university data and systems by establishing requirements for the proper maintenance and oversight of systems and applications used by university constituents.

APPLIES TO 

This policy applies to all individuals responsible for operating or overseeing any University system or application, whether on premise or in the cloud.

DEFINITIONS  

Academic / Research System: A system whose primary responsibility relates to individual academic work or research

Administrative System: Any system that is used in support of the operation of the university excluding individual Academic / Research Systems.

Client Network: A client network is a computer network where individual machines are connected. Client networks consume services and do not offer services to the general population

ITS: Information Technology Services

IT Professional: An individual (staff) who is trained and skilled in using technology to solve business problems coupled with assigned job duties in support of technology at the university. This must be a defined responsibility within the position job description and may not fall under “other duties as assigned.” Appropriate training, support, and budget must also be available in support of the IT Professional role.

Local Network: The local network is those computers logically located in the same subnet

SaaS: Cloud-based service that is delivered via the web based on either a monthly or annual subscription

PaaS:  Cloud-based service that provides a platform allowing for the development of software using an established framework to improve development time and management of cloud services

PII (Personally Identifiable Information):  Information that either singularly or in conjunction with other data elements could reasonably lead to the identification of specific individuals

Public Availability: Services offered publicly include services offered outside of the local network

Regulated Data: Any data that has regulations around its protection prescribed either by law or contract is automatically considered administrative data. Examples include: Personally Identifiable Information (PII), Payment Card Information (PCI), Personal Health Information (PHI) and FERPA (Family Educational Rights and Privacy Act)

System Owner: The individual who is responsible for the planning and operation of the service. All systems must have a designated system owner.

POLICY STATEMENT  

The proper management, maintenance and support of systems and applications is critical to protecting the data they store or process from a confidentiality, integrity, and availability perspective.

Basic Requirements (all systems including academic, administrative and research)

System Ownership

All systems including cloud-based systems supporting any aspect of the University must have an identified owner and responsible party for ensuring the controls specified in this policy.

All software and services used to process University information are subject to an Information Security review and sign off prior to their purchase or development. Information Security reviews will evaluate specific risks and controls available and necessary based on the information being processed. The system owner will be responsible for the deployment of the agreed upon security controls prior to enabling the production capability of the system or application.

System Access

Access to information in the possession of or under the control of the University must be provided on a need-to-know basis. Information must be disclosed only to individuals who have a legitimate and approved need for the information. For most applications, this requires the use of proper authentication methodologies and the use of Single Sign On (SSO) is encouraged.

Information may only be used for its intended purpose, and other uses of university information without the approval of the data owner is prohibited.

Patching and Maintenance

All system owners must ensure the timely implementation of operating systems and application patches to provide for the confidentiality, integrity, and availability of the systems or data. The ongoing maintenance of applications and the application of software updates is an activity that must be minimally scheduled on a quarterly basis.

System and Application Lifecycle Management

System owners are responsible for the planning of and budgeting for system maintenance and obsolescence. Any system or application that is no longer supported by the vendor or is replaced by newer technology should be decommissioned as soon as possible.  The decommissioning process must include the proper retirement of any physical hardware or virtual images and the proper destruction of any media (e.g., hard drives, tapes, etc.) that may have data. Cloud services that are decommissioned should ensure the proper handling of any data (return and/or destruction) in the cloud vendor’s possession as part of the contract cancellation.

Cloud based systems

Software as a Service / Platform as a Service

While patching and maintenance of Cloud-based SaaS and PaaS systems is typically handled by the vendor, identified individuals are responsible for proper security configurations and user management associated with providing the service. A Vendor Risk Management review is necessary for all newly procured services.

Infrastructure as a Service (IASS)

IAAS provides a significant amount of flexibility in the configuration and use of the platform. This requires additional expertise that requires management by an IT Professional and where applicable must meet the same requirements as Administrative Systems.

Administrative Systems

System and Application Security

Administrative systems due to their complexity must be managed by an IT Professional.

Administrative systems will be required to adhere to all regulatory requirements and meet security controls / standards as set forth by the Information Security Office based on institutional requirements.

Encryption

All systems housing administrative data are expected to have data encrypted in transit and at rest to protect data. Where available, encryption keys should reside outside of the application.

User Management

University of Connecticut Information Technology Services (ITS) provides centralized user identity and access management that supports identity validation and access management (IAM) using a NetID and password providing for single sign on (SSO) across multiple systems. Systems and applications that rely on the University IAM platform for authenticating individual access rights can forgo the need for user management outside that of assigning any roles within the system or application, as necessary. The use of SSO for all systems is highly recommended.

Systems and applications that do not use the central IAM solution must have a written plan and designated individual responsible for the creation, modification, and deletion of user IDs. User IDs, including student accounts, must be reviewed when faculty, staff, or students separate from the University at least annually. This includes a process for ensuring the secure creation of passwords and a secure password reset process for validating an individual’s identity prior to resetting the password.

Systems where individuals have access to a significant amount of the PII of other constituents, including but not limited to students, faculty, staff, alumni, and vendors, or significant amounts of regulated data require two-factor authentication wherever possible.

Software Maintenance

Only necessary software should be loaded on systems, and old versions of software removed. The use of web browsers and other individual productivity tools should be limited to the management of the system only.

Auditing of Systems and Application Logs

System and application logs must be reviewed for inappropriate access on a regular basis (at least monthly) or via automated systems capable of detecting misuse through the analysis of frequent password failures, geographic anomalies, or inappropriate access attempts. ITS maintains a centralized logging and reporting platform, which can assist in the analysis of large amounts of data often associated with system and application logs. All administrative systems must log to the centralized logging and reporting platform events related to login activity and security event data.

Mandatory Reporting

All suspected policy violations, system intrusions, and other conditions that might jeopardize University information or information systems must be immediately reported to the Information Security Office.

ENFORCEMENT 

Systems and applications that do not follow the standards set forth in this policy may be administratively shut down or have access restricted. Systems maintained at the departmental or individual level may incur costs in association with enabling the proper protections or in the event of data exposure.

Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct, applicable collective bargaining agreements, and the Student Code.

PROCEDURES/FORMS 

Questions about this policy or suspected violations may be reported to any of the following: 

Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) or UConn Reportline (1-888-685-2637)

Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

Information Security Office – https://security.uconn.edu 

POLICY HISTORY 

Policy created: August 30, 2021 (Approved by President’s Senior Team)

Revisions: August 30, 2023 (Approved by the Senior Policy Council and the President)

 

Title:	Firewall Policy
Policy Owner:	Information Technology Services / Chief Information Security Officer
Applies to:	All students, faculty, and staff responsible for configuring firewalls
Campus Applicability:	All campuses except UConn Health
Effective Date:	August 30, 2021
For More Information, Contact	UConn Information Security Office
Contact Information:	techsupport@uconn.edu or security@uconn.edu
Official Website:	https://security.uconn.edu/

PURPOSE 

To ensure a common set of firewall configurations across the organization to maximize their protection and detection capabilities in support of the security of the University. Firewalls provide a valuable protection and detection capability for the organization when properly configured, managed, and monitored.  

APPLIES TO 

This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have responsibility for controlling or configuring firewalls. 

DEFINITIONS 

EOL: End of Life 

EOS: End of Support 

IANA: Internet Assigned Numbers Authority (iana.org)  

POLICY STATEMENT  

The University operates in a highly flexible and adaptive security environment to meet its academic, research, and administrative missions. While the ability to adapt to meet the ever-changing needs of the University is important, oversight and reporting of firewall activities are critical to the successful protection and operation of the University environment. The following firewall requirements must be met: 

Firewall Configuration Standards 

• All firewalls must be properly maintained from a hardware and software perspective. This includes proper lifecycle planning for EOL and EOS software/hardware and regular review (at least annually) of firewall rulesets. 
• All dedicated firewalls used in production must follow the University firewall management standard, which includes the ability to review currently configured firewall rules across the organization, identification of shadow or redundant rules and rules in conflict, and standardization of device/object names.  
• Firewall rulesets and configurations must be backed up frequently to alternate storage (not on the same device). Multiple generations must be captured and retained in order to preserve the integrity of the data, should restoration be required. Access to rulesets, configurations and backup media must be restricted to those responsible for administration and review. 

Firewall Rules 

Firewall rules specify (either allow or deny) the flow of traffic through the firewall device. Firewall rules are typically written based on a source object (IP address/range, DNS Name, or group), destination object (IP address/range, DNS Name, or group), Port/Protocol and action. 

• All firewall implementations should adopt the principal of “least privilege” and deny all inbound traffic by default. The ruleset should be opened incrementally to only allow permissible traffic. 
• Outbound traffic should be enumerated for data stores, applications, or services 
• Overtly broad rules may be allowed for specific groups of individuals (not systems). Approval must be granted by the Chief Information Security Officer or their designee. 
• The use of overly permissive firewall rules is prohibited (i.e., ANY/ANY/ALL rules). 
• Protocols defined in services and in the firewall must utilize Service Name and Protocol/Port information as assigned by IANA, unless there is a technical reason to do otherwise other than “security through obscurity” and must be commented appropriately in the ruleset.  

Firewall Logging 

Firewall log integrity is paramount to understanding potential threats to the network. Firewall devices must log the following data to a system outside of the physical firewall itself and must be regularly reviewed at least monthly or programmatically through automated means. Firewall logs may be forwarded to the ISO SIEM for retention and analysis. 

The following items must be logged as part of the operation of the firewall: 

• All changes to firewall configuration parameters, enabled services, and permitted connectivity 
• Any suspicious activity that might be an indicator of either unauthorized usage or an attempt to compromise security measures 

ENFORCEMENT 

Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.  

Questions about this policy or suspected violations may be reported to any of the following: 

Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

Information Security Office – https://security.uconn.edu 

 

POLICY HISTORY 

Policy created: August 30, 2021 [Approved by President’s Senior Team]