|
Scope:
Information Technology Services
|
Policy Administration:
Information Security Officer
|
|
Applies to:
Employees, Contractors, Third Party Service Providers and Students
|
Version:
2nd Draft as of 2022-02-16
|
|
Approved by:
Associate Vice President and Chief Information Officer
|
Approved on:
2022-02-17
|
1. PURPOSE
This policy establishes Multi-factor Authentication (MFA) as an additional layer of security beyond username and password credentials that may be required in order to access Framingham State University’s (FSU’s) protected information systems and communications network when necessary and if technically feasible. MFA makes it more difficult for unauthorized users to gain access to information systems, even if username and password credentials are obtained, which reduces the potential exposure from damages that may result from unauthorized access.
2. POLICY STATEMENT
Authorized users of FSU’s protected information systems and communications network will be required to use MFA in order to gain access to resources as determined necessary and technically feasible by the Information Security Officer consistent with compliance obligations of the University, in accordance with generally accepted best practices, and in consultation with the leadership team within Information Technology Services and the cross-functional administrative and student information management team.
3. ASSIGNED ROLES AND RESPONSIBILITIES
| Role |
Assigned Responsibilities |
| Authorized Users of MFA |
- Authorized users will be required to enroll a device to serve as the second authentication method as part of multi-factor authentication. This second device can be an office phone, cell phone, or supported authenticator app. Multiple authentication methods can be added to a single login account.
- Anyone who does not register will not be able to use MFA. Therefore, if MFA is required in order to access a system or service access will be denied until the registration has been completed and a sign-in method has been added to their account.
- The use of a personal cell phone for MFA is not required. It is a user’s choice if they wish to enroll a personal device as a method for MFA.
- When a user attempts to log into an FSU system protected by MFA, the system will “challenge” them by requesting a secret security code or authorization. This challenge will be provided through the secure method selected during registration or as a confirmation request in the MFA application. If the correct response is entered, login to the system will be allowed. Failed attempts will be handled according to FSU’s Information Technology Services policies and procedures.
- Suspicious activity or a compromised account must be reported to Information Technology Services as soon as it is detected.
|
| Director of Network Services and Systems Administration |
- Ensure Information Technology Services (ITS) network and systems administration staff grant, manage, deploy, and support MFA and technology in a manner consistent with this policy.
- Notify, and consult with, the Information Security Officer on any suspected significant instances or patterns of non-compliance.
- Notify, and consult with, the Information Security Officer of any network infrastructure or process changes that necessitate an update of this policy.
|
| Information Security Officer |
- Administers the documentation of this policy and provides recommended updates and changes as necessary.
- Raise awareness in the user community of this policy through various training, educational, and awareness activities.
- Ensure compliance with this policy and all related policies, programs, operational plans, and procedures based on an annual review.
- Document any patterns, or significant instances, of non-compliance and report them to the Chief Information Officer.
- Determines which protected information systems and communications networks are required to use MFA in order to gain access consistent with compliance obligations of the University, in accordance with generally accepted best practices, and in consultation with the leadership team within Information Technology Services and the cross-functional administrative and student information management team.
- Approves exceptions to this policy, in consultation with others as necessary, if needed.
|
| Associate Vice President and Chief Information Officer |
- Provides approval and oversight for the provisions set forth in this policy including any updates.
|
4. RELATED UNIVERSITY PROGRAMS, POLICIES, OPERATIONAL PLANS AND PROCEDURES
| Documentation Name |
Documentation Steward |
| Online Identity Management Policy |
Information Security Officer |
5. APPLICABLE LAWS, REGULATIONS, AND CONTRACTUAL OBLIGATIONS
| Statutory, Regulatorry, Contractual, Executive Order |
Authority |
| |
|
6. ENFORCEMENT OF POLICY VIOLATIONS
Failure to comply with this policy, intentionally or unintentionally, may result in one or more of the following:
• Termination, without notice, of access privileges to information and technology resources.
• Disciplinary action, up to and including termination of employment.
• Civil or criminal penalties as provided by law.
7. REVIEW AND REVISION HISTORY
Information security policies must be reviewed annually by the Information Security Officer. If a policy has been revised, then it must have all necessary approvals before being published. In the last column, indicate whether the activity was a review or a revision; if a revision, summarize the changes.
| Date |
Name and Title |
Summary of Review and Revision |
| 2022-11-21 |
Roy Galang, Information Security Officer |
1st Draft |
| 2022-02-16 |
Patrick Laughran, Chief Information Officer |
2nd Draft |
| 2022-02-17 |
Patrick Laughran, Chief Information Officer |
Approved following a joint review amount the ITS Leadership Team as part of the monthly information security management meeting. |