Sample Authentication Policy
Incorporating Proper Safeguards:

Discussion Draft Only - 3/28/97

For the purposes of this document, the term "authentication system" means any combination of software, databases, hardware, administrative procedures, and audit procedures which are used to establish and verify the identity of individuals for the purpose of transmitting any personal or confidential information over electronic communications media, including, but not limited to, both digital networks and analog telephony.

Subject to the restrictions and guidelines contained in this document, it is the policy of [Component Institution] to allow offices and departments to conduct official business, including transactions involving confidential and personalized information, with University constituents based on processes which establish the identity of the constituents by means of approved authentication systems and which require neither face-to-face nor written verification.

Effective [September 1, 1998], all authentication systems in use at [Component Institution] for the purposes of official business must have been reviewed and approved by the [Computer Security Committee] and the [Office of Internal Audits]. In conducting such reviews, the following criteria should be applied.

Separation of Duties

The administration, monitoring, and assessment of any authentication system must be the responsibility of an office or offices other than those which designed, developed, and support the software and hardware necessary for the technical functioning of the system.

Guidelines for Verification Standards

The [Computer Security Committee] should establish written and specific guidelines which define the standards by which electronic authentication systems must verify the actual identity of individuals at the time those identities are assigned or changed, and relate those standards to the categories of business which may be conducted using that authentication system. Approved authentication systems must meet these standards and incorporate measures to ensure they are used in compliance with these standards.

Bias toward Standards-based Systems

In reviewing existing authentication systems and in approving proposed new authentication systems, the [Computer Security Committee] should apply greater scrutiny to systems which are not based on generally accepted technical standards and protocols as recognized by the applicable standards committees and by the information technology industry generally. Non-standard authentication systems may receive approval, but they should be held to a greater level of scrutiny in the review process.

Avoidance of Redundant Systems

It is the policy of [Component Institution] to limit the number of different approved authentication systems to the minimum technologically feasible while still meeting the business needs of the institution. The review and approval process should encourage 1) the development of scalable, multi-use/multi-purpose authentication systems and 2) the consolidation of existing authentication services into a progressively smaller set of systems.


University of Texas System | Office of General Counsel
Comments to intellectualproperty@utsystem.edu
Last updated: August 1, 2001