Multi Factor Authentication (MFA) Policy

Policy

Liberty University utilizes multi-factor authentication for network access to privileged accounts and non-privileged accounts.

 

Standards

Secure all individual non-console administrative access and all remote access to sensitive data using multi-factor authentication for every session.

Incorporate multi-factor authentication for all network access by both regular users and administrators, including third-party access for support or maintenance originating from inside or outside Liberty’s network.

  1. The multi-factor authentication should be device specific and need not be required at every login, but on the first login of any new device, and again every 30 days after initial device multi-factor authentication, or upon suspicious changes to the login session.

  2. Passwords must still be required at every login or after a session timeout.

 

Scope

All University Students, Faculty, Staff.

 

Purpose

The purpose of this policy is to define requirements for accessing Liberty University’s network and information systems whether on or off campus. These standards are designed to minimize the potential security exposure to Liberty University from damages that may result from unauthorized use of the university’s resources. Multi-factor authentication adds a layer of security which helps deter the use of compromised credentials. Cyber criminals and hackers are becoming more clever in their efforts to not only steal information, but also modify data, remove data entirely, or spread malicious code, propaganda and spam. No organization is too big or small for such an attack. Password theft has also been on the rise with the use of methods such as key logging, phishing, and pharming. Requiring an additional layer of authentication will help alleviate the risk of a breach.

 

Definitions

Key logging - Recording a log of keystrokes on a computer in order to gain access to passwords and other confidential information

Multi-factor authentication (MFA) - Requiring two or more authentication methods for a secure login. Authentication factors are typically something you know (knowledge factor), something you have (possession factor) and something you are (inherence factor)

Phishing - Sending emails appearing to be from a reputable company in an effort to acquire personal information under false pretenses

Pharming - Sending internet users to a false website that mimics a legitimate one

National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) - Provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability

 

References

NIST 800-171

3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

3.7.5 Require multi-factor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

 

Signed by: