
YALE-MSS-9.1: All accounts must be uniquely authenticated

Standards Group:
YALE-MSS-9: Authentication and Authorization


  • Endpoint - Low Risk: Required; Moderate Risk: Required; High Risk: Required
  • Server - Low Risk: Required; Moderate Risk: Required; High Risk: Required
  • Mobile Device - Low Risk: Required; Moderate Risk: Required; High Risk: Required
  • Network Printer - Low Risk: Required; Moderate Risk: Required; High Risk: Required

Details

Authentication verifies the identity of a user, process, or device. Uniquely identifying who accesses a user account or elevates privileges to those of an administrator is critical to audit logging and the incident response capability.

This control applies to the following account types.

  • User accounts - grant individuals non-privileged access to a system (including guest accounts)
  • Administrative accounts - grant individuals privileged access to a system
  • Service accounts - used by a system for automation to run applications or services

For all accounts, if you suspect your password is compromised, contact information.security@yale.edu.

User accounts

Shared user accounts are not permitted.

Users are responsible for maintaining the security of their own IT system accounts and passwords. Keep your passwords private. Do not share them with anyone including, but not limited to, your supervisor, family, co-workers, or IT support provider.

Administrative accounts

Shared administrative accounts are not permitted.

Instead, elevate privileges from a user account when feasible. Elevation of privilege must be logged.

Service accounts

Shared service accounts (i.e., both ID and password) are not permitted across systems or services. Unique service accounts are required.