Identity and Access Standard Operating Procedures

For the original PDF version of this document, see:

--How do I upload PDF? Kelly 22:17, 2 January 2011 (UTC)

Introduction
The Early Detection Research Network (EDRN) runs public websites that comprise a portal, a knowledge environment, and members-only access to biomarkers, funding opportunities, news, protocols, publications, and other information of interest to EDRN members, prospective members, and the general public.

This document captures the standard operating procedures for identification, authentication, and managing access to the EDRN site and its related applications, codifying a policy consistent with the National Cancer Institute’s and the National Institutes of Health’s policies for identity and access management.

Purpose
The purpose of this document is to establish the password policy and standards for the administration of accounts that facilitate access or changes to EDRN’s information systems and data. An EDRN account, at a minimum, consists of an EDRN username and password. Supplying account information to approved end users will grant specific role based access to some set of services and resources within EDRN. This document establishes guidelines for issuing accounts, creating password values, and managing accounts throughout the account life cycle.

Scope
This guide is applicable to those responsible for the management of EDRN user accounts, including all user accounts provided by the EDRN Data Management and Coordinating Center as well as the Informatics Center.

Password Policy and Procedures
This section details the policy, requirements, and procedures to follow with regard to EDRN passwords.

User Passwords
The EDRN policy for passwords meets NCI’s requirements on strength and complexity, but exceeds NIH’s by requiring four classes of characters. That is, users must choose passwords that consist of eight or more Unicode characters drawn from all four of the following character classes:

 * Uppercase letters, Unicode class Lu (A B C)
 * Lowercase letters, Unicode class Ll (a b c)
 * Numerals, Unicode class Nd (3 4 5)
 * Special characters, Unicode classes Pe Pf Pi Po Ps Sc Sm So (# % &)
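The complexity rule above is stated in terms of Unicode general categories rather than ASCII ranges, so a validator should classify characters with a Unicode database rather than with regular expressions over `[A-Z]`. The following validator is an added example, not code from EDRN or the Informatics Center; it checks exactly the four classes listed and nothing else, which means a dash (class Pd) or an underscore (class Pc) does not count as a "special character" under this policy. It also assumes that "eight or more Unicode characters" means eight code points after NFC normalisation, so that a letter typed as base character plus combining accent is counted once; that normalisation step is an interpretation, not something the policy states.

```python
import unicodedata

# Required classes, expressed as the Unicode general categories the policy names.
REQUIRED_CLASSES = (
    ("uppercase", {"Lu"}),
    ("lowercase", {"Ll"}),
    ("numeral", {"Nd"}),
    ("special", {"Pe", "Pf", "Pi", "Po", "Ps", "Sc", "Sm", "So"}),
)
MIN_LENGTH = 8  # "eight or more Unicode characters"


def _canonical(password: str) -> str:
    # Assumption: count code points after NFC normalisation so that
    # "e" + U+0301 (combining acute) is one character, the same as "\u00e9".
    return unicodedata.normalize("NFC", password)


def missing_classes(password: str) -> list[str]:
    """Return the names of the required classes absent from the password.

    An empty list means every class is present (length is checked separately).
    """
    categories = {unicodedata.category(ch) for ch in _canonical(password)}
    return [name for name, cats in REQUIRED_CLASSES if not categories & cats]


def is_compliant(password: str) -> bool:
    """True when the password satisfies both the length and the four-class rule."""
    return len(_canonical(password)) >= MIN_LENGTH and not missing_classes(password)


if __name__ == "__main__":
    # Constructed sample passwords; none are real credentials.
    for candidate in ("Tr0ub4dor&3", "password", "Passw0rd_", "P4$s"):
        print(repr(candidate), "compliant" if is_compliant(candidate)
              else "missing: " + ", ".join(missing_classes(candidate)) or "too short")
```

Because the categories come from `unicodedata`, a currency sign such as € (Sc) or a non-Latin digit such as ٣ (Nd) satisfies the rule exactly as the policy is written, while characters from categories the policy does not list (Pd, Pc, Zs, combining marks) never contribute.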

Changing and Resetting Passwords
The EDRN policy for password lifetime matches that of NCI, to wit:
 * Users must change passwords every 90 days
 * New passwords must continue to comply with the above requirements on length and complexity.
 * System-assigned passwords must be changed at first log on.
 * Minimum password lifetime is one day.

Unsuccessful Login Attempts and Lockouts
The EDRN policy for invalid logins matches that of the NCI policy. Specifically, a user may attempt to log in no more than 6 times with an incorrect password in a 15-minute period. At such time, the account must be locked for at least 60 minutes or until manually reset by an authorized administrator or by using a self-registration/reset utility.
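The lockout rule is a sliding 15-minute window over failed attempts, not a fixed counter, so failures older than the window must stop counting while recent ones still do. The tracker below is an added example written to implement that rule; it is not EDRN's code. It takes the clock as an explicit argument so the window and lockout arithmetic can be exercised without waiting, and it reads "no more than 6 times" as locking on the sixth failure inside the window, which is the stricter of the two possible readings and is an assumption. The administrator reset corresponds to the manual reset the policy allows.

```python
from collections import deque
from datetime import datetime, timedelta

MAX_FAILURES = 6                  # failures allowed inside one window
WINDOW = timedelta(minutes=15)    # sliding window over failed attempts
LOCKOUT = timedelta(minutes=60)   # minimum lock duration after the limit is hit


class LockoutTracker:
    """Per-principal failed-login accounting implementing the 6-in-15 / lock-60 rule."""

    def __init__(self) -> None:
        self._failures: dict[str, deque[datetime]] = {}
        self._locked_until: dict[str, datetime] = {}

    def is_locked(self, principal: str, now: datetime) -> bool:
        until = self._locked_until.get(principal)
        return until is not None and now < until

    def record_failure(self, principal: str, now: datetime) -> bool:
        """Record an incorrect-password attempt; return True if the account is (now) locked."""
        if self.is_locked(principal, now):
            return True
        recent = self._failures.setdefault(principal, deque())
        recent.append(now)
        # Drop failures that have aged out of the 15-minute window.
        while recent and now - recent[0] > WINDOW:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:   # assumption: the sixth failure triggers the lock
            self._locked_until[principal] = now + LOCKOUT
            recent.clear()
            return True
        return False

    def record_success(self, principal: str, now: datetime) -> bool:
        """A correct password must still be refused while locked; otherwise clear history."""
        if self.is_locked(principal, now):
            return False
        self._failures.pop(principal, None)
        self._locked_until.pop(principal, None)
        return True

    def admin_reset(self, principal: str) -> None:
        """Manual reset by an authorized administrator (or the self-service utility)."""
        self._failures.pop(principal, None)
        self._locked_until.pop(principal, None)


if __name__ == "__main__":
    # Constructed timeline: six bad passwords within five minutes locks the account.
    tracker = LockoutTracker()
    t0 = datetime(2011, 1, 2, 22, 0)
    for minute in range(6):
        locked = tracker.record_failure("alice", t0 + timedelta(minutes=minute))
        print(f"failure {minute + 1}: locked={locked}")
    print("still locked after 30 min:", tracker.is_locked("alice", t0 + timedelta(minutes=30)))
    print("locked after 65 min:", tracker.is_locked("alice", t0 + timedelta(minutes=65)))
```

Two details matter when auditing an implementation against this policy: a correct password submitted during the lock period must not unlock the account (the `record_success` check), and failures must be pruned by age before counting, or a user who mistyped once in the morning is still one step closer to lockout in the afternoon.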

Forgotten or Compromised Passwords
Compromised passwords must be reported to the EDRN Informatics Center at edrn-ic@jpl.nasa.gov. Forgotten passwords may be reset by the Informatics Center or by using a self-service user profile utility. Password reset links may be sent to the email address on file for the user. In no case shall passwords be sent via email; only links to web utilities that allow for resets.

Sharing Accounts
Sharing of accounts is prohibited in all cases. This policy matches NCI’s and NIH’s. Exceptions may be made for autonomous devices and services (network appliances, application servers, databases) that provide a single administrative username+password. Such exceptions must be documented in the EDRN Informatics Center’s encrypted keychain.

Inactivity Timers and Idle Sessions
EDRN’s policy on idle sessions does not match that of NCI, as the EDRN applications are web based. Users do not log into their workstations or consoles with EDRN credentials. Rather, users log into EDRN web-based applications and establish sessions with them. For the convenience of EDRN members, web-based application sessions are tracked with a four-hour session cookie. The session’s expiration is renewed for non-idle users.
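A session whose expiration is "renewed for non-idle users" is a sliding expiry: each authenticated request moves the deadline to four hours from that request, and only four hours of continuous idleness ends the session. The store below is an added example of that behaviour and is not the EDRN applications' code. The cookie attributes it emits beyond `Max-Age` (`HttpOnly`, `Secure`, `SameSite`) are standard hardening assumed here, not attributes the policy specifies, and the clock is passed explicitly so the expiry can be checked deterministically.

```python
import secrets
from datetime import datetime, timedelta

SESSION_LIFETIME = timedelta(hours=4)   # policy: four-hour session cookie
COOKIE_NAME = "edrn_session"            # assumed name, not from the policy


class SessionStore:
    """Server-side session table with sliding (activity-renewed) expiration."""

    def __init__(self) -> None:
        self._sessions: dict[str, tuple[str, datetime]] = {}  # token -> (principal, expires)

    def create(self, principal: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)   # unguessable opaque identifier
        self._sessions[token] = (principal, now + SESSION_LIFETIME)
        return token

    def touch(self, token: str, now: datetime):
        """Validate a presented cookie on a request. Returns the principal, or None.

        A valid request is non-idle activity, so the expiry is pushed forward;
        an expired or unknown token is discarded.
        """
        entry = self._sessions.get(token)
        if entry is None:
            return None
        principal, expires = entry
        if now >= expires:
            del self._sessions[token]
            return None
        self._sessions[token] = (principal, now + SESSION_LIFETIME)
        return principal

    def expires_at(self, token: str):
        entry = self._sessions.get(token)
        return entry[1] if entry else None


def set_cookie_header(token: str) -> str:
    """Set-Cookie value matching the four-hour lifetime (attributes beyond Max-Age are assumed)."""
    max_age = int(SESSION_LIFETIME.total_seconds())
    return f"{COOKIE_NAME}={token}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    t0 = datetime(2011, 1, 2, 22, 0)
    tok = store.create("alice", t0)
    print(set_cookie_header(tok))
    print("active at +3h:", store.touch(tok, t0 + timedelta(hours=3)))
    print("still valid at +6h (renewed):", store.touch(tok, t0 + timedelta(hours=6)))
    print("idle until +11h:", store.touch(tok, t0 + timedelta(hours=11)))
```

Note that the browser-side `Max-Age` must be re-sent on each renewal for the cookie's lifetime to slide along with the server-side record; otherwise the browser drops the cookie four hours after login even though the server would still accept it.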

Caching Passwords
EDRN’s policy on caching of passwords is identical to NCI’s policy: password caching (also known as automatic saving or password remembering) is forbidden in all cases.

Separation of Duties and Principle of Least Privilege
Users’ access to the EDRN site shall be assigned and restricted based on role or function within the system. Further, it shall be limited to the minimum level of access necessary to perform assigned duties within the system. Security-related user roles shall be divided among various tasks (system administration, configuration management, biomarker review, etc.) through the use of role-based access control. Users shall be assigned to groups, and groups shall be assigned the roles that carry the permissions and privileges needed to carry out their tasks.

Account Lifecycle Policy and Procedures
This section details the period in which an account may be active and the procedures for assigning, identifying, and retiring accounts.

Device Identification and Authentication
Control may not be inherited from a parent application (or GSS subsystem) outside of the purview of EDRN.

Identifier Management
Identifiers within EDRN are assigned by two entities: the EDRN Data Management and Coordinating Center (DMCC) and the EDRN Informatics Center. The DMCC assigns principals (usernames) to EDRN member investigators and staff based on application to the EDRN “Secure Site”.

The EDRN Informatics Center assigns principals (usernames) to administrative staff for the EDRN site and other applications. In either case, identifier principals are then emailed to members along with instructions on logging in and setting an initial password. Identifiers may or may not resemble applicants’ names, at the discretion of the individual handling the application. Identifiers are unique per user. A single user may not have more than one principal, nor may a principal be assigned to a group of users for convenience.

A user who leaves EDRN does not relinquish the assigned identifier for a period of one year. A user who returns to EDRN may re-assume the previous identifier within that year, or may be assigned a new identifier if the previous one has been reassigned.

A user who does not authenticate with an assigned identifier for over 60 days is automatically disabled. The user must contact the Informatics Center in order to have the account re-enabled.

Authenticator Management
Before an account may be created, the DMCC or the Informatics Center verifies the identity of the individual making application for the EDRN account, including the user’s institutional email address. A system-generated message is sent to that address that contains a custom link prompting the user to select an initial password. The initial (and all subsequent) passwords have a maximum lifetime of 60 days.

Users may (and are encouraged to) change passwords more frequently.

Account Management
There is a single account type within EDRN: an individual account. Individual accounts are assigned to individual users. (For implementation purposes, an “anonymous” account or other case of an anonymous user class may be created to satisfy specific implementation needs. No logins are permitted as “anonymous”.)

Groups are established by the Informatics Center to reflect real-world organizations and the roles they require. Individuals may belong to zero or more groups. Groups are assigned roles which comprise permissions to create, update, view, or delete privileged information within specific subsets of the EDRN site and related applications.

Members of the EDRN Super User group may create accounts and groups, as well as assign users to groups and edit, update, and delete accounts and groups. Such members are also responsible for monitoring the security of accounts and preemptively disabling or deleting compromised accounts if system controls fail to automatically do so. Members are also required to review audit logs and disable inactive (60 day) and former (one year) member accounts, as well as delete accounts of former members older than one year.

System Use Notification (Warning Banners)
The EDRN site and related applications provide login screens requesting the username and password of the EDRN principal member. Such screens must display the following approved banner:

★★★ WARNING ★★★ You are accessing a U.S. Government web site which may contain information that must be protected under the U. S. Privacy Act or other sensitive information and is intended for Government authorized use only. Unauthorized attempts to upload information, change information, or use of this web site may result in disciplinary action, civil, and/or criminal penalties. Unauthorized users of this web site should have no expectation of privacy regarding any communications or data processed by this web site. Anyone accessing this web site expressly consents to monitoring of their actions and all communication or data transiting or stored on or related to this web site and is advised that if such monitoring reveals possible evidence of criminal activity, NIH may provide that evidence to law enforcement officials.

Permitted Actions without Identification and Authentication
Non-authenticated, public users are permitted anonymous access to a select subset of information presented by the EDRN. Such information includes but is not limited to:
 * The EDRN home page
 * News, press releases, events, and other announcements
 * Information about EDRN’s composition, programs, funding opportunities, sites, and member information that’s already publicly available elsewhere
 * De-identified specimens
 * Reviewed and publicly released biomarkers and science datasets
 * Information specifically for cancer sufferers, their advocates, and the health-conscious public
 * Members’ released publications that are already publicly available elsewhere
 * EDRN annual reports, reference sets, standard operating procedures
 * Standard site administrative information (accessibility statement, Section 508 information, file-specific formats, Freedom of Information Act, and so forth)

Publicly Accessible Content
Under no circumstances shall unauthorized users be permitted to post any content, information, comments, imagery, files, or any data to the EDRN site and related applications. Further, this requires disabling of “social features” such as link exchange, “trackbacks”, comment boxes, “guestbooks”, and so forth. Any content posted from compromised authorized accounts must be promptly removed.

Related Policies
For further information, please see the following related policy documents:
 * The NIH password policy, http://goo.gl/oZFPL
 * The NIH account lifecycle policy, http://goo.gl/GquP6
 * The NIH warning banner policy, http://goo.gl/bP5Hs