IA-2 Identification and Authentication (Organizational Users)

Description

Uniquely identify and authenticate organizational users and associate that unique identification with actions performed on the system.

Guidance

Section 3 of this control is not intended to apply to workstation (desktop/laptop) operating system interactive (in-person) logons.

Applicability

  • This Control applies to all Texas A&M information resources. The intended audience for this Control includes all owners and custodians of information resources.

Implementation

  • 1 - Information resources shall be configured to uniquely identify and authenticate all users of university information resources (See Control AC-2, Account Management).

    • 1.1 - Users must be uniquely identified and authenticated before the information resource may grant that user access.
    • 1.2 - Unique identification of individuals in group accounts (e.g. shared privilege accounts) may need to be considered for additional accountability of activity.
  • 2 - Multi-factor authentication should be implemented based on documented risk management decisions for access to privileged or non-privileged accounts where one of the factors is provided by an asset separate from the information being accessed.

  • 3 - Multi-factor authentication is required for any information resource that stores or processes Confidential or Critical data.