IA.L1-B.1.V
Identification

FCI Data

Security Requirement

Identify information system users, processes acting on behalf of users, or devices.

USU Policy, Procedures, and Standards

University Policy 5200: Information Security and Appropriate Use

States that access is tied to a user’s role and managed via credentials. IT staff (central or department) are responsible for enforcing role-based access and device security controls.

NIST Cybersecurity Framework v2

  • Protect (PR): PR.AA-01 - Identities of authorized users, processes, and devices are created and managed.
  • Protect (PR): PR.AA-02 - Identities are proofed and bound to credentials.

Implementation Details

Documentation should include details to meet the Security Requirement for this control. Complete this list for each system that processes or accesses FCI data:

  • List your process for assigning unique user identifiers to individuals who require system access.
  • List how service accounts or processes acting on behalf of users are identified and differentiated.
  • List your method for identifying and approving devices that may connect to FCI systems.
  • List any additional procedures in place to track user, device, or service account identities.

Document How

  • system users are identified
  • processes acting on behalf of users are identified
  • users are uniquely identified before being granted system access

Example


Each USU employee is issued a unique A# that serves as their NetID. This identifier is used across all institutional systems for authentication and role assignment. Entra ID (Azure AD) and Active Directory are used to enforce identity policies. MFA is required for access to all SSO-enabled services. Devices accessing FCI must be USU-managed and registered in device compliance systems. Service accounts are clearly labeled and reviewed quarterly.


Entra ID (Azure AD) & Active Directory

What it does:
  • Provides centralized identity and access management for users and devices.
How it helps a researcher:
  • Research staff are assigned unique A#-based user accounts managed through Entra ID and USU Active Directory. Access to research systems, files, and software can be granted only to specific users or groups using security groups, preventing anonymous access.
Example:
  • Access to project files can be restricted to only those accounts that are members of the USU-FCI-ProjectAlpha group.

Microsoft Authenticator (MFA)

What it does:
  • Provides multi-factor authentication integrated with Entra ID, requiring a second verification factor during login.
How it helps a researcher:
  • Protects digital identities and research data by reducing the risk of credential theft and unauthorized access, especially for off-campus access to services like Box, Office 365, or VPN.
Example:
  • A researcher signing in to Box.com or VPN is prompted to approve the sign-in via a push notification from the Microsoft Authenticator app, preventing access even if the password is compromised.

USU Group Management

What it does:
  • Allows creation and maintenance of security groups used to manage access to systems and data.
How it helps a researcher:
  • Enables IT or project managers to create project-specific groups and automate access to shared drives, Box folders, VPN routes, or software tools based on group membership.
Example:
  • A PI creates a group named USU-FCI-DOE-2024, adds team members, and uses it to control access to a secure file share and email distribution list.

Web SSO

What it does:
  • Allows users to authenticate once using their USU A# credentials and access multiple connected services without re-authenticating.
How it helps a researcher:
  • Provides secure, streamlined access to research tools while enforcing consistent authentication controls and reducing password fatigue.
Example:
  • A researcher logs into Outlook with their A# and password, approves the MFA prompt, and gains access to OneDrive, Teams, and Box without re-entering credentials.

Endpoint Management Tools (e.g., Intune, Jamf)

What it does:
  • Allows USU IT to remotely configure, secure, and manage university-owned endpoints, enforce security policies, deploy updates, and maintain compliance.
How it helps a researcher:
  • Ensures research devices are secured and compliant, automating tasks like patching, antivirus enforcement, and encryption across Windows and macOS systems.
Example:
  • A macOS laptop in a research lab is managed through Jamf, receiving updates, enforcing FileVault encryption, and restricting unapproved software. Non-compliant devices are flagged and restricted from accessing sensitive systems.

Institutional VPN Solution

What it does:
  • Provides encrypted remote access to USU’s internal network and restricts access to university-managed devices.
How it helps a researcher:
  • Ensures only approved USU accounts and compliant devices can access internal systems containing FCI, with encrypted data-in-transit for off-campus users.
Example:
  • A researcher connects via VPN using a USU-issued laptop. The system verifies endpoint protection and updates before granting access to the lab network.

The USU services listed above could be leveraged to meet control requirements*.

*This list of services may not be complete or applicable for a given configuration. The use of a given service does not necessarily satisfy control requirements, or may require specific configuration to meet them. Documentation should include how the service is implemented to meet the control requirements.

How might an auditor assess this control?

Method

  • Examine:
    • Review account provisioning policies, system configuration, user lists, and device registration records.
  • Interview:
    • Ask administrators how they manage unique user identifiers, service accounts, and approved devices.
  • Test:
    • Attempt to access a system using an unregistered or shared account or an unauthorized device.

Objects (examples of items you could present to the auditor)

  • User Provisioning Policy: Describes how new user accounts are created and assigned.
  • User Account Listings: Exports from Entra ID or Active Directory showing account details.
  • Service Account Documentation: Listing of non-user accounts and their purpose.
  • Device Inventory: List of approved and managed devices connected to FCI systems.
  • Authentication Configuration: Screenshots or settings showing required identity validation.
  • MFA Logs: Sign-in logs showing identity enforcement at the time of login.