Password Protection Standard
- Standard Compliance
- Version History
The purpose of this document is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.
This Standard applies to all individuals associated with Albany State University (hereinafter referred to “ASU”), including faculty, staff, student assistants, and contractors. This Standard applies to anyone accessing or utilizing ASU’s network or data. This use may include, but is not limited to, the following: personal computers, laptops, ASU-issued cell phones, and hand-held computing devices (e.g., iPad’s, Xyboards, USB memory keys, etc.), as well as ASU electronic services, systems and servers. This Standard covers departmental resources as well as resources managed centrally.
Passwords are a primary means to control access to systems and should therefore be selected, used, and managed to protect against unauthorized discovery or usage. ASU maintains electronic information resources which are essential to performing University business. Similar to any other capital resources owned by the University, these resources are to be viewed as valuable assets over which the University has both rights and obligations to manage, protect, secure, and control. University employees, students, and other affiliates are expected to utilize these resources for appropriate purposes, protect access to them, and control them appropriately. Examples of information resources include computer systems, network systems, and data.
All user-level and system-level passwords must conform to the University System of Georgia Information Technology (USGITS) Handbook Section 5.12 and the ASU Password Construction Guidelines Standard. Where possible, users must not use the same password for various ASU access needs. User accounts that have system-level privileges granted through group memberships or programs such as sudo must have a unique password from all other accounts held by that user to access system-level privileges. Where Simple Network Management Protocol (SNMP) is used, the community strings must be defined as something other than the standard defaults of public, private, and system and must be different from the passwords used to log in interactively. SNMP community strings must meet password construction guidelines as defined in USG ITS Handbook Section 5.12 and the ASU Password Construction Guidelines Standard
All system-level passwords (for example, root, enable, Active Directory administrators, application administration accounts, and so on) must be changed every ninety (90) days. All user-level passwords (e.g., email, web, desktop computer, etc.) shall be changed every one hundred and eighty (180) days. Password cracking or guessing may be performed on a periodic or random basis by the ASU Information Security Team or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it to be in compliance with the ASU Password Construction Guidelines.
- All passwords should be treated as sensitive, confidential information. Users should not write passwords down and store them anywhere in their office. Nor should they store passwords in a file on ANY computer system (including Personal Computing Devices or similar devices) without encryption.
- Passwords should not be inserted into email messages or other forms of electronic communication.
- Passwords must not be revealed over the phone to anyone.
- Do not reveal a password on questionnaires or security forms.
- Do not hint at the format of a password (for example, “my family name”).
- Users should not share passwords with anyone, including administrative assistants, secretaries, managers, co-workers while on vacation, and family members.
- Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on a computer system or mobile devices (phone, tablet) without encryption.
- Users should not use the “Remember Password” feature of applications (for example, web browsers).
- If an account or password is suspected of being compromised, the incident should be reported to the appropriate access administrator and the user should change the password.
- Users Should Not Employ Any Automatic Log-In Actions
- ASU information system users should refuse all offers by software and/or Internet sites to automatically login the next time that they access those resources.
- Besides the authorized user, passwords should never be shared or revealed to anyone. Temporary or “first use” passwords should be changed the first time that the authorized user accesses the system. Failure to change a temporary or “first use” password leaves the authorized user liable for all actions performed under the assigned account. If users need to share computer resident data, they should use approved network services or any other mechanisms that do not infringe on any ASU or USGITS standards.
Application developers must ensure that their programs contain the following security precautions:
- Applications must support authentication of individual users, not groups.
- Applications must not store passwords in clear text or in any easily reversible form.
- Applications must not transmit passwords in clear text over the network.
- Applications must provide for some sort of role management, such that one user can take over the functions of another without having to know the other’s password.
The Information Security team will verify compliance to this policy through various methods, including but not limited to, periodic walk through, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner. Information Technology Services will, whenever reasonably possible, configure accounts for automatic password expiration and set other options to encourage or remind individuals to change their passwords.
Exceptions must be justified in writing and accepted by the CISO of Albany State University or his/her designee. In the case of an information system managed by a third party, the University CISO can, in concurrence with the information owner, make a determination that the third party’s security controls meet or exceed this standard. This exception must be based on an assessment of the third party’s controls and documented in writing.
Violations of this Standard may be referred to appropriate administrative offices for disciplinary action. Violators may be subject to disciplinary outcomes as outlined in the Student Handbook and/or Employee Handbook. In addition to the other sanctions outlined in the handbooks, improper use of administrative accounts may result in immediate suspension and loss of privileges.
The Chief Information Officer is charged with the responsibility to periodically review the policy and propose changes as needed.
- ASU IT Security Website: https://www.asurams.edu/technology/information-security/
- USGBOR Handbook: http://www.usg.edu/information_technology_handbook/section5
- National Institute for Standards and Technology: http://www.nist.gov
- SANS Institute: http://www.sans.org
- COBIT 5.0: http://www.isaca.org/
|June 2007||1.0||ASU ITS|
|October 9, 2013||1.3||ASU Information Technology Governance Committee|
|June 2015||2.0||Major re-write by Information Security Team|