Cal State Fullerton Account and Password Guidelines



Purpose

The purpose of this guideline is to establish a standard for account use and the creation of strong passwords which adheres to CSU policy and conforms to NIST Level of Assurance 2 requirements.

User Account Usage, Deletion, Suspension or Termination

Accounts assigned to employees are subject to deletion immediately upon termination of employment unless prior arrangements have been made and approved by the former employee's supervisor. Accounts assigned to students are subject to deletion one hundred eighty days after graduation or withdrawal from the University unless specific arrangements have been made and approved by the Office of Student Affairs.

Assigned accounts may be suspended (i.e., inaccessible to the user) immediately and temporarily under three circumstances:

- Upon recommendation of the appropriate judicial body in writing or email sent to the Vice President of Information Technology or Information Security Officer;
- When Information Technology staff responsible for systems management have credible evidence that continued use of an account constitutes a threat to the integrity, security, or functionality of computing systems, or to protect the University from liability. Every reasonable effort will be made to notify the Vice President of Information Technology as soon as possible of any such suspension;
- When the account is inactive for 180 (one hundred and eighty) days or more.

Assigned accounts may be terminated immediately and permanently upon the recommendation of the appropriate judicial body in writing or email sent to the Vice President of Information Technology. An individual whose assigned account has been permanently terminated may not seek to have a new account assigned to them without approval of the appropriate judicial body.

Use of shared accounts is not allowed. However, in some situations, a provision to support the functionality of a process, system, device (such as servers, switches or routers) or application may be made (e.g., management of file shares). Such exceptions will require documentation which justifies the need for a shared account; a copy of the documentation will be shared with the Information Security Office. Each shared account must have a designated owner who is responsible for the management of access to that account. The owner is also responsible for the above-mentioned documentation, which should include a list of individuals who have access to the shared account. The documentation must be available upon request for an audit or a security assessment.

Password Creation, Maintenance and Configuration

Based on security best practices and audit requirements, the campus password expiration in the administrative domains will be based on forced password changes occurring every year in February, May and September respectively. Additionally, the default domain password policy will be set to enforce password changes every 180 days to assure all passwords meet this expiration requirement.

All system-level (non-service account) passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis. Service accounts set to never expire must be approved by the Information Security Officer.

- Changed passwords are remembered 24 times and cannot be re-used.
- Minimum password length is 12 characters.
- Maximum password length is 20 characters.
- Passwords must meet complexity requirements. A password must contain at least 3 of the following 4 character types:
  o a lower case letter (a b c d ...)
  o an upper case letter (A B C D ...)
  o a number (0 1 2 3 4 5 6 7 8 9)
  o a special character (= + * $ ? ! , . @)
- Account lockout duration is 60 minutes.
- Account lockout threshold is 20 invalid login attempts.

Passwords must not be inserted into email messages or other forms of electronic communication, with the exception of initial One Time Passwords (OTP). All user-level and system-level passwords must conform to the guidelines described below.

General Password Construction Guidelines

Examples of good passwords that can be remembered:
- A pet's name = Skippy!3Z
- A favorite toothpaste = C0lg@t3!
- A favorite movie = Br@ve_heart!

It is a good idea to use a different password at the campus than you use at other web sites on the Internet. It is also best if it contains NO dictionary words that can be found in ANY multi-national language.

The following are characteristics of poor, weak passwords:
- The password contains fewer than 12 characters.
- The password is a word found in a dictionary (English or non-English).
- The password is a common usage word such as:
  o Names of family, pets, friends, co-workers, fantasy characters, etc.
  o Computer terms and names, commands, sites, companies, hardware, software.
  o The words "<Company Name>", "sanjose", "sanfran" or any derivation.
  o Birthdays and other personal information such as addresses and phone numbers.
  o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  o Any of the above spelled backwards.
  o Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

Strong passwords have the following characteristics:
- Is not a word in any language, slang, dialect, jargon, etc.
- Is not based on personal information, names of family, etc.

Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. NOTE: Do not use either of these examples as passwords!
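The configuration values in "Password Creation, Maintenance and Configuration" and the weak-password characteristics above can be turned into an automated check that an account-provisioning script or self-service reset page runs before accepting a new password. The following Python is an added example written for this page, not code from Cal State Fullerton; the word list, the keyboard sequences and the sample passwords are constructed for illustration, and the checker treats any non-alphanumeric character as "special", which is broader than the characters the guideline lists.

```python
import re
import string

# Policy parameters taken from the guideline text
MIN_LENGTH = 12
MAX_LENGTH = 20
REQUIRED_CLASSES = 3          # at least 3 of the 4 character types

# Constructed stand-in for a dictionary / common-word list. Assumption: a real
# deployment loads a large multi-language word list plus local names instead.
WORD_LIST = {"password", "secret", "welcome", "fullerton", "skippy",
             "sanjose", "sanfran", "qwerty", "letmein"}

# Ordered sequences used to spot patterns such as qwerty, 123321, zyxwvuts
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
             string.ascii_lowercase, string.digits]


def character_classes(password):
    """Return the set of character types present: lower, upper, digit, special."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")   # any other printable character
    return classes


def has_sequence(password, run=3):
    """True if `run` consecutive characters walk a keyboard row, the alphabet
    or the digits, forward or backward (catches qwerty, 123321, zyxwvuts)."""
    low = password.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        for seq in SEQUENCES:
            if chunk in seq or chunk in seq[::-1]:
                return True
    return False


def has_repeated_run(password, run=3):
    """True if any character repeats `run` or more times in a row (aaabbb)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def is_dictionary_based(password):
    """True if the whole password is a list word, possibly reversed or with
    digits added to the front or back (secret1, 1secret, terces)."""
    low = password.lower()
    stripped = low.strip(string.digits)
    candidates = {low, low[::-1], stripped, stripped[::-1]}
    return any(c in WORD_LIST for c in candidates)


def check_password(password):
    """Return the list of guideline violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(password) > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    if len(character_classes(password)) < REQUIRED_CLASSES:
        problems.append("fewer than %d of the 4 character types" % REQUIRED_CLASSES)
    if is_dictionary_based(password):
        problems.append("dictionary word (possibly reversed or with a digit added)")
    if has_repeated_run(password):
        problems.append("repeated character run such as aaabbb")
    if has_sequence(password):
        problems.append("keyboard or counting sequence such as qwerty or 123321")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs
    for pw in ["Br@ve_heart!", "qwerty123456", "Skippy!3Z", "aaabbbCCC!!!"]:
        print(pw, "->", check_password(pw) or "acceptable")
```

The checker reports every rule a candidate breaks rather than stopping at the first, which is what a user-facing reset page needs; the sequence and dictionary tests are deliberately strict, so a real deployment would tune the run length and the word list to its own false-positive tolerance.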
Password Protection Standards

Do not use the same password for Cal State Fullerton accounts as for other non-Cal State Fullerton access (e.g., personal Facebook, Twitter, Instagram accounts, option trading, benefits, etc.).

Where possible, don't use the same password for various Cal State Fullerton access needs. For example, select one password for the p-card system and a separate password for the Office Max system. Use a separate password for Windows, Apple or UNIX accounts. Do not share Cal State Fullerton passwords with anyone, including administrative assistants or secretaries. All accounts and account passwords are considered by the California State University as Level 1 protected data.

Here is a list of "don'ts":
- Don't reveal a password over the phone to ANYONE
- Don't reveal a password in an email message
- Don't reveal a password to your supervisor
- Don't talk about a password in front of others
- Don't hint at the format of a password (e.g., "my family name")
- Don't reveal a password on questionnaires or security forms
- Don't share a password with family members
- Don't reveal a password to co-workers while on vacation

If someone demands a password, refer them to this document or have them call someone in the Information Security Office. Do not use the "Remember Password" feature of applications (e.g., Eudora, Outlook, Netscape Messenger). Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including mobile or similar devices) without encryption. Change passwords at least once every 3 months. If an account or password is suspected to have been compromised, report the incident to the Information Security Office and change all passwords.

Application Development Standards

Application developers must ensure their programs contain the following security precautions. Applications:
- Should support authentication of individual users, not groups.
- Should not store passwords in clear text or in any easily reversible form.
- Should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
- Should support LDAP or Windows Authentication security retrieval wherever possible.
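The second development standard, no clear-text or easily reversible password storage, is the one most often misread as "encode it somehow". The Python below is an added example for this page, not Cal State Fullerton code: it places the forbidden form (a Base64 encoding that anyone holding the record can undo) beside a salted, iterated PBKDF2-HMAC-SHA256 record that an application can verify without ever being able to recover the password. The iteration count and record format are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

# Assumption: work factor chosen for this example; tune to your own hardware.
ITERATIONS = 600_000
SALT_BYTES = 16


def store_reversible(password):
    """What the standard forbids: an encoding, not a hash. It is trivially undone."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_reversible(stored):
    """Anyone who can read the stored record gets the password back."""
    return base64.b64decode(stored).decode("utf-8")


def store_hashed(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 record: algorithm$iterations$salt$digest.
    A fresh random salt per user means identical passwords give different records."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_hashed(password, record):
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time; the record itself never reveals the password."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample credential
    pw = "Br@ve_heart!"
    print("reversible:", recover_reversible(store_reversible(pw)))   # the password itself
    record = store_hashed(pw)
    print("record:", record)
    print("verify correct:", verify_hashed(pw, record))             # True
    print("verify wrong:", verify_hashed("Br@ve_heart?", record))   # False
```

Storing the iteration count inside the record lets the application raise the work factor later and re-hash users on their next successful login, and `hmac.compare_digest` avoids leaking how many digest bytes matched through timing.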

NIST 800-63 Token Requirements

This worksheet will compute the assurance level of a memorized secret token for the given password parameters.

Password parameters meet requirements of Assurance Level: 2

Parameter                                                        Value    Bits of Entropy
Password Minimum Length                                          12       24
Dictionary Check                                                 FALSE    0
Password Composition Rules                                       TRUE     6
Password Total Bits of Entropy                                            30
Password Lifetime (in days)                                      120
Number of failed authentication attempts before locking account  20
Duration of account lock (in minutes)                            60
Number of Authentication Attempts Available                      57600

Maximum allowed probability of successful in-band password guessing attack

                                             Level 1        Level 2
1 in X                                       1024           16384
Exponent (probability = 2^X)                 -10            -14
Decimal                                      0.000976563    6.10352E-05
Number of Authentication Attempts Allowed    1048576        65536
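The worksheet's numbers follow from the NIST SP 800-63 Appendix A entropy estimate and the lockout arithmetic, so they can be recomputed for any proposed parameter change. The Python below is an added example for this page, not the worksheet's own spreadsheet or NIST code; it reproduces every figure in the table from the guideline's parameters and, as a generalisation, reports the assurance level for other lifetimes and lockout settings. The dictionary-check bonus is left as a caller-supplied value (0 here, matching the worksheet's FALSE) because its exact taper by length must be read from Table A.1.

```python
# Maximum probability of a successful in-band guessing attack per level, from
# the worksheet: 1 in 1024 (2^-10) for Level 1, 1 in 16384 (2^-14) for Level 2.
LEVEL_MAX_PROBABILITY = {1: 2 ** -10, 2: 2 ** -14}


def base_entropy_bits(length):
    """NIST SP 800-63 Appendix A (Table A.1) estimate for a user-chosen password
    over the 94 printable characters: 4 bits for the first character, 2 bits
    each for characters 2 through 8, 1.5 bits each for characters 9 through 20,
    and 1 bit for each character beyond 20."""
    if length < 1:
        return 0.0
    bits = 4.0
    bits += 2.0 * (min(length, 8) - 1)
    bits += 1.5 * max(0, min(length, 20) - 8)
    bits += 1.0 * max(0, length - 20)
    return bits


def total_entropy_bits(min_length, composition_rules, dictionary_bonus=0.0):
    """Add the worksheet's bonuses: 6 bits when composition rules are enforced.
    NIST also allows up to 6 bits for an extensive dictionary check, tapering to
    0 at 20 characters; the worksheet has the check off, so the bonus is 0."""
    bits = base_entropy_bits(min_length)
    if composition_rules:
        bits += 6.0
    return bits + dictionary_bonus


def attempts_available(lifetime_days, lockout_threshold, lockout_minutes):
    """Online guesses possible over the password's lifetime when each lockout
    window permits `lockout_threshold` failed attempts."""
    windows = lifetime_days * 24 * 60 / lockout_minutes
    return int(windows * lockout_threshold)


def attempts_allowed(entropy_bits, level):
    """Guesses permitted so the success probability stays at or below the cap."""
    return int(2 ** entropy_bits * LEVEL_MAX_PROBABILITY[level])


def assurance_level(min_length, composition_rules, lifetime_days,
                    lockout_threshold, lockout_minutes, dictionary_bonus=0.0):
    """Highest level whose attempt budget covers the attempts actually available
    to an attacker (0 if neither level is met)."""
    bits = total_entropy_bits(min_length, composition_rules, dictionary_bonus)
    available = attempts_available(lifetime_days, lockout_threshold, lockout_minutes)
    level = 0
    for candidate in sorted(LEVEL_MAX_PROBABILITY):
        if available <= attempts_allowed(bits, candidate):
            level = candidate
    return level


if __name__ == "__main__":
    # The guideline's own parameters, reproducing the worksheet
    print("entropy bits:", total_entropy_bits(12, True))                          # 30.0
    print("attempts available:", attempts_available(120, 20, 60))                # 57600
    print("allowed at Level 1 / 2:", attempts_allowed(30, 1), attempts_allowed(30, 2))  # 1048576 65536
    print("assurance level:", assurance_level(12, True, 120, 20, 60))            # 2
```

Rerunning `assurance_level` with a longer lifetime or a higher lockout threshold shows how the parameters trade against each other: the attempt budget at a given entropy is fixed, so every extra day or extra permitted failure per hour consumes part of it.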