Credential Management
Date of Current Revision or Creation:泭December 1, 2020
The purpose of an Information Technology Standard is to specify requirements for compliance with 圖朸厙 Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
The purpose of this standard is to define the Credential Management requirements used by 圖朸厙.
Definitions
ITS is the acronym for the official name of Information Technology Services.
Passwords are a secret used to gain access to an account.
Access Tokens serve as an authentication "cookie" that can be shared between browsers, clients, or connections so that each interaction does not require reauthentication.
Standards Statement
Credential use is required on all accounts on systems classified as sensitive, including local, remote access and temporary accounts.
Passwords
Password length and complexity requirements are based on sensitivity and risk. (See MIDAS Standard):
- User accounts must follow "ITS Guideline for User Account Password Complexity" to the extent possible based on technical and operational constraints.
- System and service accounts must follow "ITS Guideline for System and Service Account Password Complexity" to the extent possible based on technical and operational constraints.
Transmission of identification and authentication data (e.g., passwords) without the use of industry accepted encryption standards is prohibited.
IT system users are required to maintain exclusive control and use of their passwords.
For non-MIDAS controlled systems, users must be allowed to change their passwords.
Users determined to have access to sensitive data are required to change their passwords after a pre-determined period (ex., 90 days) as defined by the System Owner, based on sensitivity and risk.
IT system users are required to immediately change their passwords and notify the Information Security Officer (ISO) if they suspect their passwords have been compromised.
Password history files are to be maintained to prevent the reuse of the same passwords, commensurate with sensitivity and risk.
For non-MIDAS controlled systems, unique (non-MIDAS) passwords must be created per system.
Forgotten initial passwords are to be replaced rather than reissued.
Group account IDs and shared passwords on sensitive IT systems are discouraged. Group account IDs or shared passwords required for optimal administration of systems should be noted in the system risk assessment and accepted by the System Owner.
Inclusion of passwords as plain text is discouraged. Passwords required for system usage should be encrypted where possible. Exceptions should be noted in the system risk assessment as an identified risk with accepted compensating controls.
Access to files containing passwords is to be limited to the IT system and its administrators.
Hardware password requirements are to be based on sensitivity and risk.
Hardware passwords are to be documented and stored securely.
Procedures shall be implemented to handle lost or compromised passwords and/or tokens.
Access Tokens
Access tokens should be generated using industry standard mechanisms.
Access token expiration should be configured based on sensitivity and risk but should not be configured to never expire.
Access tokens should be limited in scope to required authorized resources.
Access tokens should only be shared among services with similar purpose within the same system and, if possible, should be unique per instance of the application.
Procedures, Guidelines & Other Related Information
- Federal and State Law
- University Policy 3501 - IT Access Control
- University Policy 3502 - Information Infrastructure, Architecture, and On-going Operational
- University Policy 3505 - Information Technology Security
History
Date |
Responsible Party |
Action |
October 2008 |
ITAC/CIO |
Created |
October 2010 |
ITAC/CIO |
Reaffirmed |
October 2011 |
ITAC/CIO |
Reaffirmed |
February 2014 | IT Policy Office | Minor rewording for clarity |
May 2014 | IT Policy Office | Added references to Password Guidelines |
September 2014 |
IT Policy Office | Updated to reflect recommendations from APA |
December 2017 | IT Policy Office | Minor rewording for clarity |
December 2020 | IT Policy Office | Rewording for clarity to reflect current naming and practices and to add Access Tokens to the standard |