08:13:00 Computer Passwords

1. Introduction:

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of ChSCC’s entire corporate network and loss of data. As such, all ChSCC staff and faculty (including contractors and vendors with access to ChSCC systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2. Purpose:

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

3. Scope:

The scope of this policy includes all students, staff (including contractors and student workers), faculty and adjuncts who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any ChSCC facility, has access to the ChSCC network, or stores any non-public ChSCC information.

4. Minimum Compliance Requirements:

Passwords are the most basic security protection. All users of ChSCC IT networks, laptops, desktops, servers, etc. will ensure their passwords meet the requirements listed below. Audit requirements demand that actions taken on a computer system can be traced back to a specific user-id, so users are responsible for any action taken under their user-id.

4.1. User Password Management:

4.1.1.

Users are required to select a new password immediately after their initial logon.

4.1.2.

All system-level passwords (e.g., root, enable, application administration accounts, etc.) must be changed at least every 90 days, where feasible. Vendor-supplied defaults for system passwords will not be used and will be changed before the system is installed on the network.

4.1.3.

All user-level passwords (e.g., email, web, desktop computer, etc.) should be changed at least every 120 days, where feasible.

4.1.4.

Administrative account passwords will be changed promptly upon departure of personnel (mandatory or voluntary) or suspected compromise of the password. User accounts will be disabled promptly upon departure of personnel (mandatory or voluntary). Users should immediately change their password if they suspect it has been compromised.

4.1.5.

User accounts that have system-level privileges granted through group memberships or programs must use a password that is distinct from the passwords of all other users on that account.

4.1.6.

Passwords must not be inserted into email messages or other forms of electronic communication, unless encrypted.

4.2. Password Rules:

All passwords (user, administrative, or technical support staff) should contain a minimum of eight (8) characters and a maximum of fifteen (15) characters and should be a combination of alphabetic, numeric, and special characters, where feasible. They should not be a word found in a dictionary (English or foreign), slang, dialect, jargon, etc.

4.2.1.

They should not be common-usage words such as the names of family, pets, friends, co-workers, fantasy characters, sports teams, schools, etc.

4.2.2.

They should not contain words like “Chattanooga State,” “Chatta,” or “Chattstate,” etc.

4.2.3.

Passwords should not be composed of birth dates or other personal information such as addresses and phone numbers.

4.2.4.

Don’t use word or number patterns like “aaaabbbb,” “12qwerty,” or “12345678,” etc.

4.2.5.

Any of the above spelled backwards, or preceded or followed by a digit (e.g., “secret1” or “1secret”), is also unacceptable.

4.3. Strong passwords have the following characteristics:

They contain both upper- and lower-case characters, have digits and punctuation characters as well as letters, and are between 8 and 15 characters long, when feasible.
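The rules in 4.2 through 4.3 can be enforced mechanically at password-change time. The checker below is an added example, not code from the policy or from ChSCC Computer Services: it applies the 8–15 character bounds, the mixed character-class requirement, a deny list standing in for the dictionary and institution-name rules (the list and the keyboard-run fragments are constructed for illustration), the 4.2.4 pattern rule, and the 4.2.5 rule that a denied word reversed or padded with a single digit is still denied. The function and constant names are the example's own.

```python
from __future__ import annotations

import re
import string

# Constructed, illustrative deny list standing in for the dictionary, name and
# institution-name checks of 4.2 to 4.2.2. A real deployment loads a full word list.
DENIED_WORDS = {
    "secret", "password", "welcome", "chattanooga", "chattanoogastate",
    "chatta", "chattstate", "tigers", "fluffy",
}

# Keyboard/sequence fragments for the 4.2.4 pattern check (constructed list).
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "1234", "abcd")

MIN_LEN, MAX_LEN = 8, 15  # 4.2 / 4.3 length bounds


def _variants(word: str) -> set[str]:
    """Forms that 4.2.5 also rejects: the word reversed, and the word or its
    reverse preceded or followed by a single digit."""
    forms = {word, word[::-1]}
    for w in list(forms):
        for d in string.digits:
            forms.add(d + w)
            forms.add(w + d)
    return forms


DENIED_FORMS = set().union(*(_variants(w) for w in DENIED_WORDS))


def _is_pattern(pw: str) -> bool:
    """4.2.4: runs of repeated characters (aaaabbbb), keyboard runs (12qwerty)
    and straight ascending/descending sequences (12345678)."""
    lower = pw.lower()
    if re.fullmatch(r"(?:(.)\1{2,})+", lower):
        return True
    if any(run in lower for run in KEYBOARD_RUNS):
        return True
    steps = {ord(b) - ord(a) for a, b in zip(lower, lower[1:])}
    return steps in ({1}, {-1})


def check_password(pw: str) -> list[str]:
    """Return the rule violations found; an empty list means the candidate
    satisfies every rule implemented here."""
    problems: list[str] = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in pw):
        problems.append("missing upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("missing lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("missing digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("missing punctuation character")
    lower = pw.lower()
    if lower in DENIED_FORMS:
        problems.append("is a denied word, its reverse, or a digit-padded form of one")
    elif any(w in lower for w in DENIED_WORDS):
        problems.append("contains a denied word")
    if _is_pattern(pw):
        problems.append("is a repeated, sequential, or keyboard pattern")
    return problems


if __name__ == "__main__":
    # The candidates below are the policy's own counter-examples plus one acceptable value.
    for candidate in ("secret1", "1secret", "12qwerty", "12345678", "Tr4in-Lamp#9"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Returning the full list of violations, rather than stopping at the first, lets the change-password screen tell the user everything that needs fixing in one round; the dictionary check deliberately matches substrings, so “Chattstate1!” is rejected even though it satisfies the character-class rules.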

5. Password Protection Standards:

Do not share ChSCC passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential ChSCC information.

5.1. A list of don’ts:

Don’t reveal a password over the phone to anyone.
Don’t reveal a password in an email message.
Don’t talk about a password in front of others.
Don’t hint at the format of a password (e.g., “my family name.”)
Don’t reveal a password on questionnaires or security forms.
Don’t share a password with family members.
Don’t reveal a password to co-workers while on vacation.
Don’t reveal a password to the boss.
Don’t use the “Remember Password” feature of applications (e.g., Outlook, etc.)
Don’t write passwords down and store them anywhere in your office. Don’t store passwords in a file on ANY computer system (including mobile devices) without encryption. Passwords should not be visible on a screen or hardcopy.
Don’t embed passwords in automated programs, utilities, or applications, such as autoexec.bat files, batch job files, or terminal hot keys.

6. Password Maintenance:

Password cracking or guessing may be performed on a periodic or random basis by Computer Services. If a password is guessed or cracked during one of these scans, the user will be required to change it. If Computer Services technicians need to perform work on a user’s computer, they will provide the user with an initial password that must be changed before the user is allowed to log on.

6.1. Password Lockout:

Individual user IDs will be revoked after five (5) consecutive attempts to log in with an invalid password. Once a password reaches maturity (its change interval has elapsed), the user cannot log on until a new password is entered and accepted. Temporary or default passwords assigned by system administrators or the operating system must be changed immediately.

6.2. Disabling Password Accounts:

Password accounts not used for 180 days will be disabled and reviewed by Computer Services (CS) and the appropriate supervisor for possible deletion. Accounts disabled for 60 days will be deleted. Accounts for contractors, vendors, etc. will initially be set up to expire on the ending date of their work contract. See policy IT 08:17:00 Computer Access for further information on access requirements.

6.3. Automated Security Time-Out:

All desktops/laptops (except public use machines) will be set with an automated ten (10) minute time-out to prevent unauthorized viewing of information. This automated time-out will return the screen to the logon point only if the desktop/laptop isn’t used again within that 10-minute span. Individuals wishing to continue working on the desktop/laptop after the 10-minute span has expired will have to log in to resume work.

7. Application Development and IT Support Password Standards Guidelines:

Application developers and IT support personnel must ensure their programs contain the following security precautions. Passwords must support authentication of individual users, not groups, where feasible. Passwords should not be stored in clear text or in any easily reversible form. User-ids/passwords will not be hardcoded. Passwords should provide for some sort of role management for Help Desk personnel, such that one user can take over the functions of another user’s PC/laptop without having to know the other’s password. Passwords should ensure auditing to the individual level for any system/root command. Generic or group passwords will not be used unless auditing can be tracked at the individual user-id level.
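The requirement that passwords not be stored in clear text or in any easily reversible form is usually met by storing a salted, slow, one-way derivation instead of the password. The code below is an added example of that storage format and its verification path, not code from the policy or from ChSCC; it uses Python's standard-library PBKDF2-HMAC-SHA256, the iteration count and record layout are assumptions chosen for illustration, and the sample user-id `jdoe` and password are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Work factor is an assumption for illustration; raise it as hardware allows.
# scrypt or Argon2 are preferable where the platform provides them.
ITERATIONS = 200_000
SALT_LEN = 16
DK_LEN = 32


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salthex$hashhex'.

    The record holds a random per-user salt and a one-way derived key; the
    password itself is not stored in any recoverable form."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, DK_LEN)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and parameters and compare
    in constant time, so a mismatch does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != "pbkdf2_sha256":
        return False
    expected = bytes.fromhex(hash_hex)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), len(expected))
    return hmac.compare_digest(dk, expected)


def records_differ_for_same_password(password: str) -> bool:
    """Two enrolments of the same password produce different records because
    each gets its own salt, so a leaked table does not reveal shared passwords."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample user table: user-id -> stored record (never the password).
    users = {"jdoe": hash_password("Tr4in-Lamp#9")}
    print(users["jdoe"])
    print(verify_password("Tr4in-Lamp#9", users["jdoe"]))   # True
    print(verify_password("wrong-guess", users["jdoe"]))    # False
```

Embedding the algorithm name and iteration count in the record lets an application raise the work factor later and re-hash each user transparently at their next successful logon, which also satisfies the per-user (not group) authentication and auditing expectations above because every record is tied to one user-id.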

References:

1. State of Tennessee Department of Finance and Administration Office/Office for Information Resources Aug 2007/Apr 2008

2. Tennessee Board of Regents (TBR) Information Technology Policy 1:08:00:00

3. Payment Card Industry (PCI) Compliance, 07/01/2001

Approved by:

President’s Cabinet, 2/1/2012

Approved by:

Dr. James L. Catanzaro, President 5/7/2012

Implemented by: Computer Services, 09/30/08
Reviewed and Revised by: Computer Services, 03/27/09 Rev 1

Reviewed and Revised by: Computer Services, 12/1/2011 Rev 2

Revision 2 Changes

Page 1. Scope: Contractors and student workers were added to the scope of the policy. Added per Reference #3.

Page 1. 4.1.2 User Password Management - Vendor-supplied defaults for system passwords will not be used and will be changed before the system is installed on the network. Added per Reference #3.