Last Revision Date: March 16, 2012
Approval Date: October 16, 2008
Approval Authority: Case Chief Information Officer
Case Western Reserve University relies significantly upon the use of university-provided credentials (Case "Network ID" and password) to provide authentication for access to online IT resources. In particular, passwords constitute the first line of a layered defense program as the 'keys' users have to gain access to university information and information systems. The risk of compromise of these authentication credentials used by the university community leads to an increased impact on the confidentialiy, integrity, and availability of IT systems and information. All users are bound by the Acceptable Use of IT and Computing Resources Policy (AUP) to take appropriate measures, as described in this policy, to create and secure thier passwords.
The purpose of this policy is to establish minimum standards for protection, complexity (strength), protection, and refresh interval for university passwords. The applicaton of individual accountability and the principle of least privilege are applied in this policy.
This policy applies to all university users who have or are responsible for user and system accounts in Case IT systems that store or process Internal Use or Resricted information.
This policy applies to all IT systems managed and operated by the Case faculty, students, staff, term staff under contract employment, and affilates. This policy may apply to certain non-ITS systems accounts that provide access to sensitive University information and information systems where the exposure to impact would have significant negative impact on University operations.
This policy does not apply to password-protected files, encryption key passphrases, or local accounts that do not interface with Case authentication systems.
All users of Case IT systems are individually assigned a Credentials (Case Network ID and password) for the purpose of identification for access to online systems. In accordance with the Case Acceptable Use Policy, users are individually accountable for activities performed with their credentials.
All production system level passwords for Internal Use or Resricted data must be part of the University's centrally administered account management system (e.g. integrated into LDAP or Case Active Directory). Passwords for Case systems should not be identical to those used for personal online accounts.
User and system level passwords shall be constructed in a manner that minimizes the likelihood of password guessing or brute force attacks.
Passwords with strength and complexity have the following characteristics:
Passwords shall be refreshed periodically to reduce the impact of disclosure due to undected theft of passwords or the sharing of passwords.
The maximum password age for system level passwords (e.g. root, domain administrator, application administrative accounts, local admin accounts, etc. ) is 365 days. This applies to all information Tiers (Tier I, II, and III).
For systems that support password history management, the minimum standard is for 5 generations of password changes in the password change cycle.
Passwords may be changed on a more frequent basis depending upon departmental practices and risk to the information managed, processed, or stored. The recommended minimum password age is 1 day.
Upon turnover of staff (change of personnel, rotation of job duties, etc.), system level passwords that are affected by such turnover will be changed within 30 days of the staff turnover. If extenuating circumstances exist, a risk-based decision will be coordinated between the appropriate Department Manager/Business Officer and the Chief Information Security Officer.
If the account credentials of a user or system are suspected to have been disclosed or otherwise compromised, the user shall immediately take steps to change and protect the password.
Technical measures may be implemented to ensure compliance with password lifetimes.
If a policy conflict occurs between various Case departments, the smaller value of the maximum password age shall apply.
User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
Authentication mechanisms shall use encryption (e.g. SSL or TLS) to protect the login session.
Passwords must not be inserted into email messages or other forms of electronic communication without adequate protection (e.g. end-to-end encryption) of the credentials.
Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).
Applications that request a user ID and password shall not display the password in the data entry field.
Do not use the same password for Case accounts as for other non-Case access (e.g., personal ISP account, online stock trading, benefits, etc.). Where possible, don't use the same password for various Case access needs. The use of Case Single Sign On will reduce the number of accounts you need to track, but will make your Case account more valuable to protect.
Do not share Case passwords with anyone, including administrative assistants or secretaries.
All passwords are to be treated as sensitive, Tier III information.
Here is a list of "dont's":
If someone demands a password, refer them to this policy or refer them to the Case Information Security Office(firstname.lastname@example.org).
Do not use the "Remember Password" feature of applications (e.g., Eudora, OutLook, Netscape Messenger).
Notifications of Changes: Case IT staff will notify potentially affected end-users of IT systems approximately 10-30 days prior to the implementation of a system level password change.
Auditing: An audit cycle will be initiated within 30 days of the close of the password change cycle on selected events to identify the level of compliance and potential risk mitigation.
Compromise- when anyone other than the assigned user knows the users's credentials.
Credentials- the combination of a Network UserID (e.g. abc123) and a password
Kerberos principal- the underlying Network authentication mechanisms in the ITS authentication infrastructure that the credentials use for authentication.
Password lifetime- the time, in days, that a password is in effect. A minimum password lifetime of one day will mean that a user must wait until the next calendar day before it can be changed (a technical control to prevent password 'recycling'). A maximum password lifetime of 180 days is the time interval after which the password must be changed.
Policy conflict- when one policy counters another policy. In this case, if localized requirements demand changing passwords on a 30 day maximum password lifetime, this shorter time frame will take precedence over the 180 day requirement.
Managers and supervisors are responsible for implementation, adherence, and feedback regarding this policy.
All faculty, staff, students, and affiliates are responsible for the protection of their credentials. The standard which Case sets in this policy speaks to the educational community in general about the importance of stewardship and protection of the Tier II data.
This policy will be reviewed every two years on the anniversary of the policy effective date, at a minimum. The policy may be reviewed on a more frequent basis depending on changes of risk exposure.