Last Revision Date: March 16, 2012
Approval Date: CANCELLED
Approval Authority: Case Chief Information Security Officer
Case Information Technology Systems (ITS) staff are assigned privileged (root/administrative) access to IT systems and infrastructure as appropriate to their assigned duties. The risk of compromise of the university-provided credentials (Case "Network ID" and password) used by ITS staff leads to an increased impact of disclosure to information managed on behalf of the University by ITS staff.
The purpose of this policy is to establish minimum standards for the frequency of change of passwords.
This policy applies to all ITS personnel who have or are responsible for user and system accounts in Case ITS systems that rely upon or are deemed to interface with the Case authentication systems to connect to Case network-based services. This policy applies to all IT systems managed and operated by the Case ITS department, either by University staff, term staff under contract employment, or student employees. This policy may apply to certain non-ITS systems accounts that provide access to sensitive University information and information systems where the exposure to impact would have significant negative impact on University operations.
This policy does not apply to password-protected files, encryption key passphrases, or local accounts that do not interface with Case authentication systems.
The maximum password age for passwords associated with the 'Network ID' of Case users within the Scope statement will be 180 days. Passwords may be changed on a more frequent basis depending upon departmental practices.
The maximum password age for system level passwords (e.g. root, domain administrator, application administrative accounts) is 365 days.
Upon turnover of staff (change of personnel, rotation of job duties, etc.), system level passwords that are affected by such turnover will be changed within 30 days of the staff turnover. If extenuating circumstances exist, a risk-based decision will be coordinated between the appropriate ITS director and the Chief Information Security Officer.
If the account credentials of a user or system are suspected to have been disclosed or otherwise compromised, the ITS user shall immediately take steps to change the password.
If a policy conflict occurs between various Case departments, the smaller value of the minimum password age shall apply.
Guidelines for password attributes such as strength, composition, protection standards, and password management guidelines are defined in a separate policy.
Appropriate steps will be taken by ITS staff in the password change process to ensure the availability of ITS systems during the password change.
ITS staff should compile a list of applications which may cache passwords to be aware of their potential impact on operations if the network passwords have been changed. Examples include:
A password change window is an 15-day interval during which ITS staff may schedule and implement password changes. As a password lifetime approaches its expiration date, the password change window will be appended to the password lifetime. The password age begins counting the day after the password change date.
Technical means may be implemented to ensure compliance with password lifetimes.
Notifications of Changes: Case ITS staff will notify potentially affected end-users of ITS systems approximately 30 days prior to the password change.
Auditing: An audit cycle will be initiated within 30 days of the close of the password change cycle on selected events to identify the level of compliance and potential risk mitigation.
Initial implementation of this policy will take place between October 1 and October 15, 2006, and the 30 day advanced notification is waived for the initial password changes.
Credentials- the combination of a Network UserID (e.g. abc123) and a
Kerberos principal- the underlying Network authentication mechanisms in the ITS authentication infrastructure that the credentials use for authentication.
Password lifetime- the time, in days, that a password is in effect. A minimum password lifetime of one day will mean that a user must wait until the next calendar day before it can be changed (a technical control to prevent password 'recycling'). A maximum password lifetime of 180 days is the time interval after which the password must be changed.
Policy conflict- when one policy counters another policy. In this case, if localized requirements demand changing passwords on a 30 day maximum password lifetime, this shorter time frame will take precedence over the 180 day requirement.
ITS managers are responsible for implementation, adherence, and feedback regarding this policy.
The ITS staff are responsible for the protection of their credentials. The standard which ITS sets in this policy speaks to the Case IT community in general about the importance of stewardship and protection of the critical IT infrastructure and data.
This policy will be reviewed every two years on the anniversary of the policy effective date, at a minimum. The policy may be reviewed on a more frequent basis depending on changes of risk exposure.