Case ITS Password Change Policy
Overview
Version 1.0
Last Revision Date: September 5, 2006
Approval Date: September 18, 2006
Approval Authority: Case Chief Information Security Officer
Case Information Technology Systems (ITS) staff are assigned privileged
(root/administrative) access to IT systems and infrastructure as
appropriate to their assigned duties. Compromise of the
university-provided credentials (Case "Network ID" and password) used by
ITS staff therefore carries a heightened risk of disclosure, because
those credentials protect information managed on behalf of the
University by ITS staff.
Purpose
The purpose of this policy is to establish minimum
standards for the frequency of change of passwords.
Scope
This policy applies to all ITS personnel who hold, or are responsible
for, user and system accounts in Case ITS systems that rely upon or
interface with the Case authentication systems to connect to Case
network-based services. This policy applies to all IT systems managed
and operated by the Case ITS department, whether by University staff,
term staff under contract employment, or student employees.
This policy may also apply to certain non-ITS system accounts that
provide access to sensitive University information and information
systems, where exposure of those accounts would have a significant
negative impact on University operations.
This policy does not apply to password-protected files, encryption key
passphrases, or local accounts that do not interface with Case
authentication systems.
Cancellation
Not applicable.
Policy Statement
General
The maximum password age for passwords associated
with the 'Network ID' of Case users within the Scope statement will be
180 days. Passwords may be changed on a more frequent basis depending
upon departmental practices.
The maximum password age for system level passwords (e.g. root, domain
administrator, application administrative accounts) is 365 days.
Upon turnover of staff (change of personnel, rotation of job duties,
etc.), system level passwords that are affected by such turnover will
be changed within 30 days of the staff turnover. If extenuating
circumstances exist, a risk-based decision will be coordinated between
the appropriate ITS director and the Chief Information Security Officer.
If the account credentials of a user or system are suspected to have
been disclosed or otherwise compromised, the ITS user shall immediately
take steps to change the password.
If a policy conflict occurs between various Case departments, the
smaller value of the minimum password age shall apply.
Guidelines
Guidelines for password attributes such as strength, composition,
protection standards, and password management guidelines are defined in
a separate policy.
Appropriate steps will be taken by ITS staff in the password change
process to ensure the availability of ITS systems during the password
change.
ITS staff should compile a list of applications which may cache
passwords, so as to be aware of their potential impact on operations
once the network passwords have been changed. Examples include:
- email clients (desktops and PDAs)
- Oracle Calendar client
- Oracle Instant Messenger
A password change window is a 15-day interval during which ITS staff
may schedule and implement password changes. As a password lifetime
approaches its expiration date, the password change window will be
appended to the password lifetime. The password age begins counting the
day after the password change date.
Technical means may be implemented to ensure compliance with password
lifetimes.
Notifications of Changes: Case ITS staff will notify potentially
affected end-users of ITS systems approximately 30 days prior to the
password change.
Auditing: An audit cycle will be initiated within 30 days of the close
of the password change cycle on selected events to identify the level
of compliance and potential risk mitigation.
Initial implementation of this policy will take place between October 1
and October 15, 2006, and the 30-day advance notification is waived
for the initial password changes.
Definitions
Credentials - the combination of a Network UserID (e.g. abc123) and a
password.
Kerberos principal - the underlying Network authentication mechanism in
the ITS authentication infrastructure that the credentials use for
authentication.
Password lifetime - the time, in days, that a password is in effect. A
minimum password lifetime of one day means that a user must wait
until the next calendar day before the password can be changed (a
technical control to prevent password 'recycling'). A maximum password
lifetime of 180 days is the time interval after which the password must
be changed.
Policy conflict - when one policy counters another policy. In this case,
if localized requirements demand changing passwords on a 30-day maximum
password lifetime, this shorter time frame will take precedence over the
180-day requirement.
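The lifetime, change-window, notification and turnover rules above can be expressed as a small rotation schedule, which is what an ITS manager would need for the audit cycle the policy calls for. The following is an added example, not part of the policy and not Case ITS tooling; the record and field names, the account strings, the dates and the convention that a password's age is 0 on the day after it is changed are this example's own assumptions, chosen to match the definitions as closely as the text allows.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Parameters taken from the policy text: maximum lifetimes, minimum lifetime,
# change window, notification lead time and post-turnover grace period.
MAX_AGE_DAYS = {"network_id": 180, "system": 365}
MIN_AGE_DAYS = 1
CHANGE_WINDOW_DAYS = 15
NOTIFY_LEAD_DAYS = 30
TURNOVER_GRACE_DAYS = 30


@dataclass(frozen=True)
class PasswordRecord:
    """One credential tracked for rotation (field names are assumptions)."""
    account: str
    kind: str                            # "network_id" or "system"
    changed_on: date                     # date of the last password change
    local_max_age: Optional[int] = None  # shorter departmental maximum, if any
    turnover_on: Optional[date] = None   # staff turnover affecting a system password


@dataclass(frozen=True)
class Schedule:
    earliest_change: date  # minimum lifetime: the calendar day after the change
    notify_on: date        # end-user notification, 30 days before the window opens
    window_open: date      # lifetime expired; the 15-day change window begins
    window_close: date     # last day of the change window
    deadline: date         # window close, or earlier when a turnover deadline applies


def effective_max_age(rec: PasswordRecord) -> int:
    """Policy conflict rule: the shorter maximum lifetime takes precedence."""
    policy_max = MAX_AGE_DAYS[rec.kind]
    if rec.local_max_age is not None:
        return min(policy_max, rec.local_max_age)
    return policy_max


def password_age(rec: PasswordRecord, on: date) -> int:
    """Age in days; counting starts the day after the change (assumed age 0)."""
    return max(0, (on - rec.changed_on).days - 1)


def schedule(rec: PasswordRecord) -> Schedule:
    """Derive the key dates for one credential from the policy parameters."""
    age_start = rec.changed_on + timedelta(days=1)
    window_open = age_start + timedelta(days=effective_max_age(rec))
    window_close = window_open + timedelta(days=CHANGE_WINDOW_DAYS)
    deadline = window_close
    if rec.kind == "system" and rec.turnover_on is not None:
        # System passwords affected by turnover must change within 30 days of it.
        deadline = min(deadline, rec.turnover_on + timedelta(days=TURNOVER_GRACE_DAYS))
    return Schedule(
        earliest_change=rec.changed_on + timedelta(days=MIN_AGE_DAYS),
        notify_on=window_open - timedelta(days=NOTIFY_LEAD_DAYS),
        window_open=window_open,
        window_close=window_close,
        deadline=deadline,
    )


def status(rec: PasswordRecord, on: date) -> str:
    """Where the credential stands on a given day: ok, notify, window, turnover or overdue."""
    s = schedule(rec)
    if on > s.deadline:
        return "overdue"
    if rec.kind == "system" and rec.turnover_on is not None and on >= rec.turnover_on:
        return "turnover"
    if on >= s.window_open:
        return "window"
    if on >= s.notify_on:
        return "notify"
    return "ok"


def audit(records, on: date):
    """Audit-cycle summary: accounts whose password is past its deadline."""
    return sorted(r.account for r in records if status(r, on) == "overdue")


# Constructed sample records covering the three cases the policy distinguishes.
SAMPLE_RECORDS = [
    PasswordRecord("abc123", "network_id", date(2006, 10, 10)),
    PasswordRecord("root@db01", "system", date(2006, 10, 10), turnover_on=date(2006, 11, 1)),
    PasswordRecord("fin-admin", "system", date(2006, 10, 10), local_max_age=30),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        s = schedule(rec)
        print(f"{rec.account:10} notify {s.notify_on} window {s.window_open}..{s.window_close} deadline {s.deadline}")
    print("overdue on 2007-01-01:", audit(SAMPLE_RECORDS, date(2007, 1, 1)))
```

The turnover deadline is applied only to system accounts, as the policy states it, and the departmental 30-day maximum overrides the 365-day system lifetime through the conflict rule, so the `fin-admin` record expires in November 2006 rather than October 2007.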
Responsibility
ITS managers are responsible for implementation, adherence, and
feedback regarding this policy.
The ITS staff are responsible for the protection of their credentials.
The standard which ITS sets in this policy speaks to the Case IT
community in general about the importance of stewardship and protection
of the critical IT infrastructure and data.
Policy Review Cycle
This policy will be reviewed every two years on the anniversary of the
policy effective date, at a minimum. The policy may be reviewed on a
more frequent basis depending on changes of risk exposure.