Shared Network Resource Password Policy

Executive Memorandum 01-004

February 23, 2001

From: Manuel A. Esteban, President

Subject: Shared Network Resource Password Policy

SHARED NETWORK RESOURCE PASSWORD POLICY

Background

The Office of the University Auditor of the California State University is responsible for reviewing and reporting on campus compliance with the Financial Integrity and State Manager's Accountability Act (FISMA) passed by the California Legislature in 1983. One of the recommendations from the FISMA review performed at CSU, Chico in early 2000 was that current password policies be strengthened to reduce the risk of unauthorized access to campus systems. CSU, Chico has developed a policy to address this recommendation and to implement procedures to enhance the password security on these shared resources.

Policy

On the recommendation of the Office of the Vice Provost for Information Resources, and after discussion with Cabinet, I accept the specific recommendations shown in Attachment A. Information Resources has developed procedures to ensure that password security is maintained at an acceptable level, and the procedures shall serve as official university policy. Information Resources is responsible for implementing new procedures, which will be reviewed annually and updated when appropriate.

ATTACHMENT A

One of the recommendations of the biennial FISMA audit of CSU, Chico performed in early 2000 was that current password policies on the IBM and NT enterprise platforms be strengthened to reduce the risk of unauthorized access to systems and confidential data. As a result, the audit report included a recommendation that security for these systems be enhanced by

  • Increasing the minimum length of the password
  • Increasing the frequency of periodic changes to the password
  • Preventing password reuse
  • Revoking user identification after failed password attempts
  • Signing off users after a period of inactivity.

INFORMATION RESOURCES RECOMMENDATION IN RESPONSE TO THE FISMA AUDIT

  • The password policy for both the IBM and NT enterprise platforms will be the same in an effort to reduce confusion on the user's part and to reduce to some degree the Faculty/Staff Help Desk support burden.
  • IBM and NT account passwords will be increased to a minimum length of 8 characters.
  • Three of four character classes (upper case alpha, lower case alpha, numeric, special character) will be needed in a valid password. (Note: the IBM only recognizes #, $, @ as special characters).
  • Passwords will expire every six months; an expired password must be changed before the user can successfully log in.
  • A forced logout on the IBM will occur after 60 minutes of inactivity.
  • Passwords may not be reused.
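As an added illustration (not part of the memorandum, and not Information Resources' own tooling), the following check applies the Attachment A rules to a candidate password: the 8-character minimum, three of four character classes, the IBM restriction to #, $ and @ as the only special characters, and the ban on reuse, which is detected against a history of salted hashes so old passwords never need to be stored. The set of special characters accepted on NT and the hashing scheme for the history are assumptions.

```python
import hashlib
import string

MIN_LENGTH = 8          # Attachment A: minimum of 8 characters
REQUIRED_CLASSES = 3    # three of four character classes
IBM_SPECIALS = set("#$@")              # the only specials the IBM recognizes
NT_SPECIALS = set(string.punctuation)  # assumption: NT accepts any ASCII punctuation


def history_hash(password, salt):
    """Salted PBKDF2 digest kept in the user's password history (scheme is an
    assumption) so that reuse can be detected without storing old passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def character_classes(password, specials):
    """Which of the four classes (upper, lower, numeric, special) are present."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("numeric")
        elif ch in specials:
            classes.add("special")
    return classes


def check_password(password, platform="IBM", history=(), salt=b""):
    """Return the list of Attachment A rules the candidate violates
    (an empty list means the password is compliant on that platform)."""
    specials = IBM_SPECIALS if platform == "IBM" else NT_SPECIALS
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Anything that is neither ASCII alphanumeric nor a recognized special
    # character cannot be part of a valid password on this platform.
    bad = sorted({ch for ch in password
                  if not (ch.isascii() and ch.isalnum()) and ch not in specials})
    if bad:
        problems.append(f"{platform} does not recognize: {''.join(bad)}")
    if len(character_classes(password, specials)) < REQUIRED_CLASSES:
        problems.append(f"fewer than {REQUIRED_CLASSES} of 4 character classes")
    if history and history_hash(password, salt) in history:
        problems.append("password was used before")
    return problems


def is_compliant(password, platform="IBM", history=(), salt=b""):
    return not check_password(password, platform, history, salt)
```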