ATTACHMENT A
One of the recommendations of the biennial FISMA audit of
CSU, Chico performed in early 2000 was that current password policies
on the IBM and NT enterprise platforms be strengthened to reduce the
risk of unauthorized access to systems and confidential data. As a
result, the audit report included a recommendation that security for
these systems be enhanced by:
- increasing the minimum length of the password
- increasing the frequency of periodic changes to the
password
- preventing password reuse, revoking user identification after
failed password attempts, and signing off users after a period of
inactivity.
INFORMATION RESOURCES RECOMMENDATION IN RESPONSE TO THE FISMA AUDIT
- The password policy for both the IBM and NT enterprise
platforms will be the same in an effort to reduce confusion on the
user's part and to reduce to some degree the Faculty/Staff Help
Desk support burden.
- IBM and NT account passwords will be increased to a minimum of
8 digits.
- Three of four character classes (upper case alpha, lower case
alpha, numeric, special character) will be needed in a valid
password. (Note: the IBM only recognizes #, $, @ as special
characters).
- Passwords will be forced to change every six months before a
user can successfully log in.
- A forced logout on the IBM will occur after 60 minutes of
inactivity.
- Passwords may not be reused.
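The rules above can be expressed as a single check that gives the same answer for both platforms. The sketch below is an added example, not code from CSU, Chico or either platform. It assumes that characters outside the four classes are rejected because the IBM only recognizes #, $, @, that "six months" means 182 days, and that reuse is tracked with salted PBKDF2 hashes; all function names and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 8
IBM_SPECIALS = "#$@"             # the only specials the IBM recognizes, per the note
MAX_AGE = timedelta(days=182)    # assumption: "six months" taken as 182 days
CLASSES = {"upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
           "numeric": string.digits, "special": IBM_SPECIALS}

def _digest(password, salt):
    # Salted, slow hash so the reuse history never stores cleartext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(password, history):
    """Append a salted hash of an accepted password to the reuse history."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))

def violations(password, history=()):
    """Return the list of rules the password breaks; empty means acceptable."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append("shorter than minimum length 8")
    present = {name for name, chars in CLASSES.items()
               if any(c in chars for c in password)}
    if len(present) < 3:
        found.append("fewer than three of four character classes")
    # Assumption: anything outside the four classes is refused so the same
    # password is valid on both the IBM and NT platforms.
    foreign = sorted({c for c in password
                      if not any(c in chars for chars in CLASSES.values())})
    if foreign:
        found.append("not recognized on the IBM: " + "".join(foreign))
    if any(hmac.compare_digest(_digest(password, salt), digest)
           for salt, digest in history):
        found.append("password reused")
    return found

def must_change(last_changed, today):
    """True when the password is older than six months and login forces a change."""
    return today - last_changed > MAX_AGE
```

A password such as "Wildcat!9" meets the three-of-four rule with upper case, lower case and numeric characters, but is still flagged because "!" is not one of the IBM's special characters.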