- 08:13:05 INFORMATION TECHNOLOGY SERVICES
- Tennessee Board of Regents Guideline G-51, Password Management, requires all institutions to control user access to information assets based on three separate principles: individual accountability, need to know, and least privilege. A combination of a personal user login ID (identification) and a unique password for authentication is required of all users before they are allowed access to institutional networks and systems. At Chattanooga State Community College, this is referred to as your Tiger ID and password.
- Any computer, laptop, printer or device that an authorized user connects to the campus network is subject to this policy. Authorized users accessing institutional computing resources and network with their own personal equipment are responsible for ensuring the security and integrity of the systems they are using to establish access.
- Guest (unauthenticated) access may be provisioned commensurate with usage and risk.
- The purpose of this policy is to establish a minimum standard for creation of strong passwords, the protection of those passwords, and the frequency of change to ensure protection of institutional information assets.
- The scope of this policy includes all students, staff (including contractors, temp workers and student workers), faculty and adjuncts who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any ChSCC facility, has access to the ChSCC network, or stores any non-public ChSCC information.
- Everyone who requires this access (students, faculty, staff, adjuncts, contractors, vendors, etc.) is provided an individual user-id and password. This individual user-id is referred to as your Tiger ID. Through SSO (single sign-on), the Tiger ID and its accompanying password are the same logon credentials for the initial Microsoft logon, Tiger Web, D2L and email, whether you access these systems from hardwired systems or mobile devices.
- See the ITS web site for a process guide and the web form(s) required to request initial Tiger ID access: http://itservices.chattanoogastate.edu/index.php.
- Minimum Compliance Requirements:
- All user access must be authenticated. Authentication is the means of ensuring the validity of the user identification. All passwords used to access information assets must conform to certain requirements relating to password composition, length, expiration, and confidentiality.
- For audit purposes, actions taken on a computer system must be traceable to a specific user-id, so users are responsible for any action taken under their user-id. All users of secure systems must be accurately identified, a positive identification must be maintained throughout the login session, and actions must be linked to specific users. General-use (shared) user-ids and passwords are permitted only in specifically designated areas. See the Information Technology Services (ITS) web page for further information: http://itservices.chattanoogastate.edu/index.php.
- User Password Management:
- The effectiveness of passwords in protecting access to the institution's information depends directly on strong construction and handling practices. All users must construct strong passwords for access to all institution networks and systems. The following password management criteria apply where technically feasible:
- Users are required to select a new password immediately after their initial logon.
- All user-level passwords (e.g., email, web, desktop computer, etc.) should be changed at least every 120 days, especially for users who process or access restricted data (such as protected health information, student FERPA data, Social Security Numbers, Payment Card information or other personally identifiable information).
- Student passwords should be changed every 365 days, at a minimum.
- Administrative account passwords will be changed promptly upon departure of personnel (mandatory or voluntary) or suspected compromise of the password. Supervisors should notify ITS to disable user accounts upon departure of personnel (mandatory or voluntary).
- Users should immediately change their password if they suspect it has been compromised. ITS will remove access as required upon receipt of a termination letter from the President's office.
- User accounts that have system-level privileges granted through group memberships or programs must use a user-id and password that are distinct from every other account held by that user.
- User accounts will be automatically locked after five (5) failed log-in attempts. Users will need to call ITS to have the account unlocked. Each unlock performed because of 5 failed log-in attempts must be entered into the daily log.
- Passwords must not be inserted into email messages or other forms of electronic communication unless encrypted. The following requirements apply to end-user password management:
- Passwords must not be stored in a manner which allows unauthorized access, including writing them down and storing them in your office.
- Passwords will not be stored in a clear text file.
- Passwords will not be sent via unencrypted e-mail.
- Never use the "Remember Password" feature of applications (e.g., Outlook, etc.).
- Don't store passwords in a file on ANY computer system (including mobile devices) without encryption. Passwords should not be visible on a screen or in hardcopy.
- Don't embed passwords in automated programs, utilities, or applications, such as autoexec.bat files, batch job files, or terminal hot keys.
- Password Construction:
- All users must construct strong passwords for access to all institution networks and systems, using the following criteria where technically feasible:
- Must be a minimum of 8 characters in length.
- Must be composed of a combination of at least three of the following four types of characters:
- Upper case alphabetic character;
- Lower case alphabetic character;
- Numeric character;
- Non-alphanumeric character.
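The following is an added example, not part of the ChSCC policy or of any ITS tool, showing how the construction criteria above (minimum 8 characters, at least three of the four character classes) can be checked programmatically. The function names, class definitions and sample passwords are assumptions made for illustration.

```python
"""Check a candidate password against the construction criteria stated in
this policy: at least 8 characters, and at least three of the four classes
(upper case, lower case, numeric, non-alphanumeric).

Added example; not code from the ChSCC policy or any ITS system. The names
and sample inputs are assumptions for illustration only.
"""

MIN_LENGTH = 8
MIN_CLASSES = 3

# The four character classes named in the policy. Anything that is not a
# letter or digit (punctuation, space, symbols) counts as "non-alphanumeric".
CLASSES = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "other": lambda ch: not ch.isalnum(),
}


def character_classes(password: str) -> set:
    """Return the names of the character classes present in password."""
    return {name for name, test in CLASSES.items()
            if any(test(ch) for ch in password)}


def check_password(password: str) -> list:
    """Return a list of policy violations (strings).

    An empty list means the password satisfies the construction criteria.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(
            f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    present = character_classes(password)
    if len(present) < MIN_CLASSES:
        missing = sorted(set(CLASSES) - present)
        problems.append(
            f"only {len(present)} of {len(CLASSES)} character classes used "
            f"(need {MIN_CLASSES}); missing: {', '.join(missing)}")
    return problems


def is_compliant(password: str) -> bool:
    """True if the password meets the construction criteria."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample inputs for illustration; not real credentials.
    samples = ["tiger", "tigerpaws", "TigerPaws", "Tiger123",
               "tiger-paws-2016", "T1g3r!"]
    for pw in samples:
        result = check_password(pw)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

Note that the criteria are a floor, not a guarantee of strength: a value such as "Tiger123" satisfies all of them. A production validator would normally add a check against common or previously breached passwords on top of these composition rules.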
- Disabling Password Accounts:
- Accounts not used for 180 days will be disabled and reviewed by ITS and the appropriate supervisor for possible deletion. Accounts disabled for 60 days will be deleted. Accounts for contractors, vendors, etc. will initially be set up to expire on the end date of their work contract. See policy IT 08:17:00 Computer Access for further information on access requirements. For adjuncts, see the ITS web page for adjunct-specific policies and access web forms: http://itservices.chattanoogastate.edu/forms.php.
- Automated Security Time-Out:
- User desktops have an automated 20-minute time-out feature, implemented to restrict unauthorized viewing of information. Users will need to log back onto their desktop after the time-out.
- Compliance and Enforcement
- Persons in violation of this policy are subject to a range of sanctions determined and enforced by ChSCC. Justifications for exceptions to this policy must be documented by the requestor and sent to ITS for approval.
1. State of Tennessee Department of Finance and Administration Office/Office for Information Resources Aug 2007/Apr 2008
2. Tennessee Board of Regents (TBR) Information Technology Policy 1:08:00:00
3. Tennessee Board of Regents (TBR) Password Management G-051, 9/26/2014
4. Payment Card Industry (PCI) Compliance, 07/01/2001
5. ChSCC 08:17:05 08/31/2015
6. Information Technology Services Web Page, 02/01/2016
Approved: President 8/25/2016
Implemented by: Information Technology Services, 06/30/08
Reviewed and Revised by: Information Technology Services, 03/27/09 Rev 1
Reviewed and Revised by: Information Technology Services, 12/1/2011 Rev 2
Reviewed and Revised by: Information Technology Services, 5/7/2015 Rev 3
Reviewed and Revised by: Information Technology Services, 12/19/2013 Rev 4
Reviewed and Revised by: Information Technology Services, 2/28/2016 Rev 5
Revision 5 Changes:
Pages All. Change made from Computer Services to Information Technology Services.
Page 1. Section - Introduction. Added the following information per Reference #3, "TBR Guideline G-51-Password Management...."
Page 1. Section - Scope. Added the following information per Reference #3, "....Link to ITS Web site provided. Contractors and student workers were added to the scope of the policy."
Page 2. Section - 4. Minimum Compliance Requirements. Added the following information, "All user access must be authenticated. Authentication is the means of ensuring the validity of the user identification. The minimum...." And, "Please review the Information Technology Services (ITS) Web Page for further information. http://itservices.chattanoogastate.edu/index.php."
Page 2, Section 4.1 Password Management. Added the following information, "User's password will be automatically...."
Page 3. Section 4.2. Password Construction. Added the following information, "All users must construct ...."
Page 3. Section 4.3 Disabling Password Accounts. Rewrote entire para.
Page 4. Section 4.4. Automated Security Time-Out. Rewrote entire para.