08:13:00 Computer Passwords
- Introduction: Tennessee Board of Regents Guideline G-51 Password Management requires all institutions to control user access to information assets based on three separate areas: individual accountability, need to know, and least privilege. The purpose of this policy is to establish a minimum standard for the creation of strong passwords, the protection of those passwords, and the frequency of change to ensure protection of institutional information assets.
- A combination of a personal user login id or identification and a unique password for authentication will be required of all users before they are allowed access to institutional networks and systems. Everyone (students, faculty, staff, adjuncts, contractors, vendors, etc.) who requires this access is provided an individual user-id and password. At Chattanooga State Community College, this is referred to as the user's TigerID and password.
- Through SSO (single sign-on) capability, this Tiger ID and accompanying log-on password are the same logon credentials for Microsoft initial login, Tiger Web, and email. They are the same whether the user accesses these systems through hardwired systems and/or mobile devices.
- Any computer, laptop, printer, or device that an authorized user connects to the campus network is subject to this policy. Authorized users accessing institutional computing resources and network with their own personal equipment are responsible for ensuring the security and integrity of the systems they are using to establish access.
- Guest, unauthenticated access may be provisioned commensurate with usage and risk. For specific instructions on obtaining access for a guest, please go to the technology web page and click on "Access." If group access is needed for classes for other than Chattanooga State students, etc., go to the technology web page and click on Sponsored Accounts.
- All user access must be authenticated. Audit requirements dictate that actions taken on a computer system be traceable back to a specific user-id, so users are responsible for any action taken by their user-id. All users of secure systems must be accurately identified, a positive identification must be maintained throughout the login session, and actions must be linked to specific users. General-use user-ids and passwords are permitted only in specific designated areas.
- The effectiveness of passwords to protect access to the institution's information directory depends on strong construction and handling practices.
- Users are required to select a new password immediately after their initial login.
- All user-level passwords (e.g., email, web, desktop computer, etc.), especially those of users who process or access restricted data (such as protected health information, student FERPA (Family Educational Rights and Privacy Act) data, Social Security Numbers, PCI (Payment Card Information) or other personally identifiable information), must be changed at least every 120 days. This is an automated access change request.
- Users should immediately change their password if they suspect it has been compromised.
- User accounts that have system-level privileges granted through group memberships or programs must have a user-id and password that are unique from those of all other users on that account.
- User passwords will be automatically locked out after five attempts to log in. The Banner system allows only three (3) attempts before locking out. Users will need to enter a service request through the technology service request system. Service tickets are found on the servicedesk ChattanoogaState.edu webpage. Each password reset due to the five (5) failed log-in attempts or three (3) failed log-in attempts (Banner) must be entered into the daily log by anyone resetting the password. Password accounts not used for 365 days will be disabled and reviewed by Technology and the appropriate supervisor for possible deletion.
- Passwords must not be inserted into email messages or other forms of electronic communication, unless encrypted.
- The following requirements apply to end-user password management:
- Passwords must not be stored in a manner that allows unauthorized access.
- Passwords will not be stored in a clear text file.
- Passwords must not be stored in a manner that allows unauthorized access - including writing them down and storing them in the user's office.
- Do not use the "Remember Password" feature of applications (e.g., Outlook, etc.).
- Don't store passwords in a file on ANY computer system (including mobile devices) without encryption. Passwords should not be visible on a screen or hardcopy.
- All user passwords that allow access to all institution networks and systems must be constructed using the following criteria where technically feasible:
  - Must be a minimum of 8 characters in length.
  - Must be composed of a combination of at least three of the following four types of characters:
    - Upper case alphabetic character;
    - Lower case alphabetic character;
    - Numeric character;
    - Non-alphanumeric character (if feasible, as some systems do not recognize certain non-alphanumeric characters).
- Automated security time-out is required on user desktops. An automated time-out feature has been implemented to restrict unauthorized viewing of information. Passwords will need to be entered to reconnect.
- State of Tennessee Department of Finance and Administration Strategic Technology Solutions 2:01, 12/15/2016
- Tennessee Board of Regents (TBR) Information Technology Policy 1:08:00:00, 9/26/2014
- Tennessee Board of Regents (TBR) Password Management G-051, 9/26/2014
- Tennessee Board of Regents (TBR) Policy G-052 Access Control, 9/26/2014
Division Name: Technology Division
Policy Number and Title: 08:13:00 Computer Passwords
- Reformatted the whole policy to new format.
- All pages - Information Technology Services was changed to new division name - Technology Division.
- Section B, para 3 was added:
- Guest, unauthenticated access may be provisioned commensurate with usage and risk. For specific instructions on obtaining access for a guest, please go to the Technology Web Page and click on "Access." If group access is needed for classes for other than Chattanooga State students, etc., go to the Technology Web Page and click on Sponsored Accounts.
- Section D, para 2 added:
- All user-level passwords (e.g., email, web, desktop computer, etc.), especially those of users who process or access restricted data (such as protected health information, student FERPA data, Social Security Numbers, Payment Card information or other personally identifiable information), must be changed at least every 120 days. This is an automated access change request.
- Section D, para 5 added: 3 attempts before lockout for Banner; added instructions for requested password change...notify someone in Server and Storage group....; added log requirement....must be entered...
Signature: Dr. Rebecca Ashford, President
Date Approved: October 24, 2017