File code: TECH.PASSWORD.POL
Approval Date: 2/23/2009
Revision Date: 4/13/2010
Approved By: President
This policy provides password guidance intended to maintain control over access to WIU systems and data, and enumerates the authentication requirements necessary for compliance with the Payment Card Industry (PCI) Data Security Standard (DSS), which governs university acceptance of credit cards as payment. This policy must be reviewed annually and updated as appropriate.
- All WIU-owned or WIU-operated computers that are permanently or intermittently connected to the network must have an approved password-based access control system.
- All inbound non-e-commerce connections to WIU computers from external networks (Internet, dial-up lines, etc.) must, at a minimum, be protected with a password.
- All vendor-supplied and/or default passwords must be changed before any computer or communications system is used in production or hosts any WIU data.
- Users are prohibited from logging into any system or network anonymously (e.g., as "guest"). All users must be positively identified by a unique ID and password. When non-administrative users need to elevate to administrative-level privileges, they must first have logged in with their personal user ID, so that the audit trail clearly indicates who performed the privileged action. Public systems such as those found in the Library and the Student Union are exempt from this requirement.
- Systems should require re-authentication after 30 minutes of inactivity.
- Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public", "private" and "system" and must be different from the passwords used to log in interactively.
- Passwords used on WIU systems must NOT be:
  - The same password as for other non-WIU access (e.g., personal ISP account, option trading, benefits, etc.);
  - Shared with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential information;
  - Revealed over the phone;
  - Revealed in an email, IM, chat room, blog or text message;
  - Discussed in front of others or online;
  - Revealed on questionnaires or web forms;
  - Shared with family members, friends or acquaintances; or
  - Revealed to co-workers.
- It is strongly recommended, unless there are mitigating circumstances, that passwords are not shared. They represent sensitive, confidential information.
- Group or shared accounts are allowed strictly to support the university's external outreach mission. These accounts may only be used by non-university entities. University areas sponsoring these arrangements are responsible for documenting them and reviewing them annually to ensure continued appropriateness. General password controls apply to these accounts.
- Vendor accounts must only be enabled during a maintenance window and with proper & approved change control.
- If someone requests a user ID and password, refer the individual to this policy and have him or her call the Support Center (309.298.2704).
- Do not use personal information (e.g. name, birthday, phone, address, etc.) or your username as part of your password.
- Do not use the "Remember Password" feature of any application (e.g., Internet Explorer, Outlook, Netscape, Mozilla’s Firefox, etc.).
General Password Controls
The following password controls must be implemented on WIU controlled network and systems:
- Passwords must be changed every one hundred and twenty (120) days or less, a period chosen to coincide with the university's semester-based business cycle.
  - Up to two (2) grace logins are allowed to support users who do not use a system as often as every one hundred and twenty (120) days.
- All accounts are disabled after fifteen (15) months of inactivity, except accounts having access to credit card data, which must be disabled after ninety (90) days or less of inactivity.
  - STARS and TeleSTARS are targeted to support a password change policy during the fall semester 2009.
- Passwords must be a minimum of eight (8) characters in length.
  - STARS and TeleSTARS currently only support four (4) characters; planned support for eight (8) characters is targeted for fall semester 2009.
- Long passwords of up to fifteen (15) characters should be supported.
  - WIUP can only support up to eight (8) characters; STARS and TeleSTARS can currently only support four (4) characters, with planned support for eight (8) characters targeted for fall semester 2009.
- All passwords must contain one or more numbers and one or more alphabetic characters.
  - STARS and TeleSTARS currently only support numeric characters; planned support for alphabetic characters is targeted for fall semester 2009.
  - Planned support on all systems for upper-case letters is targeted for fall semester 2009.
- Users must not be able to reuse any of the ten (10) previous passwords.
- User accounts are locked after six (6) or fewer invalid logon attempts.
  - Locked accounts remain locked for 30 minutes or until an administrator re-enables the user ID.
- Unsuccessful logon attempts must be logged.
Additional Password Controls Specific to Roles Having Administrative Rights (complete and unrestricted access) on Systems or Networks
- All administrative-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed every 60 days or less. Areas may choose to change passwords more often, but never less often.
- No more than six (6) concurrent logon sessions should be permitted for an administrative account.
Additional Password Controls for Areas Taking Credit Cards as Payment
When PCI DSS requirements and university policy do not match, the most restrictive requirement applies. Accounts with access to cardholder data or to systems that process card payments must:
- Have account additions, deletions and modifications managed centrally;
- Have the user's identity verified before a password reset is performed;
- Have first-time passwords set to a unique value for each user, and require the password to be changed immediately after first use;
- Have access revoked immediately upon termination of employment;
- Be disabled after ninety (90) days of inactivity (overrides the university policy of fifteen months of inactivity);
- Not be shared, generic or group accounts;
- Have their passwords changed every ninety (90) days or less (overrides the user-level policy of one hundred and twenty days; for administrative-level access the university policy of sixty (60) days or less is stricter and therefore applies);
- Have passwords with a minimum length of seven (7) characters (overridden by the university policy of an eight (8) character minimum);
- Have passwords that contain both numeric and alphabetic characters;
- Have passwords that differ from any of the last four (4) previous passwords (overridden by the university policy of the previous ten (10) passwords);
- Require all access to any database containing cardholder data to be authenticated (including access by applications, administrators and all other users).
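The General Password Controls above and the PCI precedence rules in this section together define a small set of checks that an authentication system has to enforce: composition and history on a new password, lockout after repeated failures, and "most restrictive wins" when several rotation periods apply. The following is an added example written for this page, not WIU's own code or any WIU system's implementation; the numeric limits are the ones stated in the policy, while the function and class names, the PBKDF2 hashing of the password history, the in-memory state and the epoch-second timestamps are this example's own assumptions.

```python
"""Reference enforcement of the password controls stated above.

Added example, not WIU code: the numeric limits are the ones on the page, while
the function and class names, the PBKDF2 history hashing and the in-memory
state are this example's own assumptions.
"""
import hashlib
import hmac
import os
import re

MIN_LEN, MAX_LEN = 8, 15            # at least eight characters; up to fifteen supported
HISTORY_DEPTH = 10                  # may not reuse any of the ten previous passwords
MAX_FAILED = 6                      # lock after six invalid logon attempts
LOCKOUT_SECONDS = 30 * 60           # locked for 30 minutes or until an administrator unlocks


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 so the history list never holds old passwords in the clear."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _matches(password, entry):
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_new_password(password, username, history, personal_info=()):
    """Return the list of policy violations; an empty list means the password is acceptable.

    history: (salt, digest) entries for the account's previous passwords, newest first.
    personal_info: strings such as name, phone or birthday that must not appear.
    """
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not (re.search(r"[0-9]", password) and re.search(r"[A-Za-z]", password)):
        problems.append("must contain at least one number and one letter")
    lowered = password.lower()
    for item in (username, *personal_info):
        if item and item.lower() in lowered:
            problems.append(f"must not contain personal information ({item})")
    if any(_matches(password, e) for e in history[:HISTORY_DEPTH]):
        problems.append(f"must differ from the previous {HISTORY_DEPTH} passwords")
    return problems


class LockoutTracker:
    """Counts invalid logons per account and enforces the 30-minute lockout.

    Times are plain epoch seconds supplied by the caller (time.time() in
    production) so the behaviour can be exercised without waiting.
    """

    def __init__(self):
        self.failures = {}       # account -> consecutive invalid attempts
        self.locked_until = {}   # account -> epoch second at which the lock expires
        self.log = []            # every unsuccessful attempt is logged

    def is_locked(self, account, now):
        return now < self.locked_until.get(account, 0)

    def record_failure(self, account, now, source="unknown"):
        """Log the failed attempt; return True if the account is now locked."""
        self.log.append(f"t={now} FAILED_LOGON account={account} src={source}")
        if account in self.locked_until and not self.is_locked(account, now):
            del self.locked_until[account]     # the 30 minutes elapsed: start a fresh count
            self.failures[account] = 0
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILED:
            self.locked_until[account] = now + LOCKOUT_SECONDS
        return self.is_locked(account, now)

    def record_success(self, account):
        self.failures.pop(account, None)

    def admin_unlock(self, account):
        """An administrator re-enables the user ID before the 30 minutes elapse."""
        self.locked_until.pop(account, None)
        self.failures.pop(account, None)


def max_password_age_days(admin=False, cardholder_data=False):
    """Most restrictive of the rotation periods that apply: 120 (user), 90 (PCI), 60 (admin)."""
    ages = [120]
    if cardholder_data:
        ages.append(90)
    if admin:
        ages.append(60)
    return min(ages)
```

Two design points worth noting. The history check stores only salted hashes of previous passwords and compares with a constant-time comparison, so a reuse check never requires keeping old passwords in recoverable form. The lockout tracker logs every failure before deciding whether to lock, which is what makes the "unsuccessful logon attempts must be logged" control auditable; `admin_unlock` is the "or until an administrator enables the user ID" path.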