Information Security Identity Management
Identity management is an important aspect of information technology security. Employee logins are requested by Human Resources at the time of hire and are terminated when Human Resources notifies ITS the person is no longer employed. Accounts will not be created without Human Resources requesting them.
All users, whether internal, external, or temporary, and their activity on all IT systems should have User Ids that:
- are uniquely identifiable
- are enabled through appropriate authentication mechanisms
- are assigned access rights to all systems and data in line with defined and documented business needs and job requirements
- are only requested by user management, approved by system owners, and implemented by the appropriate local security administrator.
System Owners are responsible for maintaining user identification and access rights in a centrally managed repository.
Passwords shall be the minimum acceptable mechanism for authenticating users and controlling access to information systems, services and applications unless specifically designated as a public access resource. All users (students, employees, contractors, and vendors shall take the appropriate steps to select and secure their passwords. Failure to use a strong password or using a poorly chosen password when accessing information assets may result in the compromise of those assets.
This standard is designed to comply with applicable laws and regulations. However, if there is a conflict, applicable laws and regulations will take precedence.
Secure your device
All devices permanently or intermittently connected to CSU networks must have password access controls
Secure your data
Restrict access based on the need-to-know; privileges must not be extended unless a legitimate business-oriented need for such privileges exists
Secure your Password
All passwords shall be treated as sensitive, confidential information and shall not be shared with anyone including, but not limited to, administrative assistants, system administrators and/or helpdesk personnel or other members of ITS
Select Strong Passwords
Strong passwords shall be constructed with the following characteristics:
|Secure from external access||
Username and Passwords
You should never share your password with anyone. Nor should anyone allow someone else to use your ID and password. In many cases, log files are maintained and you are responsible for activity by your user account.
A user must be verified before they can gain access to files on a machine. This means that they must login to the machine and not be able to bypass the login. Windows XP or later OS should not be used.
Group passwords are any password and userid that is used by more than one person, such as 5 people logging into Banner using the same userid and password. Each person accessing a resource should have their own userid and password on that resource.
- All computers permanently or intermittently connected to CSU networks or with access to sensitive information must have password access controls.
- Multi-user systems must employ user-IDs and passwords unique to each user, as well as user privilege restriction mechanisms.
- Network-connected single-user systems must employ hardware or software mechanisms that control system booting and that includes a no-activity screen saver that requires a password to reopen the screen. If the machine is left unattended by the person logged in, the screen must be locked before leaving. This is not a requirement for student machines but is recommended.
- Computer and communication system access control must be achieved via passwords that are unique to each individual user. Access control to files, applications, databases, computers, networks, and other system resources via shared passwords or logins (also called "group passwords" or “group logins”) is prohibited.
- Wherever systems software permits, the display and printing of passwords must be masked, suppressed, or otherwise obscured such that unauthorized parties will not be able to observe or subsequently recover them.
- Written passwords will not be stored in the proximity of the machine unless secured.
- Wherever systems software permits, the initial passwords issued to a new user by a security administrator must be valid only for the new user's first on-line session. At that time, the user must be forced to choose another password. This same process applies to the resetting of passwords in the event that a user forgets a password.
- All vendor-supplied default passwords must be changed before any computer or communications system is used for CSU business. This policy applies to passwords associated with end-user user-IDs, as well as passwords associated with systems administrator and other privileged user-IDs.
- To prevent “password guessing” attacks, where systems software permits, the number of consecutive attempts to enter an incorrect password must be strictly limited. If dial-up or other external network connections are involved, the session must be disconnected after the unsuccessful attempts.
- The computer and communications system privileges of all users, systems, and independently-operating programs (such as "agents") must be restricted based on the need-to-know. This means that privileges must not be extended unless a legitimate business-oriented need for such privileges exists. System Administrator or superuser privileges should only be extended to those persons who have the primary responsibility for that system.
- Users should not give out passwords to any other user, even if requested by a member of OITS. If a user needs help and a support person needs to login as that user, the password should be reset by OITS and then reset for the user once support is done.
- Employee logins are requested by Human Resources at the time of hire and are terminated when Human Resources notifies OITS the person is no longer employed. Accounts will not be created without Human Resources requesting them.
- Non-CSU employees will have to fill out a Third Party Network and VPN Access Agreement form.
- If you are using a contractor for web development, they will not be able to place the files on the web server. They must submit the files to the CSU user (floppy, e-mail, CD-ROM, etc...) and then the CSU user can place the files on the web server.