Last Revision Date: March 16, 2012
Approval Date: CANCELLED
Approval Authority: CWRU Chief Information Security Officer
CWRU University Technology, UTech staff are assigned privileged (root/administrative) access to IT systems and infrastructure as appropriate to their assigned duties. The risk of compromise of the university-provided credentials (CWRU "Network ID" and password) used by UTech staff leads to an increased impact of disclosure to information managed on behalf of the University by UTech staff.
The purpose of this policy is to establish minimum standards for the frequency of change of passwords.
This policy applies to all UTech personnel who have or are responsible for user and system accounts in CWRU UTech systems that rely upon or are deemed to interface with the CWRU authentication systems to connect to CWRU network-based services. This policy applies to all IT systems managed and operated by the CWRU UTech department, either by University staff, term staff under contract employment, or student employees. This policy may apply to certain non-UTech systems accounts that provide access to sensitive University information and information systems where the exposure to impact would have significant negative impact on University operations.
This policy does not apply to password-protected files, encryption key passphrases, or local accounts that do not interface with CWRU authentication systems.
The maximum password age for passwords associated with the 'Network ID' of CWRU users within the Scope statement will be 180 days. Passwords may be changed on a more frequent basis depending upon departmental practices.
The maximum password age for system level passwords (e.g. root, domain administrator, application administrative accounts) is 365 days.
Upon turnover of staff (change of personnel, rotation of job duties, etc.), system level passwords that are affected by such turnover will be changed within 30 days of the staff turnover. If extenuating circumstances exist, a risk-based decision will be coordinated between the appropriate UTech director and the Chief Information Security Officer.
If the account credentials of a user or system are suspected to have been disclosed or otherwise compromised, the UTech user shall immediately take steps to change the password.
If a policy conflict occurs between various CWRU departments, the smaller value of the minimum password age shall apply.
Guidelines for password attributes such as strength, composition, protection standards, and password management guidelines are defined in a separate policy.
Appropriate steps will be taken by UTech staff in the password change process to ensure the availability of UTech systems during the password change.
UTech staff should compile a list of applications which may cache passwords to be aware of their potential impact on operations if the network passwords have been changed. Examples include:
- email clients (desktops and PDAs)
- Oracle Calendar client
- Oracle Instant Messenger
A password change window is an 15-day interval during which UTech staff may schedule and implement password changes. As a password lifetime approaches its expiration date, the password change window will be appended to the password lifetime. The password age begins counting the day after the password change date.
Technical means may be implemented to ensure compliance with password lifetimes.
Notifications of Changes: CWRU UTech staff will notify potentially affected end-users of UTech systems approximately 30 days prior to the password change.
Auditing: An audit cycle will be initiated within 30 days of the close of the password change cycle on selected events to identify the level of compliance and potential risk mitigation.
Initial implementation of this policy will take place between October 1 and October 15, 2006, and the 30 day advanced notification is waived for the initial password changes.
Credentials- the combination of a Network UserID (e.g. abc123) and a password
Kerberos principal- the underlying Network authentication mechanisms in the UTech authentication infrastructure that the credentials use for authentication.
Password lifetime- the time, in days, that a password is in effect. A minimum password lifetime of one day will mean that a user must wait until the next calendar day before it can be changed (a technical control to prevent password 'recycling'). A maximum password lifetime of 180 days is the time interval after which the password must be changed.
Policy conflict- when one policy counters another policy. In this case, if localized requirements demand changing passwords on a 30 day maximum password lifetime, this shorter time frame will take precedence over the 180 day requirement.
UTech managers are responsible for implementation, adherence, and feedback regarding this policy.
The UTech staff are responsible for the protection of their credentials. The standard which UTech sets in this policy speaks to the CWRU IT community in general about the importance of stewardship and protection of the critical IT infrastructure and data.
Policy Review Cycle
This policy will be reviewed every two years on the anniversary of the policy effective date, at a minimum. The policy may be reviewed on a more frequent basis depending on changes of risk exposure.