Unique credentials will be used for accessing all campus information systems.
Exceptions allowing the use of shared credentials must be approved by the requesting departments' manager and by all affected data owners. The manager and all affected data owners must be informed of the associated risks. The department administering the system being accessed with shared credentials must track all shared credentials in use, must require shared credentials to be reauthorized at least annually, and must deactivate any shared credentials that are not reauthorized.
When passwords are issued they must be one-time Passwords/Keys. One-time passwords (e.g., passwords assigned during account creation, password resets, or as a second factor for authentication) must be set to a unique value per user and changed immediately at first use.
Passwords must meet the following requirements:
- Minimum length of 12 characters
- Not include the user name
- A combination of letters, numbers and special characters, containing at least three
of the following character types:
- Lowercase alphabetic character (a-z)
- Uppercase alphabetic character (A-Z)
- Special character (punctuation, spaces, *, %, $, etc.)
- Number (0-9)
- Accounts will be locked after 5 unsuccessful login attempts
Information Security Resource Links
- United States Computer Emergency Readiness Team (US-CERT)
"The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) leads efforts to improve the Nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation while protecting the constitutional rights of Americans. US-CERT strives to be a trusted global leader in cybersecurity—collaborative, agile, and responsive in a dynamic and complex environment." -US-CERT.GOV
- Internet Storm Center (ISC)
"The ISC was created in 2001 following the successful detection, analysis, and widespread warning of the Li0n worm. Today, the ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers." -ISC.SANS.EDU
- California Office of Information Security
"The California Information Security Office is the primary state government authority in ensuring the confidentiality, integrity, and availability of state systems and applications, and ensuring the protection of state information." -CIO.CA.GOV/OIS