University of Colorado Denver
Fiscal Policy for Information Systems
Networked Resource Password
I. Purpose, Reference, and Responsibility
A. Purpose
At UCD, information technology users have the ability to change their passwords. In order to protect computers, information and other related resources, the UCD requires its system users to have "strong" passwords.
B. Reference
University of Colorado Denver Fiscal Policy for Secure Computing
C. Responsibility
UCD information technology providers are responsible for managing and protecting the information technology resources under their jurisdiction, including the enforcement of strong password standards. The use of computing and networking resources of the UCD is a privilege and as such, any individuals who use the information technology resources of the UCD are responsible for complying with the password requirements of this policy.
II. Applicability and Definitions
A. Applicability
This policy applies to all users of the UCD internal data network who are connected through either a direct physical connection or connected via wireless connections, campus modem lines, DSL service, cable modems, over the Internet, or by other means.
B. Definitions
- Users of the UCD internal network refers to any individuals and/or electronic devices that are connected to the UCD Campus computing infrastructure that interconnects computers, networking equipment, printers, personal digital assistants, and electronic devices for the purpose of data or information exchange.
- IS is an abbreviation for information systems.
- IT is an abbreviation for information technology.
- Strong password is a password that is not readily decipherable and usually consists of symbols/characters, letters, and/or numbers that will allow a user to gain access to the UCD internal network.
- UCD IS Department is the centralized service unit that provides data networking, e-mail, file server, telephone, and other information technology support services for the UCD campus (see web site at http://www.uchsc.edu/is).
III. Statement of Policy
A. General
Passwords are an integral component of UCD’s “defense-in-depth” effort. In some cases, passwords are the only protection against inadvertent or malicious access to a resource or data. Because passwords play such a vital role in protecting the security of our resources, it is essential that all accounts with access to any networked resource have passwords that meet minimum length, complexity, and frequency of change criteria.
Without passwords that meet these criteria, UCD resources and data are vulnerable to attack. With only a few insecure passwords, an experienced hacker may be able to do irreparable or costly harm to UCD resources. In addition, passwords need to be protected against unauthorized disclosure, modification, or removal.
All activities inconsistent with these objectives or that could be construed to constitute a conflict of interest or commitments are considered to be inappropriate and may jeopardize the user’s privilege of using IT resources. To ensure the protection of IT resources, UCD reserves the right to probe and monitor computing activities on any and all devices connected to the UCD network to ensure they are operating in compliance with this policy. In addition, UCD may withdraw a user’s privileges when violations of this policy occur.
B. Conditions for Use of UCD IT Resources
- The use of campus standards for strong passwords is mandatory and exceptions are only allowed if the UCD IS Department authorizes exclusions due to unique and extraordinary circumstances.
- UCD IS password policy ensures that all resources accessing the UCD.edu domain use the password criteria. (See following section Password Criteria.)
- UCD IS retains the right to scan domain passwords to ensure compliance with this policy. UCD IS also retains the right to scan passwords in use on departmentally-owned servers, desktop systems, workstations, applications, and equipment attached to the campus communication network.
- Except for technical support, and as authorized by UCD IS, passwords must not be shared with others or written down and left in an obvious location.
- Service accounts, or accounts dedicated to a piece of equipment, may be exempt from the frequency of change criteria.
- All suspected policy violations, system intrusions, fraudulent requests for password changes, and other conditions which might jeopardize UCD IT resources should be immediately reported to the Director of Information Systems Security (phone 303-724-0440).
C. Non-compliance with Policies
1. UCD IS will identify non-compliant passwords through network monitoring or other means.
2. UCD IS will follow up with communications to owners of non-compliant passwords.
a. Direct telephone or e-mail contact with system owner
b. Contact with departmental IT staff
c. Escalation via departmental administrative channels
3. Remedies will take the form of one of the following options:
a. Change passwords and configure systems as needed; or
b. The IS Department will authorize a written exclusion from this policy; or
c. The account(s) will be removed from the campus network.
1. For help selecting an appropriate password, see UCD Password Criteria http://www.uchsc.edu/is/passwords/faq
2. Minimum password length 8 characters
3. Passwords must contain three of the following four:
a. lowercase alpha (a, b, c, etc)
b. uppercase alpha (A, B, C, etc)
c. number (0, 1, 2, 3, etc)
d. special character (!, @, #, $, etc)
4. Change passwords every 90 days
5. Accounts locked after 5 failed login attempts (call the Help Desk at 303-724-4357 for help)
6. Cannot re-use passwords used during the last twelve (12) password cycles