Information Technology Standard 02.11.0

Credential Management


Date of Current Revision or Creation: December 1, 2020


The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to define the Credential Management requirements used by Old Dominion University.

Definitions

ITS is the acronym for the official name of Information Technology Services.

Passwords are a secret used to gain access to an account.

Access Tokens serve as an authentication "cookie" that can be shared between browsers, clients, or connections so that each interaction does not require reauthentication.

Standards Statement

Credential use is required on all accounts on systems classified as sensitive, including local, remote access and temporary accounts.

Passwords

Password length and complexity requirements are based on sensitivity and risk. (See MIDAS Standard):

  • User accounts must follow "ITS Guideline for User Account Password Complexity" to the extent possible based on technical and operational constraints.
  • System and service accounts must follow "ITS Guideline for System and Service Account Password Complexity" to the extent possible based on technical and operational constraints.

Transmission of identification and authentication data (e.g., passwords) without the use of industry accepted encryption standards is prohibited.

IT system users are required to maintain exclusive control and use of their passwords.

For non-MIDAS controlled systems, users must be allowed to change their passwords.

Users determined to have access to sensitive data are required to change their passwords after a pre-determined period (ex., 90 days) as defined by the System Owner, based on sensitivity and risk.

IT system users are required to immediately change their passwords and notify the Information Security Officer (ISO) if they suspect their passwords have been compromised.

Password history files are to be maintained to prevent the reuse of the same passwords, commensurate with sensitivity and risk.

For non-MIDAS controlled systems, unique (non-MIDAS) passwords must be created per system.

Forgotten initial passwords are to be replaced rather than reissued.

Group account IDs and shared passwords on sensitive IT systems are discouraged. Group account IDs or shared passwords required for optimal administration of systems should be noted in the system risk assessment and accepted by the System Owner.

Inclusion of passwords as plain text is discouraged. Passwords required for system usage should be encrypted where possible. Exceptions should be noted in the system risk assessment as an identified risk with accepted compensating controls.

Access to files containing passwords is to be limited to the IT system and its administrators.

Hardware password requirements are to be based on sensitivity and risk.

Hardware passwords are to be documented and stored securely.

Procedures shall be implemented to handle lost or compromised passwords and/or tokens.

Access Tokens

Access tokens should be generated using industry standard mechanisms.

Access token expiration should be configured based on sensitivity and risk but should not be configured to never expire.

Access tokens should be limited in scope to required authorized resources.

Access tokens should only be shared among services with similar purpose within the same system and, if possible, should be unique per instance of the application.

Procedures, Guidelines & Other Related Information

History

Date

Responsible Party

Action

October 2008

ITAC/CIO

Created

October 2010

ITAC/CIO

Reaffirmed

October 2011

ITAC/CIO

Reaffirmed

February 2014 IT Policy Office Minor rewording for clarity
May 2014 IT Policy Office Added references to Password Guidelines

September 2014

IT Policy Office Updated to reflect recommendations from APA
December 2017 IT Policy Office Minor rewording for clarity
December 2020 IT Policy Office Rewording for clarity to reflect current naming and practices and to add Access Tokens to the standard