NID Password Change Frequency
PIC Submission dated 7/10/13
University Audit and Finance & Accounting Tax

Summary
• As UCF implements Shibboleth, the need for different logins and passwords will be reduced.
• The myUCF Federated Identity login system has allowed ARGIS, PARIS, AURORA, TERA, COI and interlibrary loan to be accessed via a single sign-on.
• UCF uses best practices for its password requirements.

Reason for Password Changes
• To reduce the risk that passwords may be discovered by unauthorized users who may gain access to the University’s critical information.
• The risk increases with the length of time between password changes.

Basis for the 60 Day Interval
• UCF Policy 4-008 Data Classification and Protection requires that “passwords on systems holding confidential data must be changed every 60 days or less”.
• CS&T University Standards 501-101 Password Standards recommends that systems “observe these requirements via technical controls (e.g. password expiration controls) so that all university affiliated account passwords follow this policy.”
• In a State Audit of CS&T completed in 2011, the Auditor General recommended the 60 day frequency for “general user accounts for critical or sensitive applications”.

Regulatory Requirements
• Federal regulations (HIPAA Security Rule / HITECH Act, Section 164.308(a)(5)(ii)(D)) require only that passwords be changed and do not stipulate an interval.
• Board of Governors Regulation 3.0075 Security of Data and Related Information Technology Resources, (3) states that “the university’s security plan should be based on best practices acquired from resources such as: Educause, National Institute of Standards (NIST), Information Systems Audit and Control Association (ISACA) or other recognized sources of information security practices and procedures.”

Industry Best Practices
• NIST Standards / FISMA Provision Section 15.1.6 suggests that passwords are changed at least every ninety days.
• ISO 17799:2005 Standards Section 11.3.1 Password Use also only suggests that passwords be changed at regular intervals, and that re-using or cycling old passwords be avoided.

Impact of Single Sign On
• The CS&T university-wide initiative toward a single login credential using Shibboleth Federated Identity software allows users to sign in to the portal and transfer to other applications without having to sign in again.
• The progression of this initiative will help to mitigate inefficiencies associated with more restrictive password change frequency requirements.

Summation
• The current password change frequency is set at a 60 day interval to comply with an Auditor General recommendation, reduce the risk of unauthorized users, and follow best practice.

Action Plan
• To address community concerns, CS&T could clarify the purpose for password changes and the associated risk in university standards documentation.