NID Password Change Frequency

PIC Submission dated 7/10/13
University Audit and Finance & Accounting Tax
• As UCF implements Shibboleth, the need for
different log-ins and passwords will be
• The myUCF Federated Identity login system
has allowed for ARGIS, PARIS, AURORA, TERA,
COI and interlibrary loan to be accessed via a
single sign-in.
• UCF uses best-practices for its password
Reason for Password Changes
• to reduce the risk that passwords may be
discovered by unauthorized users who may
gain access to the University’s critical
• The risk increases with the length of time
between password changes
Basis for the 60 Day Interval
• UCF Policy 4-008 Data Classification and
Protection requires “passwords on systems
holding confidential data must be changed every
60 days or less”
• CS&T University Standards 501-101 Password
Standards recommends that systems “observe
these requirements via technical controls (e.g.
password expiration controls) so that all
university affiliated account passwords follow this
Basis for the 60 Day Interval
• In a State Audit of CS&T completed in 2011,
the Auditor General recommended the 60
day frequency for “general user accounts for
critical or sensitive applications”.
Regulatory Requirements
• Federal regulations (HIPAA Security Rule / HITECH Act,
Section 164.308(a)(5)(ii)(D)) require only that
passwords be changed and do not stipulate an interval.
• Board of Governors Regulation 3.0075 Security of Data
and Related Information Technology Resources, (3)
states that the university’s security plan should be “based
on best practices acquired from resources such as:
Educause, National Institute of Standards (NIST),
Information Systems Audit and Control Association
(ISACA) or other recognized sources of information
security practices and procedures.”
Industry Best Practices
• NIST Standards / FISMA Provision Section
15.1.6 suggests that passwords be changed at
least every ninety days.
• ISO 17799:2005 Standards Section 11.3.1,
Password Use, also only suggests that
passwords be changed at regular intervals
and that re-using or cycling old passwords be avoided.
Impact of Single Sign On
• The CS&T university wide initiative toward a
single login credential using Shibboleth Federated
Identity software allows users to sign in to the
portal and transfer to other applications without
having to sign in again.
• The progression of this initiative will help to
mitigate inefficiencies associated with more
restrictive password change frequency
• The current password change frequency is set
at a 60 day interval to comply with an Auditor
General recommendation, reduce risk of
unauthorized users, and follow best practice.
Action Plan
• To address community concerns, CS&T could
clarify the purpose of password changes and the
associated risk in university standards