ITS Identification and Authentication Policy

ITS Authentication Policy
Author
Assistant Director of Information Security
Version
1.5
Updated
June 30, 2015
Status
Final
Date Effective
July 1, 2015
Confidentiality
Public
Owner
Information Security, ITS
Authorization
Asst. VP for ITS
Policy Statement
Access to University information and/or information resources must use identifiers and
authenticators that are unique to each individual and/or group. Authenticators used by users must
meet minimum complexity requirements, be distributed to users in a secure manner and be
known only to the intended user. All access granted through the use of identifiers and
authenticators must be revoked immediately upon separation from the University and/or the
revocation of the individual's need to access such information.
Reason for Policy
It is important that the University develop controls over the manner in which user identifiers and
authenticators are established, distributed and revoked. Such controls give the University
reasonable assurance that only the individual to whom an identifier was assigned has access to the
information and information resources the identifier allows. In addition, the establishment of
unique identifiers allows the University to trace suspicious and/or malicious activity to a
specific individual or account.
Entities Affected By This Policy
All personnel of the Eastern Illinois University community, including but not limited to faculty,
staff, students, and annuitants.
Contacts
Assistant Director of Information Security
217-581-1904
Definitions
Information resources - Information Resources are defined as any items, including
telecommunication equipment, computer systems, applications, network equipment, and
other equipment, goods, and services related to the processing, storage, transmission and
collection of University information.
Non-public Information – Non-public information is any information intended for internal
University use and not for release to the public. This information includes, but is not limited to,
memos, internal e-mails, reports, course work, etc. This information may be subject to open
records laws; however, the intent of the work is not public use.
Protected Information – Protected information is any information that is currently covered by
local, State or Federal regulation or contractual obligations such as PIPA, FERPA, HIPAA,
GLBA, and PCI DSS.
User identifier – A User Identifier is any unique object that is used to positively identify one
individual from another. User Identifiers can take the form of a user ID, a hardware token, etc.
User authenticator – A User Authenticator is an object (such as a password) that is used to
ensure that the user identifier (such as a username) is used by the appropriate individual to
which the identifier is assigned. User Authenticators can take the form of PINs, passwords, etc.
Group/service accounts – An account that is used to provide multiple users with the ability to
access a service.
Principle
User Identification and Authentication
- All information resources allowing access to internal, protected and/or non-public
information must have the ability to uniquely identify and authenticate users
- Any information resource allowing access to internal, protected and/or non-public
information must utilize unique identifiers for each individual accessing the resource that
meet, at minimum, the standards outlined below
- Any information resource utilizing unique identifiers to allow access to internal,
protected and/or non-public information must also utilize unique authenticators that
meet, at minimum, the standards outlined below
Device Identification and Authentication
- All information systems connecting to non-public sections of the University
network must be uniquely identified and authenticated for such access
- Identification and authentication of information resources may be handled
through:
o Media Access Control (MAC) address registration
o Network Access Control (NAC) technologies utilizing user authentication
Authenticator Management
- All authenticators used to grant access to information resources must meet the
following complexity requirements:
o Must not be a previous password
o Have between 8 and 15 characters
o Must start with a letter
o Have both upper and lower case characters
o Have at least 1 number
o Have at least 1 non-alphanumeric character, limited to:
 Minus sign (-)
 Underscore (_)
 Colon (:)
 Asterisk (*)
 Exclamation point (!)
 Dollar sign ($)
 Period (.)
 Comma (,)
- All authenticators must be distributed in a secure manner
o Authenticators may not be distributed via e-mail or other non-encrypted
electronic methods.
o Authenticators may be distributed via telephone provided the caller's
identity has been verified prior to distribution
o Authenticators may be distributed via campus mail provided the mailing is done
using an envelope sealed with glue (no tape or string allowed) and the mailing is
marked confidential
o Authenticators may be distributed via postal mail provided the mailing
address used is from an official University source such as Banner
o First-time authenticators are the only exception to the e-mail restriction and may be
distributed via e-mail.
- Authenticator change requests may only be approved if the identity of the individual
has been established via challenge-response mechanisms involving non-public
information
o Authenticator changes must be uniquely generated
o Authenticator changes must force a change upon next logon
- Initial authenticators must:
o Be uniquely generated
o Not knowingly contain, in whole or in part, information such as:
 Dates of birth
 Social Security numbers
 User identifiers
 User's name
- All authenticators for staff, faculty and general person accounts must be changed no less
than once every six (6) months
- All authenticators for annuitants, students, and group accounts must be changed no less
than once every year
- All authenticators for service and logon (labs and kiosks) accounts must be changed no
less than once every three years. Service accounts must meet the following complexity
requirements:
o Must not be a previous password
o Have between 14 and 15 characters
o Must start with a letter
o Have both upper and lower case characters
o Have at least 1 number
o Have at least 1 non-alphanumeric character, limited to:
 Minus sign (-)
 Underscore (_)
 Colon (:)
 Asterisk (*)
 Exclamation point (!)
 Dollar sign ($)
 Period (.)
 Comma (,)
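The complexity rules above are concrete enough to enforce in code. The following is an added worked example, not part of the University's policy or any ITS system: a validator that applies the user-account rules (8 to 15 characters) and the service-account rules (14 to 15 characters), restricts the non-alphanumeric characters to the listed set, and checks the "must not be a previous password" rule against salted PBKDF2 hashes of earlier authenticators rather than against stored plaintext. The profile names, the hash format, the iteration count and the sample values are assumptions made for the example.

```python
"""Authenticator complexity and history checks (added example, not policy text).

Implements the complexity rules stated in the ITS Authentication Policy for
user accounts (8-15 characters) and service accounts (14-15 characters).
Previous authenticators are compared as salted PBKDF2 hashes; the hash
format, iteration count and sample values below are assumptions.
"""
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

# The policy limits the allowed non-alphanumeric characters to exactly this set.
ALLOWED_SPECIAL = frozenset("-_:*!$.,")
ASCII_LETTERS = frozenset(string.ascii_letters)
ASCII_ALNUM = ASCII_LETTERS | frozenset(string.digits)

# Minimum and maximum length per account class, as stated in the policy.
# Profile names are an assumption for this example.
PROFILES = {
    "user": (8, 15),      # staff, faculty, students, annuitants, group accounts
    "service": (14, 15),  # service and logon (lab/kiosk) accounts
}

PBKDF2_ITERATIONS = 600_000  # assumption: the policy does not specify a hash or cost


def hash_authenticator(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) so a previous authenticator can be kept without its plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def is_previous(secret: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any (salt, digest) pair in the stored history."""
    for salt, digest in history:
        _, candidate = hash_authenticator(secret, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False


def complexity_errors(secret: str, profile: str = "user") -> List[str]:
    """Return the policy rules the candidate violates; an empty list means compliant."""
    lo, hi = PROFILES[profile]
    errors = []
    if not lo <= len(secret) <= hi:
        errors.append(f"length must be between {lo} and {hi} characters")
    if not secret or secret[0] not in ASCII_LETTERS:
        errors.append("must start with a letter")
    if not any(c in string.ascii_lowercase for c in secret) or \
            not any(c in string.ascii_uppercase for c in secret):
        errors.append("must contain both upper and lower case letters")
    if not any(c in string.digits for c in secret):
        errors.append("must contain at least one number")
    # Anything that is not an ASCII letter or digit counts as non-alphanumeric,
    # and every such character must be one of the eight the policy lists.
    specials = [c for c in secret if c not in ASCII_ALNUM]
    if not specials:
        errors.append("must contain at least one non-alphanumeric character")
    disallowed = sorted(set(specials) - ALLOWED_SPECIAL)
    if disallowed:
        errors.append("contains characters outside the allowed set: " + "".join(disallowed))
    return errors


def validate(secret: str, history: List[Tuple[bytes, bytes]], profile: str = "user") -> List[str]:
    """Full check: complexity rules plus the previous-password rule."""
    errors = complexity_errors(secret, profile)
    if is_previous(secret, history):
        errors.append("must not be a previous password")
    return errors


if __name__ == "__main__":
    # Constructed sample: one earlier authenticator kept only as a salted hash.
    history = [hash_authenticator("Eiu-2015pass")]
    for candidate, profile in [("Eiu-2015pass", "user"),   # reuse of a previous password
                               ("Eiu-2016pass", "user"),   # compliant
                               ("Eiu-2016pass", "service"),  # too short for a service account
                               ("Eiu#2016pass", "user")]:  # '#' is not in the allowed set
        print(profile, candidate, validate(candidate, history, profile) or "OK")
```

Note that the validator treats any character that is not an ASCII letter or digit as non-alphanumeric, so a non-ASCII letter is rejected as outside the allowed set rather than silently accepted; that is the stricter reading of the rule. The history list holds only salt/digest pairs, so enforcing "must not be a previous password" does not require retaining any old plaintext.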
Authenticator Security
- Authenticators may not be transmitted electronically over non-encrypted
mediums
- Authenticators may only be known to the individual to whom the authenticator belongs
- Authenticators may not be shared with anyone or displayed in prominent
locations
Related Documents
Family Educational Rights and Privacy Act (FERPA)