
Information Technology Handbook

5.8 Password Security

Version date: February 22, 2013

5.8.1 User Access Controls

USG institutions, the USO, and the GPLS must establish policies and procedures that ensure necessary user access controls are in place for controlling the actions, functions, applications, and operations of legitimate users. The aim is to protect the confidentiality, integrity, and availability of all USG information resources.

The guiding principles in developing these standards and procedures are:

  1. Users will have access to the resources needed to accomplish their duties.
  2. User access applies the principles of least privilege and resource categorization as necessary tools to achieve the desired purpose.
  3. User access controls will balance security and USG mission needs.

All users, whether internal, external, or temporary, and their activity on all IT systems should be uniquely identifiable. User identification should be enabled through appropriate authentication mechanisms. User access rights to all systems and data must be in line with defined and documented business needs, and job requirements must be attached to user identification. User access rights should be requested by user management, approved by system owners, and implemented by the appropriate local security administrator. User identification and access rights should be maintained in a central repository. Each USG participant organization should deploy cost-effective technical and procedural measures to establish user identification, implement authentication, and enforce access rights. These measures should be reviewed periodically and kept current.



5.8.2 USG Password Authentication Standard

5.8.2.1 Purpose

Passwords are an important aspect of information and information technology security. They are often the only means for authenticating users and the front line of protection for user accounts. Failure to use a strong password or using a poorly chosen password when accessing USG information assets may result in the compromise of those assets. It is the responsibility of every USG participant organization to implement authentication mechanisms such as passwords to access sensitive data, and the responsibility of the user to appropriately select and protect their passwords.

5.8.2.2 Scope

This security standard applies to all USG institutions, the USO, and the GPLS. It also applies to all users (employees, contractors, vendors, and other parties) of USG and state information technology systems or data, who are expected to understand and abide by the standard.

5.8.2.3 Standard

Passwords shall be the minimum acceptable mechanism for authenticating users and controlling access to the USG and its participant organizations’ information systems, services and applications unless specifically designated as a public access resource.

All users (students, employees, contractors, and vendors) with access to USG information and information systems shall take the appropriate steps to select and secure their passwords.

5.8.2.4 Enforcement

Individual USG participant organizations are responsible for developing internal procedures to facilitate compliance with these USG security policies and standards. The standards are designed to comply with applicable laws and regulations; however, if there is a conflict, applicable laws and regulations will take precedence.

USG participant organizations may establish more stringent policies, standards and procedures consistent with this USG standard.

Violations of this standard could result in serious security incidents involving sensitive state, federal, or privacy data. Violators may be subject to disciplinary actions including termination and/or criminal prosecution.

The standards will guide periodic security reviews, as well as audits by USG Internal Audit & Compliance and the state Department of Audits and Accounts (DOAA).

5.8.2.5 Authority

5.8.2.6 Exceptions

Exceptions to a standard must be approved by the USG CISO. In each case, the participating organization or vendor must include such items as the need for the exception, the scope and extent of the exception, the safeguards to be implemented to mitigate risks, specific timeframe for the exception, organization requesting the exception, and the management approval.

Denials of requests for exceptions may be appealed to the USG CIO and CISO.

5.8.2.7 Terms and Definitions

Authentication is the process of attempting to verify the digital identity of a system user or process.

5.8.2.8 Related Enterprise Policies, Standards, Guidelines



5.8.3 USG Password Security and Composition Standard

5.8.3.1 Purpose

This section establishes a standard for protecting passwords and the frequency of change for such passwords to mitigate compromise of sensitive information.

5.8.3.2 Scope

This security standard applies to all USG institutions, the USO, and the GPLS. This standard also applies to all USG users, including employees, contractors, vendors, and other parties.

5.8.3.3 Standard

  1. All passwords shall be treated as sensitive, confidential information and shall not be shared with anyone including, but not limited to, administrative assistants, system administrators and helpdesk personnel.
  2. Passwords shall not be stored in clear text.
  3. Users shall not write passwords down or store them anywhere in their office or publicly. They shall not store passwords in a file on any computer system, including smart devices, without encryption.
  4. All system-level administrative passwords shall be changed every ninety (90) days. All user-level passwords shall be changed every one hundred and eighty (180) days.
  5. User accounts that have system-level privileges granted through group memberships or programs shall have a unique password from other accounts held by that user.
  6. Passwords shall not be inserted into email messages or other forms of electronic communication unless encrypted.
  7. If an account or password is suspected of being compromised, the incident must be reported to the appropriate authorities in accordance with local incident response procedures.
  8. Temporary or “first use” passwords (e.g., new accounts or guests) must be changed the first time the authorized user accesses the system, and have a limited life of inactivity before being disabled.
  9. Access to all USG information systems and applications used to process, store, or transfer data with a security categorization of MODERATE or higher shall require the use of strong passwords or other strong authentication mechanisms. Strong passwords shall be constructed with the following characteristics:
    • Be at least ten characters in length
    • Must contain characters from at least two of the following four types of characters:
      • English upper case (A-Z)
      • English lower case (a-z)
      • Numbers (0-9)
      • Non-alphanumeric special characters ($, !, %, ^, …)
    • Must not contain the user’s name or part of the user’s name
    • Must not contain easily accessible or guessable personal information about the user or user’s family, such as birthdays, children’s names, addresses, etc.
    • Note 1: A six-character password is acceptable if “account lockout” is enabled and set to lock or disable the account after five unsuccessful or failed login attempts. Six-character passwords must adhere to all of the characteristics noted above.
    • Note 2: Participant organizations may mix different characteristics regarding length and mandatory characters to obtain the same password strength. For example, a password of 11 characters containing two upper case letters, two lower case letters, two numbers, and no special characters would be permissible.
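The following is an added worked example, not part of the Handbook and not USG-provided code, showing how a participant organization might implement rule 9 (including the Note 1 lockout relaxation) as a composition check and rule 2 as salted, iterated hashing before storage. The interpretation of "part of the user's name" (any name token of three or more characters, plus the whole name run together), the separator-stripping comparison used for personal information such as dates, the PBKDF2 work factor, and every sample user and password are assumptions made for illustration, not requirements stated in the standard.

```python
import hashlib
import hmac
import os
import re
import string

# Character classes named in rule 9. Anything printable that is not a letter or
# digit counts as "non-alphanumeric special".
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)

# Assumption: a PBKDF2-HMAC-SHA256 work factor in the range current public
# guidance recommends; tune to your hardware and re-hash on login as it grows.
PBKDF2_ITERATIONS = 600_000


def _normalize(s):
    """Lower-case and strip separators so '1990-04-12' and '19900412' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _name_parts(name, min_len=3):
    """Assumption: 'part of the user's name' means any token of at least min_len
    characters (split on whitespace, dots, underscores, hyphens) plus the whole
    name with separators removed."""
    tokens = {t for t in re.split(r"[\s._\-]+", name.lower()) if len(t) >= min_len}
    whole = _normalize(name)
    if len(whole) >= min_len:
        tokens.add(whole)
    return tokens


def check_password(password, username, full_name="", personal_info=(), lockout_threshold=None):
    """Return a list of rule-9 violations; an empty list means the password is acceptable.

    lockout_threshold is the number of failed logins before the account locks, or
    None if no lockout is configured. Per Note 1, the minimum length drops from ten
    to six only when lockout is enabled at five or fewer failures.
    """
    violations = []
    min_len = 6 if (lockout_threshold is not None and lockout_threshold <= 5) else 10
    if len(password) < min_len:
        violations.append(f"shorter than {min_len} characters")

    chars = set(password)
    classes = sum([
        bool(chars & UPPER),
        bool(chars & LOWER),
        bool(chars & DIGITS),
        any(c not in UPPER and c not in LOWER and c not in DIGITS for c in password),
    ])
    if classes < 2:
        violations.append("uses fewer than two of the four character classes")

    norm_pw = _normalize(password)
    for part in sorted(_name_parts(username) | _name_parts(full_name)):
        if part in norm_pw:
            violations.append(f"contains part of the user's name ({part!r})")
            break

    for item in personal_info:
        n = _normalize(item)
        if len(n) >= 3 and n in norm_pw:
            violations.append(f"contains personal information ({item!r})")
            break
    return violations


def hash_for_storage(password, iterations=PBKDF2_ITERATIONS):
    """Rule 2: store a salted PBKDF2-HMAC-SHA256 digest, never the clear-text password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_stored(password, stored):
    """Recompute the digest with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample user and candidate passwords, not real data.
    user, name, info = "jdoe", "Jane Doe", ["1990-04-12", "Rover"]
    for pw in ["Welcome1", "jdoe2024!!", "Rover19900412!", "purple-Tractor-42", "Ab3$x9"]:
        print(f"{pw!r}: {check_password(pw, user, name, info) or 'OK'}")
    print("Ab3$x9 with 5-strike lockout:",
          check_password("Ab3$x9", user, name, info, lockout_threshold=5) or "OK")
    stored = hash_for_storage("purple-Tractor-42")
    print("stored record:", stored)
    print("verify correct:", verify_stored("purple-Tractor-42", stored))
    print("verify wrong:  ", verify_stored("purple-Tractor-43", stored))
```

The composition check reports every failed characteristic rather than stopping at the first, which is what a self-service password change form needs to show the user. The name and personal-information checks are deliberately simple substring tests after separator stripping; they will not catch reversed or leet-spelled variants, so an organization that wants that coverage should add it or run candidates against a breached-password list as well.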

5.8.3.4 Enforcement

Individual USG participant organizations are responsible for developing internal procedures to facilitate compliance with these USG security policies and standards. The standards are designed to comply with applicable laws and regulations; however, if there is a conflict, applicable laws and regulations will take precedence.

USG participant organizations may establish more stringent policies, standards and procedures consistent with this USG standard.

Violations of this standard could result in serious security incidents involving sensitive state, federal, or privacy data. Violators may be subject to disciplinary actions including termination and/or criminal prosecution.

The standards will guide periodic security reviews, as well as audits by USG Internal Audit & Compliance and the state Department of Audits and Accounts (DOAA).

5.8.3.5 Authority

5.8.3.6 Exceptions

Exceptions to a standard must be approved by the USG CISO. In each case, the participating organization or vendor must include such items as the need for the exception, the scope and extent of the exception, the safeguards to be implemented to mitigate risks, specific timeframe for the exception, organization requesting the exception, and the management approval.

Denials of requests for exceptions may be appealed to the USG CIO and CISO.

5.8.3.7 Terms and Definitions

Authentication is the process of attempting to verify the digital identity of a system user or process.

5.8.3.8 Related Enterprise Policies, Standards, Guidelines
