IT0132-C – UTC Standard: Identification and Authentication

Objective:

To align University of Tennessee at Chattanooga (UTC) standards of practice with University of Tennessee System-wide policy for developing, maintaining and documenting an Identification & Authentication program.

Scope:

This program applies to, but is not limited to, employees, contractors, agents, and representatives accessing, using, or handling UTC information technology resources.

Principles:

This document is a UTC-specific Standard based on University System-wide policy. Each User of UTC resources is required to be familiar with and comply with University policies, and acceptance is assumed if the User accesses, uses, or handles UTC information technology resources.

The Chief Information Officer (CIO) is the Position of Authority (POA) for Information Technology at UTC and responsible for IT security at the University of Tennessee Chattanooga.

Responsibilities:

  1. The CIO has overall responsibility for the Identification & Authentication (IA) program at UTC and ensures:
    1. The program is developed, documented, and disseminated to appropriate UTC entities in accordance with University policy.
    2. The program is reviewed and updated annually.
  2. The Chief Information Security Officer (CISO) is responsible for overseeing the Identification & Authentication program and consulting with system owners to ensure effective procedures are implemented.
  3. System owners/administrators are responsible for adhering to this Standard for their respective system(s).

Standard:

  1. All business systems supporting mission-essential functions are included in UTC’s Identification & Authentication program.
  2. System owners and administrators must develop, document and maintain Identification and Authentication processes and procedures that address:
    1. Unique User IDs (e.g. via UTC NetID abc123) and passwords.
    2. Use of strong passwords.
    3. Reporting lost or compromised user accounts or passwords.
    4. Revoking passwords when they are lost or compromised.
    5. Defining a period of inactivity, after which a User ID is disabled.
    6. Establishing management guidance for shared information system accounts (e.g. service, guest, and anonymous accounts).
    7. Changing default authenticators upon information system installation.
    8. Changing/refreshing passwords periodically as appropriate.
    9. Critical information systems must mask passwords during the authentication process to protect the information from possible unauthorized use.
  3. Password Enforcement (effective July 1, 2017)
    1. Passwords will expire and must be reset (once every 180 days for regular employees; every 60 days for IRIS users).
    2. Upon expiration, accounts will be locked until the password is reset.
    3. Go to https://ds.utk.edu/passwords to change your password.
    4. Password history will be enforced. Choose a new password every time it is reset.
    5. Passwords must meet the following minimum complexity requirements:
      1. Be a minimum of 8 and no more than 16 characters in length
      2. Contain some combination of at least three of the following four character classes:
        1. Uppercase letters
        2. Lowercase letters
        3. Numbers
        4. Punctuation and symbols (accepted: `~!@#$^&*()_-={}|[]:;'<>?,)
      3. May not contain a significant portion of your username or display name.
      4. May not reuse last 10 passwords.
    6. Password tips:
      1. At UTC we highly recommend using a “passphrase” variant that you can easily remember. For example, “I’m graduating!” could become your passphrase “I’mgr@du@ting!”
      2. Use a different password for your NetID from your personal online accounts, such as Twitter, Instagram, and Facebook.
      3. Do not use your UT NetID or UT email address as the username for your personal accounts.
      4. Do not write your password down.
      5. Never use the names of your family, pets or favorite sports teams as your password.
      6. Never use dictionary words in any language as your password unless you are using a passphrase.
      7. Consider using a password vault such as LastPass or KeePass.
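The complexity and history rules above can be checked mechanically before a password is accepted. The following is an added example of such a policy-as-code check, written for this page; it is not UTC's own tooling. It treats the listed symbol set as exhaustive (any other character is rejected), interprets "a significant portion of your username or display name" as any case-insensitive run of three or more consecutive characters of the username, or any whole display-name word of three or more characters (the Standard does not define the term, so this threshold is an assumption), and keeps the last-10 history as salted PBKDF2 hashes rather than plaintext, which is an implementation choice the Standard does not dictate. The NetID `abc123` and display name used in the usage lines are constructed sample input.

```python
"""Policy-as-code check for the password complexity rules in IT0132-C.

Added example, not UTC's own code. Interpretations the Standard leaves open
are marked "Assumption" in the comments.
"""
import hashlib
import hmac
import os
import string

MIN_LEN, MAX_LEN = 8, 16          # "minimum of 8 and no more than 16 characters"
REQUIRED_CLASSES = 3              # "at least three of the following"
HISTORY_DEPTH = 10                # "May not reuse last 10 passwords"
# The punctuation/symbol set the Standard lists as accepted.
ACCEPTED_SYMBOLS = set("`~!@#$^&*()_-={}|[]:;'<>?,")
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": ACCEPTED_SYMBOLS,
}
# Assumption: "significant portion" = a run of this many consecutive username
# characters, or a whole display-name word of at least this length.
NAME_FRAGMENT_LEN = 3


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so history can be kept without plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hash_for_history(password: str) -> tuple[bytes, bytes]:
    """Produce the (salt, digest) record to append to a user's history."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def name_fragments(username: str, display_name: str) -> set[str]:
    """Lower-cased fragments that a password may not contain."""
    frags = set()
    u = username.lower()
    for i in range(len(u) - NAME_FRAGMENT_LEN + 1):
        frags.add(u[i:i + NAME_FRAGMENT_LEN])
    for word in display_name.lower().replace(",", " ").split():
        if len(word) >= NAME_FRAGMENT_LEN:
            frags.add(word)
    return frags


def check_password(password, username, display_name, history=()):
    """Return the list of violated rules; an empty list means the password passes.

    history is an iterable of (salt, digest) records, oldest first.
    """
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    # Assumption: characters outside the four listed classes are not accepted.
    allowed = set().union(*CLASSES.values())
    if any(ch not in allowed for ch in password):
        problems.append("contains a character outside the accepted set")
    present = sum(1 for chars in CLASSES.values() if any(ch in chars for ch in password))
    if present < REQUIRED_CLASSES:
        problems.append(f"needs at least {REQUIRED_CLASSES} of 4 character classes (has {present})")
    lowered = password.lower()
    if any(frag in lowered for frag in name_fragments(username, display_name)):
        problems.append("contains a significant portion of the username or display name")
    # Only the most recent HISTORY_DEPTH records count; compare in constant time.
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_hash(password, salt), digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample input: NetID abc123, display name "Chattanooga Mocs".
    print(check_password("I'mgr@du@ting!", "abc123", "Chattanooga Mocs"))   # []
    print(check_password("Abc123!x", "abc123", "Chattanooga Mocs"))         # username fragment
    print(check_password("password", "abc123", "Chattanooga Mocs"))         # one character class
```

The page's own passphrase example, "I'mgr@du@ting!", passes every rule (14 characters; upper, lower and symbol classes; the apostrophe and `@` are in the accepted set). Note that a fixed 8-16 character window and a fixed symbol list are what the Standard specifies; if the enforcing system (e.g. the directory behind https://ds.utk.edu/passwords) accepts a different set, the system's rules govern and this check should be adjusted to match.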

References:

IT0132 – Identification and Authentication


Version: 1 // Effective: 08/10/2018