Authentication
Authentication
Unique credentials will be used for accessing all campus information systems.
Exceptions allowing the use of shared credentials must be approved by the requesting
departments' manager and by all affected data owners. The manager and all affected
data owners must be informed of the associated risks. The department administering
the system being accessed with shared credentials must track all shared credentials
in use, must require shared credentials to be reauthorized at least annually, and
must deactivate any shared credentials that are not reauthorized.
When passwords are issued they must be one-time Passwords/Keys. One-time passwords
(e.g., passwords assigned during account creation, password resets, or as a second
factor for authentication) must be set to a unique value per user and changed immediately
at first use.
Password Standards
Passwords must meet the following requirements:
- Minimum length of 12 characters
- Not include the user name
- A combination of letters, numbers and special characters, containing at least three
of the following character types:
- Lowercase alphabetic character (a-z)
- Uppercase alphabetic character (A-Z)
- Special character (punctuation, spaces, *, %, $, etc.)
- Number (0-9)
- Accounts will be locked after 5 unsuccessful login attempts
Information Security Resource Links
"The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) leads efforts to improve the Nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation while protecting the constitutional rights of Americans. US-CERT strives to be a trusted global leader in cybersecurity鈥攃ollaborative, agile, and responsive in a dynamic and complex environment." -US-CERT.GOV
"The ISC was created in 2001 following the successful detection, analysis, and widespread warning of the Li0n worm. Today, the ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers." -ISC.SANS.EDU
"The California Information Security Office is the primary state government authority in ensuring the confidentiality, integrity, and availability of state systems and applications, and ensuring the protection of state information." -CIO.CA.GOV/OIS