RCIT-17 User Credentials

Policy Title: IT Reeves County User Credentials and Password Management Policy
Policy Number: RCIT-17
Effective Date: 09/01/2022
Purpose: Credentials and Password Management
Regulation Reference:
Rev: 1.202204
IT Reeves County User Credentials and Password Management Policy
Policy Statement:
This policy establishes management guidelines for user credentials and password management within the IT Reeves County. It applies to all users of IT resources, regardless of whether they are classified as end users or system administrators.
Guidelines:
A. Responsibilities:
- Users must be identified and authenticated before accessing any information or IT resources.
- Users are responsible for secure maintenance of assigned credentials and compliance with relevant policies.
- Managers ensure users are aware of their responsibilities, and identification/authentication procedures are reviewed annually.
B. Password Management:
- Unique user identifiers and unique passwords are managed for authorized devices and users.
- Passwords are created, changed, and safeguarded through management procedures.
- Users must not share passwords, and administrators use dedicated accounts for elevated activities.
C. Multi-Factor Authentication:
- Multi-factor authentication is required for network access, taking risk assessment and resource prioritization into account.
- At least one authentication factor must be provided by a separate device.
D. Password Standards:
Passwords must:
- Be at least 16 characters long.
- Include upper/lowercase alphabetic characters, numerical characters, and special characters.
- Expire every 90 days for regular users and every 45 days for system administrators.
- Not match any of the user's previous 24 passwords.
E. Strong Password Maintenance:
- Users should not share passwords; instead, delegation of permissions is encouraged.
- Change passwords whenever compromise is suspected.
- Consider using passphrases and avoid writing down or storing passwords insecurely.
F. Management Guidelines for Provisioning and Support of User Accounts:
- Enforce strong passwords and require change of initial passwords.
- Verify user identity before resetting passwords.
- Never ask for a user's password.
- Implement automated notification of password changes.
G. Guidelines for Design and Implementation of Systems and Applications:
- Change default account passwords and implement strict controls for system-level and shared service account passwords.
- Do not use the same password for multiple administrator accounts.
- Do not allow passwords to be transmitted in plain text.
- Do not store passwords in easily reversible form.
- Implement automated notification of a password change or reset.
H. Account Management Requirements:
- Unique User IDs assigned after approval.
- Generic User IDs and System Administrator IDs have restricted privileges.
- Temporary IDs permitted with appropriate approval.
I. Additional Controls:
- Implementation of multi-factor authentication and encrypted channels for administrative account access.
- Identification and disablement of accounts not associated with a business process.
- Automatic disablement of dormant accounts after a set period of inactivity.
J. Policy Administration and Enforcement:
- Administered by the IT Reeves County IT Department.
- Exception requests are submitted through the RCIT Help Desk on the institution's network.
- Violations may result in disciplinary actions, access restrictions, termination, and legal consequences.
- Employment terms align with collective bargaining agreements between the IT Reeves County and unions.