Usernames and Passwords
Number: ENT-SEC-063
Established for: State of Montana Information Technology Enterprise
Janet Kelly, Director
Department of Administration
Jeff Brandt, Acting CIO
Department of Administration
Date: June 2005
Policy - Requirements
SCOPE
This policy must be followed for any systems requiring a password. It is the user’s responsibility to follow the requirements of this policy for any password.
PURPOSE
This policy outlines the procedures for the use of usernames and passwords to control unauthorized use of the network and to prevent the intentional or unintentional modification, destruction, disclosure, or misuse of data and information resources for which the State of Montana is responsible.
All agencies are responsible for authorizing access to their information resources by designating certain persons as users and authorizing such persons to access these resources in the manner necessary for performing their duties.
KEY DEFINITIONS
For the purposes of this policy, the following definitions apply:
User: An individual with access to a computer system or network.
Login: The process of authenticating a user into a computer system or network. Typically this consists of a two-part process in which the user supplies a username and a password.
Username: A set of characters used as a unique identifier for an individual when authenticating to a computer system or network.
Password: A set of characters used to establish an individual’s authenticated access to a computer system or network. The password is a correlated piece of information that is used with the username to ensure that the username being entered is being entered by the correct individual.
External User: The term external user refers to those users needing access to public state eGovernment services for non-state-employee purposes. This could be for personal or business-related activities not associated with a state job function.
Internal User: The term internal user describes a state employee, contractor, or other user doing business for the state who needs access to state systems to perform his or her job functions.
External User - Usernames
- A user must be identified to the network with a unique username. Each username must have a minimum of 6 characters and must have a password associated with it.
- A username is to be deactivated when the individual user no longer needs access to a computer system.
- Usernames for external users will be deactivated if unused for 28 months.
- Usernames must not be shared.
Internal User - Usernames
- A user must be identified to the network with a unique username assigned by the Department of Administration. Exceptions must be approved by the agency security officer and documented. All usernames that are not restricted must have a password associated with them.
- A username is to be deactivated when the individual user no longer needs access to a computer system or terminates employment with the agency. The agency security officer for the computer system or network must be notified by agency management to deactivate the username.
- Usernames will be deactivated if unused for more than 90 days.
- Usernames must not be shared.
External User - Passwords
- Passwords will be at least six characters long and contain at least one numeric and one alphabetic character.
- Passwords will be changed every six months or at the next login time if previous login time is greater than six months.
- A password “hint” may be provided to users in the event that they lose or forget their current password.
- The user password hint cannot be the same as the password or contained therein.
- Passwords will not be reused for at least six cycles.
- Passwords must not be written down where they can be found by unauthorized persons and must not be shared with other individuals.
Internal User - Passwords
- Passwords will be at least six characters long and contain at least one numeric and one alphabetic character.
- Initial passwords assigned to new usernames must be changed by the user at their initial login.
- Passwords will be changed at least every 60 days.
- Passwords will not be reused for at least six cycles.
- Passwords must not be written down where they can be found by unauthorized personnel and must not be shared with other individuals.
- When the computer system or network allows, users with administrative, root, supervisor, super user, etc. access must have passwords that are more complex. They should have a minimum of 8 characters using a combination of uppercase and lowercase letters, and numbers. Characters must not be repeated consecutively within the password (like AAAAAAA1); the password should be something more like Qn01Ppa3.
- The warning level to users for forced password changes must be seven days or greater for systems with this capability.
- The password cannot be the same as the username including the initial password.
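The username and password rules above, as an added validator (example code, not part of the policy). Numeric limits are taken from the policy; two assumptions are made: the reuse history is stored as SHA-256 digests rather than in clear, and "consecutive characters" (the AAAAAAA1 example) means a run of identical adjacent characters.

```python
import hashlib
import re

# Added example (not part of the policy): a validator for the rules above.
# Assumptions: history holds SHA-256 digests, not clear-text passwords, and
# "consecutive" characters (AAAAAAA1) means identical adjacent characters.
MIN_LEN = 6          # external and internal users
ADMIN_MIN_LEN = 8    # administrative, root, supervisor, super user accounts
REUSE_CYCLES = 6     # a password may not recur within six changes


def digest(password: str) -> str:
    """Digest used for the reuse history (an assumption of this example)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, username, *, admin=False, external=False,
                   hint=None, history=()):
    """Return the list of policy violations; an empty list means compliant.

    history: digests of previous passwords, most recent first.
    """
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alphabetic character")
    if not external and password.lower() == username.lower():
        problems.append("password equals username")   # internal-user rule
    if external and hint and hint.lower() in password.lower():
        problems.append("hint equals or is contained in the password")
    if admin:   # stricter rules for privileged internal accounts
        if len(password) < ADMIN_MIN_LEN:
            problems.append(f"admin password shorter than {ADMIN_MIN_LEN} characters")
        if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
            problems.append("admin password needs upper- and lowercase letters")
        if re.search(r"(.)\1", password):
            problems.append("admin password repeats a character consecutively")
    if digest(password) in tuple(history)[:REUSE_CYCLES]:
        problems.append(f"reused within the last {REUSE_CYCLES} cycles")
    return problems


def record_change(history, password):
    """Return the history after a successful change, keeping only six cycles."""
    return (digest(password),) + tuple(history)[:REUSE_CYCLES - 1]
```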
Internal User - Access Rights
- If a user changes work positions in an agency, their access rights must be reviewed and changed to match the new job position.
- Agencies may restrict or extend computing privileges and access to their information resources (except in cases of specific federal or state statute).
- Access to network resources (programs, data, printers, etc.) is determined by the business process owner and/or authorized personnel and the rights or privilege are then assigned for each username.
- Agencies may allow individuals, other than state employees and contractors, access to information for which the agencies are responsible, so long as such access does not violate any license or contractual agreement, state policy, or any federal, state, county or local law or ordinance.
IMPLEMENTATION TIMEFRAME
The modifications to this policy in June 2005 have implementation considerations. In addition to technical staff time, end user education will be necessary. Immediate compliance will be impossible for many agencies. The expectation is that agencies will start making implementation plans immediately, and compliance will be required by July 1, 2006.
Background - History on the creation of or changes to this policy
This policy was originally called “UserID, Password & Access”, policy number S-GEN40, effective on January 17, 1997. It was modified in September 2000 to include requirements for SABHRS at the request of the Legislative Audit Division. Based on recommendations from the Information Security Service Delivery Team, this policy was modified in October 2002 to include more specific requirements for passwords used by administrative UserIDs.
Recommendations for modifications of this policy were made by the enterprise Security Committee in January 2005 to meet Federal requirements, as well as to meet the needs for external usernames and passwords.
The January 2005 modifications were discussed at two ITMC meetings and at a separate ITSD sponsored meeting on May 10, 2005.
Guidelines - Recommendations, not requirements
It is recommended that every time a user is prompted to change their network password, that they change all of their application passwords, and other passwords at the same time.
Passwords should not be obvious or easily guessed (users’ name, address, birth date, child’s name, spouse’s name, etc.).
It is recommended that agency personnel procedures specifically identify that an employee’s IT authorizations be reviewed upon termination or change in job function.
User rights should be periodically reviewed.
References - Laws, rules, standard operating procedures and applicable policies