Goal

 
To provide a reasonable and acceptable, university-wide level of password security for the users of computer and networking systems, to use reasonable effort to protect data from accidental or deliberate tampering or removal, and to prevent access and use of computer systems and files by unauthorized persons or entities.
 
This policy covers the use, management, and administration of computer user accounts for identification and authentication and for regulating access to computer and networking systems. For the purposes of this document, "Login Name" refers to the account name assigned to the computer user by the University. Accounts are granted to enrolled students (current and future terms), faculty, staff and retirees. Any exceptions are handled separately, documented and tracked as necessary.
 
 

Rationale

 
The implementation of the Luminis (OneTech) Portal, the Banner system, and the capability for single sign on access to most university systems (i.e., finance, student, human resources, etc.) has significantly increased the level of potential harm to data, systems, and individuals that can be inflicted by unauthorized access.
 

User Responsibilities


The account owner is responsible for all actions and functions performed under his/her account. Unauthorized access to university accounts is prohibited. To preserve the security of university computer accounts, users are expected to act responsibly as follows:
  • Users should never share their computer accounts (Tech login credentials username and/or password).
  • Users should not disclose their passwords to others.
  • Users should log off or lock and secure workstations when not in use.
  • Users should secure their workspace area when not in the office.
  • Users will be required to change passwords every 90 days as required by the state of Arkansas.
  • A previously used password will not be accepted until after SIX additional passwords have been used.  In other words, a previous password can be reused after the 7th password change.
  • Passwords should not be set to anything that is associated with the user (name, pet, birthdate, etc.).
  • Passwords must contain at least eight characters using a combination of letters and numbers. See Password Management below.
  • Passwords should not be displayed or posted.
  • Suspicious systems activity should be reported to the Campus Support Center or to the user's supervisor immediately.
  • Users should not embed or hard-code passwords into any system.

System Administration

  • Each user will be identified with a unique Login Name.
  • A timed logout feature will be enabled for extended session inactivity periods, to be not longer than 2 hours for faculty and staff and not longer than 1 hour for students.

Account Maintenance

  • Accounts with no activity for a period greater than 18 months will be revoked and/or deleted.
  • Accounts will be promptly disabled when a user is no longer authorized account access.
  • The number of unsuccessful logon attempts will be limited to 3 WITHIN one minute. The account will be disabled when the limit is reached. The user must contact the Campus Support Center at 479.968.0646 to have the account unlocked, or it will automatically unlock after 30 minutes.
  • Audit logs will be maintained to record login activity and periodically reviewed to detect suspicious login attempts.
  • Account and password management functions will be restricted to authorized staff.
  • Accurate records will be maintained of to whom, for what reasons, and for what functions such access is granted.
  • Passwords will be administratively reset when an ATU account is compromised.
  • All ATU email accounts that are administratively reset will have 2 Factor Authentication turned on.

Password Management

  • Minimum password length will be set to 8 characters with a maximum of 30, using a combination of letters, numbers, and/or special characters. Due to Banner or AIX system requirements, only the following special characters may be used:  !  ^ * - _ + [ ] { } \ : ' ? / . ~
  • Passwords should not be set to anything that can be readily associated with the user such as birthdays, first or last names, pet names, telephone numbers, etc..
  • Passphrases should be used if possible, they are much harder to decipher. For example – I have no idea what this means changed to "!HaveN01dea?thisMean's".
  • Password changes will be forced during first time login.
  • Password changes will be required minimally at the following intervals: system administrators, 60 days; users, 90 days.
  • Input of all passwords will be masked.
  • Passwords will be encrypted during storage and transmission over networks.
  • Embedding or hard-coding passwords into any system will be avoided whenever possible.
  • University Approved Electronic Password Safes may be used to store additional passwords as long as an appropriate strong password is utilized for the safe.