Password Standard Version 2.0 October 2006
|
|
- Gwen Carson
- 6 years ago
- Views:
Transcription
1 Password Standard Version 2.0 October 2006
2 TABLE OF CONTENTS 1.1 SCOPE PRINCIPLES REVISIONS OBJECTIVE POLICY PROTECTION LENGTH SELECTIONS EXPIRATION UNIQUENESS WORK AND PERSONAL SEPARATION RECOMMENDATION ACCOUNT LOCKOUT COMPROMISED DEFAULT PASSWORDS DISPLAY AND PRINTING CRACKING ENCRYPTION RETRIEVAL INFORMATION SYSTEM INSTALLATION EXCEPTIONS APPROVED PASSWORD MANAGERS MANDATORY CONTROLS 7 5.1DISCRETIONARY CONTROLS REFERENCES DEFINITIONS 8 Effective Date: 10/02/2006 Last Review: 11/27/2017 Next Review: 11/2018 Page 1
3 1.1 SCOPE This policy applies to all users of and information technology (IT) resources owned, operated, or provided by the University of Tennessee at Martin (UTM) including its remote centers. Users includes but is not limited to students, faculty, staff, contractors, agents, representatives, and visitors accessing, using, or handling the University s information technology resources. Information transmitted or stored on University IT resources is the property of the University unless it is specifically identified as the property of other parties. 1.2 PRINCIPLES The University has chosen to adopt the policy principles established in the National Institute of Standards and Technology (NIST) 800 series of publications, and this policy is based on those guidelines. Specifically, this standard is based on guidelines in NIST SP Rev4, Recommended Security Controls for Federal Information Systems and Organizations. The Chancellor or equivalent at each Campus must designate an individual or functional position responsible for information security at their Campus (Position of Authority and/or Campus Authority). The Position of Authority should be at a high enough organizational level to allow him/her to speak with authority on and for the Campus. UTM must develop or adopt and adhere to a program that demonstrates compliance with policies and related standards. This standard is the responsibility of the Position of Authority. Each User of University resources is required to be familiar and comply with University policies. Acceptance of this policy is assumed if a User accesses, uses, or handles University resources. Effective Date: 10/02/2006 Last Review: 11/27/2017 Next Review: 11/2018 Page 2
4 1.3 REVISIONS Date Action Name 07/14/2006 Revised Will Turner 10/02/2006 Implemented (1.0) 05/2015 Revised (1.1) 08/29/2016 Update formatting, content (1.2) Brian Stubblefield 12/15/2016 Content (1.3) 01/06/2017 Corrections/suggestions from sysadmins (1.4) 01/10/2017 Password managers section (1.5) 02/21/2017 Suggestions from Security Team (1.6) 07/27/2017 Content and controls (1.7) 08/09/2017 Updates to password length and complexity (1.8) 09/05/2017 Renamed to standard, changes to wording and page numbering (1.9) 10/25/2017 Suggested changes from Amy, section numbering (1.10) 10/27/2017 Suggested changes, updates to retrieval and password managers sections (1.11) 11/27/2017 Approved (2.0) Effective Date: 10/02/2006 Last Review: 11/27/2017 Next Review: 11/2018 Page 3
5 2.1 OBJECTIVE This policy contains requirements and recommendations for all system passwords, including servers, workstations, and network devices, for UTM. Each user and/or administrator is required to implement the system password definitions listed in this document. 3.1 STANDARD 3.2 PROTECTION Passwords must never be written down or recorded. No user should ever share or divulge their password to anyone. Each user is accountable and responsible for any action taken with that user's username and password. No university employee or administrator should ever ask a user for their password, and if such an action takes place, the user should not reveal it to anyone, no matter how plausible the reason. Any password that is known to be compromised or suspected to be compromised must be changed immediately. 3.3 LENGTH Password length is one of the main factors that determines password strength. All passwords must be a minimum of twelve (12) characters (IA-5). 3.4 SELECTIONS Easy to guess words, such as single dictionary words, university name, product or service names, the user's proper name or username, must not be used at any time. Strong passwords should include at least three of the following characteristics (IA- 5): At least one numeric character At least one special character #, $, <space>, etc.), At least one lower case character At least one upper case character. Passwords issued for temporary accounts, password resets, and locked out IDs, must also conform to this standard. Passwords issued for automated, service, system, and other accounts not requiring a regular login must conform to a stricter standard. At minimum, they should contain at least 3 unrelated random words, 3 numbers, and one special character. Single dictionary words and short words with substituted characters do not make good passwords even though they meet the complexity requirements. Examples of bad passwords include: Abbreviation! Fa$t4Ward P@ssW0rd Effective Date: 10/02/2006 Last Review: 11/27/2017 Next Review: 11/2018 Page 4
6 Examples of strong passwords (longer passwords are more secure): Random, unrelated words with numbers and special characters can be hard to recall: Lighter:vowel~Immigrant85* SpendGovernEveningWhose4764= Randomly generated character strings are hardest to recall: A83dXD8*X5$3tSd 3A^6yS6sT3P8QAta*r The strongest and easy to recall, is a passphrase: This is my 8th random sentence? The balanced crusader angelfish recoiled. Don t implement promises, but keep them! DO NOT use any of the previous examples as your password. 3.5 EXPIRATION All passwords generated within UTM for access to Internal Use Only or Proprietary information must be set to expire at a maximum of every 180 days. Passwords used for privileged accounts on information systems must be set to expire at a maximum of 90 days. Passwords generated within UTM for access to Confidential information must be set to expire at a maximum of every 60 days. Passwords issued for temporary accounts, password resets, and locked out IDs must all be reset to expire immediately so the user will be forced to change their passwords at their first login opportunity (IA-5). 3.6 UNIQUENESS Where technically feasible, a history of at least ten (10) passwords must be kept within the system for each password generated (IA-5). This uniqueness forces users to create a new password that is unique over a longer time period WORK AND PERSONAL SEPARATION Users should never use the same passwords between university/work and personal accounts. This creates the risk of unauthorized parties gaining access to university systems. Effective Date: 10/02/2006 Last Review: 11/27/2017 Next Review: 11/2018 Page 5
7 3.6.2 RECOMMENDATION It is highly recommended that users implement unique passwords for each account (IA-5). It is common practice for threat actors to try compromised credentials in multiple services to gain access to additional accounts. Never reuse credentials that have been compromised. 3.7 ACCOUNT LOCKOUT An account will be locked out after thirty (30) bad password or login attempts in fifteen (15) minutes (AC-7). The account will remain locked for fifteen (15) minutes once it is locked. 3.8 COMPROMISED DEFAULT PASSWORDS If a users default credentials are compromised, the flag must be set on their account to block it being reset to the default in the portal. 3.9 DISPLAY AND PRINTING The display and printing of passwords must be masked, suppressed, or otherwise obscured such that unauthorized parties will not be able to observe or subsequently recover them (IA-6) CRACKING Users must not attempt to "break", "hack", "crack", or otherwise determine another users' password. This applies to passwords for students, faculty, staff, friends and accounts on systems reached through the Internet ENCRYPTION For security purposes, passwords used for access to proprietary or confidential information will not be sent across the network in 'clear text' format. Passwords used for access to proprietary or confidential information must not be listed in clear text for the purpose of automating a login sequence. All passwords must be stored in an encrypted format by the OS, DBMS, or application. NOTE: All encryption methods and technology must comply with any international regulations governing this technology RETRIEVAL Computer and communication systems must be designed, tested, and controlled to prevent the retrieval of stored passwords, whether they appear in encrypted or plain text form. Effective Date: 10/02/2006 Last Review: 11/27/2017 Next Review: 11/2018 Page 6
8 3.13 INFORMATION SYSTEM INSTALLATION Default authenticators must be changed upon information system installation, by requiring developers and/or installers to provide unique authenticators or change default authenticators for system components prior to delivery and/or installation (IA-5) EXCEPTIONS Some systems may not be able to comply with this policy due to restrictions of password length or unsupported characters. For these systems, an exception must be noted and approved by the Security Team APPROVED PASSWORD MANAGERS The use of a password manager is allowed and encouraged for securely generating and recalling strong, unique passwords and passphrases. The following password managers have been approved for use with required authentication requirements: LastPass, 1Password (online) o Must have complex password with at least sixteen (16) characters o Must use Two-Factor Authentication (2FA) KeePass, KeePassX (local) o Must have complex password with at least sixteen (16) characters o Must require a key file that is stored separately from the database file Others not listed must be approved by the Security Team before implementation. 4.1 MANDATORY CONTROLS Mandatory security controls are University-wide controls that are required to be consistently designed, implemented, monitored, and assessed. Authenticator Management (IA-5): Enforces/Requires: o Minimum password complexity o Minimum and maximum lifetime restrictions, prohibits password reuse o Immediate changes to temporary passwords o Changing default authenticators upon information system installation o Having different authenticators on all systems to manage the risk of compromise due to individuals having accounts on multiple information systems Authenticator Feedback (IA-6): Critical information systems must obscure feedback of authentication information during the authentication process to protect the information from possible unauthorized use. Effective Date: 10/02/2006 Last Review: 11/27/2017 Next Review: 11/2018 Page 7
9 5.1 DISCRETIONARY CONTROLS Discretionary Controls are security controls whose scope is limited to a specific campus, institution, or other designated organizational component. Discretionary Controls are designed, implemented, monitored, and assessed within that organizational component. Discretionary controls must not conflict with or lower the standards established by Mandatory Controls. Unsuccessful Login Attempts (AC-7): Enforces a limit of consecutive invalid logon attempts by a user during a specified time period. 6.1 REFERENCES NIST SP Rev4 - Recommended Security Controls for Federal Information Systems and Organizations NIST SP B Digital Identity Guidelines - Authentication and Lifecycle Management, Appendix A Strength of Memorized Secrets IT0132 Identification and Authentication 7.1 DEFINITIONS Cracking - Refers to using various methods to reveal a password with the intent of accessing a computer, system, or service to which one is not authorized. Encryption - The process of converting information or data into a special form to prevent unauthorized access. Password - A string of characters that must be supplied by a user in order to gain access to a computer, computer system, or electronic device. Also referred to as a Memorized Secret. Password Manager - An application used to organize, encrypt, and generate passwords. Threat Actor - An entity, internal, external, or partner, that is partially or wholly responsible for an incident that impacts, or has the potential to impact, the safety or security of another entity, person, or organization. Two-Factor Authentication (2FA) - A method of confirming a user's claimed identity by requiring a combination of two different components, which includes something you know (password, PIN), something you have (smart card, token), and something you are (biometrics). Effective Date: 10/02/2006 Last Review: 11/27/2017 Next Review: 11/2018 Page 8
Media Protection Program
Media Protection Program Version 1.0 November 2017 TABLE OF CONTENTS 1.1 SCOPE 2 1.2 PRINCIPLES 2 1.3 REVISIONS 3 2.1 OBJECTIVE 4 3.1 PROGRAM DETAILS 4 3.2 MEDIA STORAGE AND ACCESS 4 3.3 MEDIA TRANSPORT
More informationSecurity Awareness, Training, And Education Plan
Security Awareness, Training, And Education Plan Version 2.0 December 2016 TABLE OF CONTENTS 1.1 SCOPE 2 1.2 PRINCIPLES 2 1.3 REVISIONS 3 2.1 OBJECTIVE 4 3.1 PLAN DETAILS 4 3.2 WORKFORCE DESIGNATION 4
More informationa. UTRGV owned, leased or managed computers that fall within the regular UTRGV Computer Security Standard
Kiosk Security Standard 1. Purpose This standard was created to set minimum requirements for generally shared devices that need to be easily accessible for faculty, staff, students, and the general public,
More informationInformation Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC
Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_
More informationUT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES
ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary
More informationOpenLAB ELN Supporting 21 CFR Part 11 Compliance
OpenLAB ELN Supporting 21 CFR Part 11 Compliance White Paper Overview Part 11 in Title 21 of the Code of Federal Regulations includes the US Federal guidelines for storing and protecting electronic records
More informationOhio Supercomputer Center
Ohio Supercomputer Center Security Notifications No: Effective: OSC-10 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original Publication
More informationPASSWORD SECURITY GUIDELINE
Section: Information Security Revised: December 2004 Guideline: Description: Password Security Guidelines: are recommended processes, models, or actions to assist with implementing procedures with respect
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationCanadian Access Federation: Trust Assertion Document (TAD)
1. Canadian Access Federation Participant Information 1.1.1. Organization name: DOUGLAS COLLEGE 1.1.2. Information below is accurate as of this date: November 16, 2017 1.2 Identity Management and/or Privacy
More informationMinimum Security Standards for Networked Devices
University of California, Merced Minimum Security Standards for Networked Devices Responsible Official: Chief Information Officer Responsible Office: Information Technology Issuance Date: Effective Date:
More informationCompliance Matrix for 21 CFR Part 11: Electronic Records
Compliance Matrix for 21 CFR Part 11: Electronic Records Philip E. Plantz, PhD, Applications Manager David Kremer, Senior Software Engineer Application Note SL-AN-27 Revision B Provided By: Microtrac,
More informationTable of Contents. PCI Information Security Policy
PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology
More informationHitachi High Technologies America, Inc. Password Policy
Hitachi High Technologies America, Inc. Password Policy Revision Date: 4/17/2015 Table of Contents Table of Contents...2 Overview...3 Scope. 3 Guidelines...3 A. General Password Construction Guidelines...3
More informationORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers
All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision
More informationMedical Sciences Division IT Services (MSD IT)
Medical Sciences Division IT Services (MSD IT) Security Policy Effective date: 1 December 2017 1 Overview MSD IT provides IT support services support and advice to the University of Oxford Medical Sciences
More informationAgilent ICP-MS ChemStation Complying with 21 CFR Part 11. Application Note. Overview
Agilent ICP-MS ChemStation Complying with 21 CFR Part 11 Application Note Overview Part 11 in Title 21 of the Code of Federal Regulations includes the US Federal guidelines for storing and protecting electronic
More informationCredentials Policy. Document Summary
Credentials Policy Document Summary Document ID Credentials Policy Status Approved Information Classification Public Document Version 1.0 May 2017 1. Purpose and Scope The Royal Holloway Credentials Policy
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: University of Toronto Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationDFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017
DFARS 252.204-7012 Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017 As with most government documents, one often leads to another. And that s the case with DFARS 252.204-7012.
More informationInteragency Advisory Board Meeting Agenda, December 7, 2009
Interagency Advisory Board Meeting Agenda, December 7, 2009 1. Opening Remarks 2. FICAM Segment Architecture & PIV Issuance (Carol Bales, OMB) 3. ABA Working Group on Identity (Tom Smedinghoff) 4. F/ERO
More informationNIST Compliance Controls
NIST 800-53 Compliance s The following control families represent a portion of special publication NIST 800-53 revision 4. This guide is intended to aid McAfee, its partners, and its customers, in aligning
More informationIntegration of Agilent UV-Visible ChemStation with OpenLAB ECM
Integration of Agilent UV-Visible ChemStation with OpenLAB ECM Compliance with Introduction in Title 21 of the Code of Federal Regulations includes the US Federal guidelines for storing and protecting
More informationAccess to University Data Policy
UNIVERSITY OF OKLAHOMA Health Sciences Center Information Technology Security Policy Access to University Data Policy 1. Purpose This policy defines roles and responsibilities for protecting OUHSC s non-public
More informationUNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017
UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets
More informationMaria Hishikawa MSIX Technical Lead Sarah Storms MSIX Contractor Security
Migrant Student Information Exchange (MSIX) Security, Privacy and Account Management Webinar Deloitte Consulting LLP. February 22, 2018 Maria Hishikawa MSIX Technical Lead Sarah Storms MSIX Contractor
More informationIntegration of Agilent OpenLAB CDS EZChrom Edition with OpenLAB ECM Compliance with 21 CFR Part 11
OpenLAB CDS Integration of Agilent OpenLAB CDS EZChrom Edition with OpenLAB ECM Compliance with 21 CFR Part 11 Technical Note Introduction Part 11 in Title 21 of the Code of Federal Regulations includes
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Royal Society of Chemistry Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they
More informationPASSWORD POLICY JANUARY 19, 2016 NEWBERRY COLLEGE 2100 College St., Newberry, SC 29108
2016-2017 JANUARY 19, 2016 NEWBERRY COLLEGE 2100 College St., Newberry, SC 29108 Contents 1.0 Overview... 2 2.0 Purpose... 2 3.0 Scope... 2 4.0 Policy... 2 4.1 Guidelines... 2 4.2 Password Protection Standards...
More informationDepartment of Public Health O F S A N F R A N C I S C O
PAGE 1 of 7 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide Other:
More informationSparta Systems Stratas Solution
Systems Solution 21 CFR Part 11 and Annex 11 Assessment October 2017 Systems Solution Introduction The purpose of this document is to outline the roles and responsibilities for compliance with the FDA
More informationDonor Credit Card Security Policy
Donor Credit Card Security Policy INTRODUCTION This document explains the Community Foundation of Northeast Alabama s credit card security requirements for donors as required by the Payment Card Industry
More informationTABLE OF CONTENTS. Lakehead University Password Maintenance Standard Operating Procedure
TABLE OF CONTENTS 1.0 General Statement... 3 2.0 Purpose... 3 3.0 Scope... 3 4.0 Procedure... 3 4.1 General... 3 4.2 Requirements... 4 4.3 Guidelines... 4 5.0 Failure to comply... 6 2 1.0 GENERAL STATEMENT
More information201 CMR COMPLIANCE CHECKLIST Yes No Reason If No Description
Do you have a comprehensive, written information security program ( WISP ) WISP) applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts ( PI )?
More informationISSUE N 1 MAJOR MODIFICATIONS. Version Changes Related Release No. PREVIOUS VERSIONS HISTORY. Version Date History Related Release No.
ISSUE N 1 MAJOR MODIFICATIONS Version Changes Related Release No. 01 First issue. 2.8.0 PREVIOUS VERSIONS HISTORY Version Date History Related Release No. N/A N/A N/A N/A APPROVAL TABLE Signatures below
More informationHong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)
Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS) This document (IMPS) facilitates an organization to provide relevant information to describe how it fulfils the normative
More informationRemote Access Policy
Remote Consulting Group Policy 1.0 1234 Main Street Version 1.0 Philadelphia, PA 19000 1213 www.rcg.com 1. Overview Remote Access Policy Remote Access allows Remote Consulting Group (RCG) to leverage the
More informationPolicy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy
Policy Title: Binder Association: Author: Review Date: Pomeroy Security Principles PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Joseph Shreve September of each year or as required Purpose:...
More informationUNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017
UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets
More informationTECHNICAL BULLETIN [ 1 / 13 ]
TECHNICAL BULLETIN [ 1 / 13 ] [Title] Guidelines on Compliance with FDA 21 CFR Part 11 for the GOT2000 and GOT1000 Series [Date of Issue] November 2014 (Ver. C: November 2017) [Relevant Models] GOT2000
More informationGLOBAL PAYMENTS AND CASH MANAGEMENT. Security
GLOBAL PAYMENTS AND CASH MANAGEMENT Security The Bank aims to provide you with a robust, reliable and secure online environment in which to do business. We seek to achieve this through the adoption of
More informationSystem Assessment Report Relating to Electronic Records and Electronic Signatures; 21 CFR Part 11. System: tiamo (Software Version 2.
Page 1 /15 System Assessment Report Relating to Electronic Records and Electronic Signatures; 21 CFR Part 11 System: tiamo (Software Version 2.5) Page 2 /15 1 Procedures and Controls for Closed Systems
More informationState of Colorado Cyber Security Policies
TITLE: State of Colorado Cyber Security Policies Access Control Policy Overview This policy document is part of the State of Colorado Cyber Security Policies, created to support the State of Colorado Chief
More informationTennessee Technological University Policy No Password Management
Tennessee Technological University Policy No. 852 Password Management Effective Date: January 1, 2014 Policy No: 852 Policy Name: Password Management Policy Policy Subject: Password Management Date Revised:
More informationSWAMID Identity Assurance Level 2 Profile
Document SWAMID Identity Assurance Level 2 Profile Identifier http://www.swamid.se/policy/assurance/al2 Version V1.0 Last modified 2015-12-02 Pages 11 Status FINAL License Creative Commons BY-SA 3.0 SWAMID
More informationNo More Excuses: Feds Need to Lead with Strong Authentication!
No More Excuses: Feds Need to Lead with Strong Authentication! Dr. Sarbari Gupta sarbari@electrosoft-inc.com Annual NCAC Conference on Cybersecurity March 16, 2016 Electrosoft Services, Inc. 1893 Metro
More informationSwanson School of Engineering University of Pittsburgh
Swanson School of Engineering University of Pittsburgh Information Security Policies Document Author: Brian Vidic Revision: 2.3 Revision Date: 03/10/16 Table of Contents OVERVIEW... 6 INFORMATION SECURITY
More informationThe Honest Advantage
The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents
More informationFedRAMP Digital Identity Requirements. Version 1.0
FedRAMP Digital Identity Requirements Version 1.0 January 31, 2018 DOCUMENT REVISION HISTORY DATE VERSION PAGE(S) DESCRIPTION AUTHOR 1/31/2018 1.0 All Initial document FedRAMP PMO i ABOUT THIS DOCUMENT
More informationUniversity of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017
University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017 Related Policies, Procedures, and Resources UAB Acceptable Use Policy, UAB Protection and Security Policy, UAB
More informationDepartment of Public Health O F S A N F R A N C I S C O
PAGE 1 of 9 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide Other:
More informationSumy State University Department of Computer Science
Sumy State University Department of Computer Science Lecture 1 (part 2). Access control. What is access control? A cornerstone in the foundation of information security is controlling how resources are
More informationPassword Policy Best Practices
Password Policy Best Practices 1.0 Overview Passwords are an important aspect of information security, and are the front line of protection for user accounts. A poorly chosen password may result in the
More informationPart 11 Compliance SOP
1.0 Commercial in Confidence 16-Aug-2006 1 of 14 Part 11 Compliance SOP Document No: SOP_0130 Prepared by: David Brown Date: 16-Aug-2006 Version: 1.0 1.0 Commercial in Confidence 16-Aug-2006 2 of 14 Document
More informationPage 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES
002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission
More informationMapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls
Mapping of FedRAMP Tailored LI SaaS Baseline to ISO 27001 Security Controls This document provides a list of all controls that require the Cloud Service Provider, Esri, to provide detailed descriptions
More informationEmployee Security Awareness Training Program
Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,
More informationCyber Security Program
Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by
More informationJUNE 2018 Version 1.0. CU*ANSWERS Risk Assessment for It s Me 247. Online Banking
JUNE 2018 Version 1.0 CU*ANSWERS Risk Assessment for It s Me 247 Online Banking CONTENTS INTRODUCTION... 3 FEATURES... 3 QUICK REFERENCE... 4 RISK ASSESSMENT TOOLS... 5 PIB TOOLS... 8 ABNORMAL ACTIVITY...
More informationTECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES
TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control
More informationMANAGING LOCAL AUTHENTICATION IN WINDOWS
MANAGING LOCAL AUTHENTICATION IN WINDOWS Credentials Manager Windows OS has a set of tools that help remedy some of the authentication challenges. For example, the Credential Manager in Windows 7 and newer
More informationISSP Network Security Plan
ISSP-000 - Network Security Plan 1 CONTENTS 2 INTRODUCTION (Purpose and Intent)... 1 3 SCOPE... 2 4 STANDARD PROVISIONS... 2 5 STATEMENT OF PROCEDURES... 3 5.1 Network Control... 3 5.2 DHCP Services...
More informationSparta Systems TrackWise Solution
Systems Solution 21 CFR Part 11 and Annex 11 Assessment October 2017 Systems Solution Introduction The purpose of this document is to outline the roles and responsibilities for compliance with the FDA
More informationIMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP
IMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP North America Latin America Europe 877.224.8077 info@coalfire.com coalfire.com Coalfire sm and CoalfireOne sm are registered service
More informationPOLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents
POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND October 2005 Table of Contents Introduction... 1 Purpose Of This Policy... 1 Responsibility... 1 General Policy... 2 Data Classification Policy...
More informationIntegrated Access Management Solutions. Access Televentures
Integrated Access Management Solutions Access Televentures Table of Contents OVERCOMING THE AUTHENTICATION CHALLENGE... 2 1 EXECUTIVE SUMMARY... 2 2 Challenges to Providing Users Secure Access... 2 2.1
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationIdentity, Authentication and Authorization. John Slankas
Identity, Authentication and Authorization John Slankas jbslanka@ncsu.edu Identity Who or what a person or thing is; a distinct impression of a single person or thing presented to or perceived by others;
More informationIDENTITY THEFT PREVENTION Policy Statement
Responsible University Officials: Vice President for Financial Operations and Treasurer Responsible Office: Office of Financial Operations Origination Date: October 13, 2009 IDENTITY THEFT PREVENTION Policy
More informationAdobe Sign and 21 CFR Part 11
Adobe Sign and 21 CFR Part 11 Today, organizations of all sizes are transforming manual paper-based processes into end-to-end digital experiences speeding signature processes by 500% with legal, trusted
More informationRev.1 Solution Brief
FISMA-NIST SP 800-171 Rev.1 Solution Brief New York FISMA Cybersecurity NIST SP 800-171 EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker delivers business critical
More informationIT Governance Committee Review and Recommendation
IT Governance Committee Review and Recommendation Desired Change: Approval of this policy will establish Security Standards for the UCLA Logon Identity for anyone assigned a UCLA Logon ID/password and
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationRed Flags/Identity Theft Prevention Policy: Purpose
Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and
More informationPHYSICAL AND ENVIRONMENTAL SECURITY
PHYSICAL AND ENVIRONMENTAL SECURITY 1.0 STANDARD FOR PHYSICAL AND ENVIRONMENTAL SECURITY - EQUIPMENT 1.1 PURPOSE The purpose of this standard is to establish baseline controls to prevent loss, damage,
More informationEHR SECURITY POLICIES & SECURITY SITE ASSESSMENT OVERVIEW WEBINAR. For Viewer Sites
EHR SECURITY POLICIES & SECURITY SITE ASSESSMENT OVERVIEW WEBINAR For Viewer Sites Agenda 1 Introduction and EHR Security Policies Background 2 EHR Security Policy Overview 3 EHR Security Policy Assessment
More information2015 HFMA What Healthcare Can Learn from the Banking Industry
2015 HFMA What Healthcare Can Learn from the Banking Industry Agenda Introduction- Background and Experience Healthcare vs. Banking The Results OCR Audit Results Healthcare vs. Banking The Theories Practical
More informationValidation Checklist Appendix A WiZARD2 Secure and 21 CFR 11 Requirements
Appendix A Procedures and Controls for Closed Systems (check = yes) (check = yes) Customers may devise their own validation protocols that may or may not be compliant with 21 CFR 11 Is the system validated?
More informationMessage Networking 5.2 Administration print guide
Page 1 of 421 Administration print guide This print guide is a collection of system topics provided in an easy-to-print format for your convenience. Please note that the links shown in this document do
More informationSDA COMPLIANCE SOFTWARE For Agilent ICP-MS MassHunter Software
SDA COMPLIANCE SOFTWARE For Agilent ICP-MS MassHunter Software Part 11 in Title 21 of the US Code of Federal Regulations (commonly referred to as 21 CFR Part 11) governs food and drugs in the US, and includes
More informationAnnex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems
Annex 1 to NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Minimum Security Controls Low Baseline AC-1 ACCESS CONTROL POLICY AND PROCEDURES The organization
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: CARLETON UNIVERSITY Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationStandard CIP-006-3c Cyber Security Physical Security
A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-3c 3. Purpose: Standard CIP-006-3 is intended to ensure the implementation of a physical security
More informationPHYSICAL & ENVIRONMENTAL PROTECTION GUIDE
2017 PHYSICAL & ENVIRONMENTAL PROTECTION GUIDE UTC IT0129-G UTC Information Technology Michael Dinkins, CISO 4/28/2017 CONTENTS 1. SCOPE... 2 2. PRINCIPLES... 2 3. REVISIONS... 2 4. OBJECTIVE... 2 5. POLICY...
More informationSparta Systems TrackWise Digital Solution
Systems TrackWise Digital Solution 21 CFR Part 11 and Annex 11 Assessment February 2018 Systems TrackWise Digital Solution Introduction The purpose of this document is to outline the roles and responsibilities
More informationAXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure
AXIAD IDS CLOUD SOLUTION Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure Logical Access Use Cases ONE BADGE FOR CONVERGED PHYSICAL AND IT ACCESS Corporate ID badge for physical
More informationLakeshore Technical College Official Policy
Policy Title Original Adoption Date Policy Number Information Security 05/12/2015 IT-720 Responsible College Division/Department Responsible College Manager Title Information Technology Services Director
More information1. Federation Participant Information DRAFT
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES [NOTE: This document should be considered a as MIT is still in the process of spinning up its participation in InCommon.] Participation in InCommon
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Personnel Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval
More informationOracle Data Cloud ( ODC ) Inbound Security Policies
Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards...
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: British Columbia Institute of Technology Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationStandard CIP 005 2a Cyber Security Electronic Security Perimeter(s)
A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2a 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)
More informationSystem Assessment Report Relating to Electronic Records and Electronic Signatures; 21 CFR Part 11. System: StabNet (Software Version 1.
Page 1 /16 System Assessment Report Relating to Electronic Records and Electronic Signatures; 21 CFR Part 11 System: StabNet (Software Version 1.1) Page 2 /16 1 Procedures and Controls for Closed Systems
More information3 rd Party Certification of Compliance with MA: 201 CMR 17.00
3 rd Party Certification of Compliance with MA: 201 CMR 17.00 The purpose of this document is to certify the compliance of Strategic Information Resources with 201 CMR 17.00. This law protects the sensitive
More informationUniversity of North Texas System Administration Identity Theft Prevention Program
University of North Texas System Administration Identity Theft Prevention Program I. Purpose of the Identity Theft Prevention Program The Federal Trade Commission ( FTC ) requires certain entities, including
More informationSecurity Requirements for Password Management and Use
Government of Ontario IT Standard (GO-ITS) Number 25.15 Security Requirements for Password Management and Use Version #: 1.3 Status: Approved Prepared for the Information Technology Standards Council (ITSC)
More informationPayment Card Industry (PCI) Qualified Integrator and Reseller (QIR)
Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR) Implementation Instructions Version 4.0 March 2018 Document Changes Date Version Description August 2012 1.0 Original Publication November
More information