
Old Dominion University

Information Technology Standard

02.11.0 Credential Management

Date of Current Revision or Creation: December 1, 2020

The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

  1. Purpose

    The purpose of this standard is to define the Credential Management requirements used by Old Dominion University.

  2. Definitions

    ITS is the acronym for Information Technology Services.

    A password is a secret used to gain access to an account.

    Access Tokens serve as an authentication "cookie" that can be shared between browsers, clients, or connections so that each interaction does not require reauthentication.

  3. Standards Statement

    Credential use is required on all accounts on systems classified as sensitive, including local, remote access and temporary accounts.

    Passwords

    Password length and complexity requirements are based on sensitivity and risk (see the MIDAS Standard):

    • User accounts must follow "ITS Guideline for User Account Password Complexity" to the extent possible based on technical and operational constraints.
    • System and service accounts must follow "ITS Guideline for System and Service Account Password Complexity" to the extent possible based on technical and operational constraints.

    Transmission of identification and authentication data (e.g., passwords) without the use of industry accepted encryption standards is prohibited.

    IT system users are required to maintain exclusive control and use of their passwords.

    For non-MIDAS controlled systems, users must be allowed to change their passwords.

    Users determined to have access to sensitive data are required to change their passwords after a pre-determined period (e.g., 90 days) as defined by the System Owner, based on sensitivity and risk.

    IT system users are required to immediately change their passwords and notify the Information Security Officer (ISO) if they suspect their passwords have been compromised.

    Password history files are to be maintained to prevent the reuse of the same passwords, commensurate with sensitivity and risk.

    For non-MIDAS controlled systems, unique (non-MIDAS) passwords must be created per system.

    Forgotten initial passwords are to be replaced rather than reissued.

    Group account IDs and shared passwords on sensitive IT systems are discouraged. Group account IDs or shared passwords required for optimal administration of systems should be noted in the system risk assessment and accepted by the System Owner.

    Inclusion of passwords as plain text is discouraged. Passwords required for system usage should be encrypted where possible. Exceptions should be noted in the system risk assessment as an identified risk with accepted compensating controls.

    Access to files containing passwords is to be limited to the IT system and its administrators.

    Hardware password requirements are to be based on sensitivity and risk.

    Hardware passwords are to be documented and stored securely.

    Procedures shall be implemented to handle lost or compromised passwords and/or tokens.

    Access Tokens

    Access tokens should be generated using industry standard mechanisms.

    Access token expiration should be configured based on sensitivity and risk but should not be configured to never expire.

    Access tokens should be limited in scope to required authorized resources.

    Access tokens should only be shared among services with similar purpose within the same system and, if possible, should be unique per instance of the application.

  4. Procedures, Guidelines & Other Related Information

    Federal and State Law

    University Policy 3501 - IT Access Control

    University Policy 3502 - Information Infrastructure, Architecture, and On-going Operational

    University Policy 3505 - Information Technology Security

  5. History

    Date | Responsible Party | Action
    October 2008 | ITAC/CIO | Created
    October 2010 | ITAC/CIO | Reaffirmed
    October 2011 | ITAC/CIO | Reaffirmed
    February 2014 | IT Policy Office | Minor rewording for clarity
    May 2014 | IT Policy Office | Added references to Password Guidelines
    September 2014 | IT Policy Office | Updated to reflect recommendations from APA
    December 2017 | IT Policy Office | Minor rewording for clarity
    December 2020 | IT Policy Office | Rewording for clarity to reflect current naming and practices and to add Access Tokens to the standard
