Scope
The policies and procedures outlined in the following document apply to all Roane State Community College faculty, staff, students, visitors, and contractors. This policy applies to all academic, administrative, networking and microcomputer resources leased or installed at all Roane State Community College (RSCC) locations.
In addition to the policies listed below, all users are subject to existing state and federal laws along with institutional and Tennessee Board of Regents (TBR) regulations concerning the use of computers, email, and the Internet.
Definitions
Password - A password is a string of characters used for authenticating a user on a computer system.
Privileged Account - Privileged accounts are those accounts with administrative or root access to a system and used for the administration of an application or database. Examples: Oracle database administration, Banner, etc.
System Account - Accounts used for automated processes without user interaction or device management.
Compliance with TBR Policy
To the extent a discrepancy exists between this policy and related TBR or state policy or law, TBR and state policy take precedence.
Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts including network login, email accounts, and web accounts. Poorly constructed passwords may result in the compromise of Roane State’s entire network and its data. Given the threat to personally identifiable information, this policy is provided as a means of protecting that information.
General
All users of Roane State information systems will have a unique user identification and password.
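Passwords
User Passwords - Change all user-level passwords (network login, portal, etc.) every 120 days.
Students are not required to change passwords.
Privileged Accounts - Users with privileged accounts must change their passwords every 120 days.
System Accounts - System account passwords are not required to expire, but must meet the password construction requirements defined in this policy.
Other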
Vendor provided passwords must be changed upon installation using the construction standards in this policy.
User accounts that have system-level privileges granted through group membership or programs such as “sudo” must have a password that is unique from all other accounts held by that user.
Where SNMP (Simple Network Management Protocol) is used, the community strings must be defined as something other than the standard defaults of “public,” “private” and “system” and must be different from the passwords used to log in interactively. A keyed hash must be used where available and technically feasible (e.g., SNMPv2 or v3).
Passwords must not be sent by email messages or other forms of electronic communications. Exception: sending an initial password that must be changed at login.
All user-level and system-level passwords must conform to the guidelines for strong passwords as described later in this document.
Password parameters will be set to prevent users from reusing the past ten (10) passwords.
The minimum password age is one day.
Password grace periods will be thirty (30) days during which the user will be warned the password is due to expire.
Accounts will be locked out after five (5) attempts. Users must contact the Help Desk or system administration for a reset.
Faculty and staff desktops will be locked after 15 minutes of inactivity, requiring a logon using their password.
Lab computers will be logged out after 60 minutes of inactivity, requiring users to log on using their password.
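Contain a minimum of eight (8) characters consisting of three (3) of the following four (4) character categories. These will be enforced.
English uppercase characters (A-Z)
English lowercase characters (a-z)
Base 10 digits (0-9)
Non-alphanumeric characters (~)!#%*?_-)
The following are recommended:
Is not a word in any language, slang, dialect, jargon, etc.
Is not based on personal information.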
Use of Passphrases
Passphrases are longer versions (23 character minimum) of passwords and are therefore inherently more secure. A passphrase is typically composed of multiple words and therefore provides more security against “dictionary” attacks. An example is “This May Be One Way to Remember” and the passphrase could be “ThisMaybeOneWaytoRemember” or reduced to “TmB1w2R!”. Another example is: “iamthecapitanofthepin4”. According to the National Institute of Standards and Technology (NIST) this passphrase of at least 23 characters contains a 45 bit strength.
Use of passphrases is encouraged as an alternative to passwords because they are generally easier to remember.
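Password Protection Standards
Do not use the same password for Roane State accounts as used to access non-Roane State accounts (e.g., personal Internet service providers such as MSN, Yahoo, Google, trading accounts, bank accounts, etc.).
Do not share your Roane State account information with anyone, including administrative assistants, secretaries, or supervisors. All passwords are to be treated as sensitive and confidential RSCC information.
The following are password security precautions:
Do not reveal a password to anyone over the phone.
Do not reveal a password in an email. An exception is transmittal of an initial or reset password that must be changed upon access.
Do not tell your boss your password.
Do not talk about your password in front of others.
Do not hint at the format of your password, such as “my family name.”
Do not reveal your password on questionnaires or forms.
Do not share your password with family members.
Do not give your password to others while you are on vacation.
Do not use the “Remember Password” feature in applications.
Do not write your password on a sticky note, put it under the keyboard, or “hide” it somewhere in the office.
Don’t store your password on another device such as a Personal Digital Assistant (PDA) or USB drive without encryption. You may use a password storage utility as long as it encrypts the stored data; in addition, ensure it is protected by a strong password.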
Report the incident to the Information Technology office immediately and change all passwords if you suspect your password has been compromised.
The Office of Information Technology or its designee may periodically run password “cracking” or “guessing” utilities to assess the compliance of this policy. If the password is “guessed” or “cracked” during this scan, users must change passwords.
Where technically feasible, provide role management such that one user can perform the functions of another user without having to know the other user’s password.
Enforcement and Compliance
Any employee found in willful violation of this policy may be subject to disciplinary action. Justification for exceptions to this policy must be approved in writing by the president.
Responsible Party
The CIO shall be responsible for development and maintenance of this policy for issuance by the president.