Authentication mechanisms such as passwords are the primary means of protecting access to computer systems and data. It is essential that these authenticators be strongly constructed and used in a manner that prevents their compromise.
This policy applies to all passwords and other authentication methods used at the university.
University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.
Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.
- Access to all university data and systems not intended for unrestricted public access requires authentication.
- Passwords and other authenticators must be constructed to have a resistance to attack commensurate with the level of system or data access granted to the account.
- Systems must be designed and configured to protect passwords during storage and transmission.
- No one may require another to share the password to an individually assigned university account, for example as a condition of employment or in order to provide technical support.
Review and Adjudication
- All members of the University of Florida Constituency are responsible for any activity that occurs as a result of the use of authentication methods issued to them.
- All members of the University of Florida Constituency are responsible for protecting the password or authentication method associated with an individually assigned university
account. Passwords may not be shared or disclosed to anyone else.
- All members of the University of Florida Constituency are responsible for reporting any suspicious use of assigned authentication mechanisms. Anyone that reasonably believes his or her password to be known by anyone else must change it immediately. Lost or stolen authentication devices are to be reported immediately.
- Information Security Managers (ISM) are responsible for verifying that information systems under their control, and those intended for acquisition or development by their unit, comply
with this policy.
- The Vice President and Chief Information Officer is responsible for implementing systems and specifications to facilitate unit compliance with this policy.
Failure to comply with this policy could result in disciplinary action for employees, up to and including termination. Volunteers may have their volunteer status terminated.
|July 11, 2013||Policy originally adopted|