All University IT Resource passwords must be changed at least every 120 days. Faculty, staff, student-employees, and other affiliates having privileges elevated in excess of the base roles listed in the User Credentials Standard will be assigned a 30-day password expiration cycle in the OnePurdue System. In no event will a password older than 120 days be usable for access of any type to any University IT Resources.
Authentication and Authorization Policy: http://www.purdue.edu/policies/pages/information_technology/v_1_2.html
User Credentials Standard: http://www.purdue.edu/securepurdue/bestPractices/passStandards.cfm
If you are accessing Purdue IT Resources, the Authentication and Authorization Policy and the related standards require that the device be password protected. Purdue University employees should be sure that they are following the University Data Handling Guidelines when accessing or storing Purdue University data on a mobile device.
University Data Handling Guidelines: http://www.itap.purdue.edu/security/procedures/dataHandling.cfm
Because a two-factor authentication (TFA) token requires two factors to authenticate you, something you know and something you have, it is a much stronger authentication method. Frequent PIN changes are not needed in this case. The User Credentials Standard discusses PIN requirements.
User Credentials Standard: http://www.purdue.edu/securepurdue/bestPractices/passStandards.cfm
The Identity and Access Management Office (IAMO) has launched a two-factor authentication project using the RSA SecurID® product. The pilot project is an exploration of ways to improve security for accessing the OnePurdue portal. Information on the pilot project can be found at: http://www.purdue.edu/securepurdue/careeraccount/token.cfm
Upon completion of the pilot project, the IAMO will assess the feasibility of providing TFA tokens to the university at large.
Yes, the use of group passwords for University IT Resources is controlled by the Authentication and Authorization Policy and related standards. The use of group accounts should be minimized. Group accounts are subject to policy, and the password should be changed every 30 days and whenever there is a personnel change in the group.
User Credentials Standard: http://www.purdue.edu/securepurdue/bestPractices/passStandards.cfm
The Identity and Access Management Office (IAMO) recognizes that BIOS passwords may be difficult to change on a regular basis. System administrators are encouraged to submit policy exception requests to the IAMO for BIOS passwords.
Security Policy Exception information: http://www.purdue.edu/securepurdue/bestPractices/deviationProcedure.cfm