Images for the Office of the Provost - Harvard University

2.4 Identifying Users With Access To Confidential Information

Policy

System owners must be able to identify individual users of systems that contain or access confidential information. Passwords used to access such systems must meet current industry standards for length and complexity. User passwords must not be shared and must not be retrievable by anyone, including the system operator.

The Harvard PIN system or LDAP Server are to be used for University applications that access confidential information unless a specific exception is made by the University CIO.

Discussion

System owners are required to establish an accurate audit trail of which person performed what actions in any system that stores or accesses confidential information. The normal way to do this is through the use of login IDs that are unique to an individual and are not shared. Unique IDs are generally quite feasible for user accounts, but there can be problems when it comes to administrative accounts. In many systems such problems can be overcome by requiring administrators to log in with their own unique IDs and then assume the administrator role through a mechanism that logs such actions.

Sharing passwords defeats the requirement for an accurate audit trail and can result in the wrong person being blamed if something goes wrong. This extends to administrators being able to retrieve users' passwords and potentially log in and act as that user. Passwords must therefore be stored in a way that does not permit them to be retrieved by anyone, including system administrators.

It is important that people use passwords that cannot be easily guessed, so password systems at Harvard should enforce a minimum level of complexity for new passwords. Systems should also limit the number of password errors that are permitted, to limit the opportunity for an attacker to guess a password. (See Section 2.5 Inhibit Password Guessing.)

If a user forgets their password, an administrator can set a new temporary password that the user can use to log in and create a new secret password for themselves. Systems should force the user to change the temporary password the first time the user logs in.
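The storage, error-limit and temporary-password requirements above can be met together, as in the following added example, which is not part of the Harvard policy or any Harvard system. The class name, method names, scrypt parameters and the failure threshold of 5 are assumptions, and the complexity check for new passwords is left out.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 5  # assumed threshold; the policy does not give a number


class CredentialStore:
    """Keeps only salted scrypt hashes, so nobody can read a password back."""

    def __init__(self):
        self._users = {}  # login ID -> record

    @staticmethod
    def _hash(password, salt):
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

    def _store(self, user, password, must_change):
        salt = secrets.token_bytes(16)  # fresh salt for every stored password
        self._users[user] = {"salt": salt, "hash": self._hash(password, salt),
                             "must_change": must_change, "failures": 0}

    def admin_reset(self, user):
        """Administrator issues a temporary password that must be changed."""
        temp = secrets.token_urlsafe(12)
        self._store(user, temp, must_change=True)
        return temp

    def login(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return "denied"
        if rec["failures"] >= MAX_FAILURES:
            return "locked"  # stays locked until an administrator resets it
        candidate = self._hash(password, rec["salt"])
        if not hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] += 1
            return "denied"
        rec["failures"] = 0
        return "change_required" if rec["must_change"] else "ok"

    def change_password(self, user, old, new):
        """User sets a new secret; this clears the forced-change flag."""
        if new == old or self.login(user, old) not in ("ok", "change_required"):
            return False
        self._store(user, new, must_change=False)
        return True
```

A caller should treat `change_required` as a state in which the only permitted action is `change_password`.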

Writing passwords down is not a good idea unless the paper is kept in a safe, locked place. That is, do not put your password on a Post-It note stuck to your monitor or kept in your laptop or wallet, lest a stolen laptop or wallet put Harvard confidential information at risk.

It is a good idea to use different passwords for different purposes so that a compromise in one will not put other uses at risk.

Do not tell anyone your password at any time for any reason: not a stranger, roommate, spouse, coworker, boss or technical support person. You should report anyone asking for your password. The one exception is that if you leave Harvard, you may be asked for your passwords to Harvard resources.

Harvard does not have a general policy about required password expiration. There are disagreements between security experts over the value of forced password changes, but regular password changes are required by some governmental regulations such as HIPAA and non-governmental agreements such as those governing working with credit and debit cards. In addition, Harvard Risk Management requires regular changes for administrative passwords in some cases.

Passwords should always be changed if you suspect that the password was compromised in some way.
