Standards

Accounts and Passwords

Purpose

In support of the University’s Username and Password Policy, the processes and procedures presented in this document will be the authoritative source for how University user accounts and passwords are to be created and managed throughout the account lifecycle.

Account Management


 

Employee and Student Accounts

University user accounts will be created for all faculty, staff and student users as part of established onboarding processes and disabled during offboarding processes.

      • Student Accounts – A student account is generated and maintained for every student who either a) is currently enrolled or b) has been accepted for admission within the coming year with a reserved orientation date. These conditions are checked daily; however, student accounts remain active over summer break. The accounts of students who no longer meet these conditions are disabled. Following graduation, student accounts remain active for one year.
      • Employee Accounts (Faculty and Staff) – An employee account is automatically generated when appointment transactions are posted in the Human Resource system and is disabled when employee terminations are posted. An account can be disabled immediately if the department head contacts the university Human Resources group.

 

Other University Accounts

The following types of University accounts are created upon request and presentation of need. Contact the CCIT Support Center for assistance with these types of accounts.

 

      • Visitor Accounts
        Clemson visitor accounts are designed for an individual who is not a Clemson student, faculty, or staff member. Sponsorship by an active University faculty or staff member is required before an account can be created. The visitor account is used only to participate in the activities of a class, workgroup or collaboration. It is not intended to be a full-service Clemson account. By default, accounts are active for thirty (30) days from the date of creation but may be extended upon request of the University sponsor. Example use cases for this type of account are:
          • Research affiliates
          • Temporary visitors requiring access to Clemson resources
          • Vendors with active support or maintenance contracts
      • Miscellaneous Accounts
        This type of account is meant to be a generic, non-user-specific way to provide access to IT services. Sponsorship by an active University faculty or staff member is required before an account can be created. By default, accounts are active for one year from the date of creation but may be extended upon request of the University sponsor. Example use cases for this type of account are:
          • Student organizations
          • Departmental accounts
          • Generic re-usable accounts for summer programs
          • Shared Office365 mailboxes

 

Local System, Applications and SaaS Accounts

Accounts created for local systems, applications and SaaS applications are the responsibility of the Information System Owner (ISO) for each asset.

Account Privileges and Reviews

User accounts must be managed according to the principle of least privilege. Users should only be given the minimum access and permissions required to perform their assigned duties. Access to sensitive data cannot be automatically granted. It is the responsibility of the Data Owner or Data Trustee to ensure data is appropriately secured according to the Data Classification Policy.

Account privileges should be reviewed any time a user changes position or job requirements, or when they are terminated. At a minimum, local system, application and SaaS account privileges must be reviewed on an annual basis by ISOs to ensure only valid user accounts are active and permissions are appropriate to secure data and resources. Privileged accounts should only be associated with a Clemson-owned email address.

Training

Users with access to the University network or data are required to complete all assigned Information Technology and Information Security training and must read and adhere to all applicable policies and guidelines including the Cybersecurity Policy, Username and Password Policy, Acceptable Use Policy, and Data Classification Policy.

ISOs must also review the Minimum Security Guidelines and ensure their solution meets the applicable requirements and that their users are in compliance with applicable policies and guidelines.

 

Password Management


 

Length and Complexity

A strong password helps prevent attackers from gaining unauthorized access. The University has established the minimum password requirements below:

      • Passwords are required to be at least 10 characters long. This can include letters, numbers, and most symbols. Note that Clemson University systems have a maximum password length of 64.
      • Passwords cannot contain the symbols “<”, “>” or “\”.
      • Passwords under 16 characters long are required to have at least one lower case letter, one upper case letter, one number, and one allowed symbol.
      • Passwords at least 16 characters long are only required to have at least one lower case letter and one upper case letter.
      • Passwords at least 20 characters long have no requirements for types of characters used in the password (but other requirements still apply).

 

Disallowed Words

      • Passwords must not contain the words “clemson”, “tiger”, or “password” or any variation created by substituting characters (such as “cl3ms0n” or “t1g3r”).
      • Passwords must not contain any variation of the following:
        • Clemson Username
        • CUID Number
        • Name
        • Date of Birth

 

Additional Requirements

      • When passwords are changed, they must not be a variation of the previous password.
      • Your password must not be reused on other websites and must not appear in a list of known breached passwords.

Password Resets

If you believe your password or its security may have been compromised, you should immediately reset your password. The password change utility can be found at https://login.clemson.edu/changepass.php. Users may also reset their own password at any time.

Users who forget their password may request a new password from the CCIT Service Desk. Users will be required to verify their identity before an account password can be reset to allow access to their account.

OIS will reset passwords if an account is believed to be compromised. Users will need to contact the CCIT Service Desk and verify their identity to regain access.

 

Revised

May 26, 2020