TigerAccounts & Passwords

Policy Title

Account and Password Management Policy

  1. PURPOSE
    The purpose of this Account and Password Management Policy is to establish the requirements for User Accounts provisioned and passwords established to access IT Resources of the University.  Departmental or Information System policies may impose additional account requirements but must not lessen the requirements set forth in this policy.
  2. SCOPE
    This policy applies to all Users of any IT Resources of the University.  The requirements apply to User Accounts, local Information System accounts, application accounts, and accounts used to access third-party provided services.
  3. POLICY STATEMENT

3.1 Accounts

3.1.1 Unless technical limitations exist, the University’s central authentication services and User Accounts must be used instead of Information System specific authentication methods.

3.1.2 User Accounts include employee, student, visitor, and miscellaneous accounts created and managed by CCIT. Visitor and miscellaneous accounts that will have access to confidential or restricted Data require approval from the Office of Information Security.  These account types are established according to the requirements below.

3.1.2.1 Employee accounts: established when hiring transactions are posted in the Human Resource system and are disabled when employee terminations are posted.

3.1.2.2 Student accounts: established for each person currently enrolled or accepted for admission within the coming year and who has arranged an orientation date. Following graduation, student accounts remain active for one year.

3.1.2.3 Visitor accounts:  established as needed for individuals who are not students or Employees but are conducting University business and have approved access to IT Resources.

3.1.2.4 Miscellaneous accounts:  established as needed for limited access to IT services by a non-specific User, such as a student organization or departmental function.

3.1.3 For those local Information Systems, applications, and third-party service providers that do not use CCIT-managed User Accounts, the Information System Owner is responsible for managing the User Accounts on each Information System for which the Information System Owner is responsible.

3.1.4 Each Information System Owner must review, at least annually, all User Accounts with administrator privileges on each Information System for which the Information System Owner is responsible.

3.2 Access

3.2.1 Users must be given the minimum required permissions to access the IT Resources based on assigned roles and responsibilities, in accordance with the Principle of Least Privilege. No User is permitted to share the IT Credentials of the User with any other person.

3.2.2 No User is permitted to access any User account that is not owned by such User. Knowing the correct username and password combination for another User Account does not constitute authorization for access.

3.2.3 No User is permitted access to confidential and restricted Information without approval of the applicable Data Trustee or Data Steward. Access will only be granted if required by the User’s assigned roles and responsibilities.

3.2.4 User Account privileges must be reviewed when an individual changes positions or job duties. Information System Owners are responsible for submitting requests to remove or add access to IT Resources and Data.

3.3 Passwords

3.3.1 Each User is responsible for creating strong passwords and safeguarding the IT Credentials of the User.

3.3.2 Each password must pass the strength test enforced by the password change utility (https://idp.clemson.edu/password/change.php).

3.3.2.1 Passwords must not contain the words "Clemson", "tiger", or "password".

3.3.2.2 Passwords must not contain the User’s name or date of birth.

3.3.3 Each User Account that has been, or is suspected of being, compromised requires a password change. When a compromised User Account has been detected, the OIS will initiate a password change and notify the User and/or their departmental IT consultant.

 

  4. ADDITIONAL RESOURCES

 

  5. RESPONSIBLE DEPARTMENT
    The Office of Information Security, security@clemson.edu

 

  6. APPROVAL & REVISION HISTORY
    • President Approval: May 23, 2022
    • Last Date of Revision: June 13, 2019
    • Originally Issued: February 2008