Policy #: IT0002
Effective Date: 02/11/07
Last Revision Date: 10/4/11

UCSC PASSWORD POLICY

Vice Chancellor, Information Technology
(Policy IT-0002)

I. Purpose/Scope

The purpose of this policy is to establish the applicability of, and specific responsibilities relating to, the UCSC Password Strength and Security Standards (Password Standards). This policy applies to all passwords that provide access to UCSC electronic information resources.

II. Definitions

The following terms used in this policy are defined in the online Glossary of UCSC IT Policy-Related Terms, available at http://its.ucsc.edu/policies/glossary.html.

• Confidential Information
• Electronic Information Resources
• Restricted Data
• Subject Matter Expert
• System Steward

III. Detailed Policy Statement: Applicability and Responsibility

APPLICABILITY

1. Compliance with the UCSC Password Standards is required for passwords that provide access to University restricted data [1], or where otherwise required by law, UC or campus policy, or contract.
2. The Password Standards are also recommended for passwords that provide access to other types of confidential information.
3. Passwords that do not provide access to confidential information, and do not share an Authentication System with ones that do, are not required to comply with the Password Standards.

RESPONSIBILITY

System Stewards [1], in consultation with Subject Matter Experts [1], where appropriate, are responsible for determining the applicability of the Password Standards to systems or data for which they are responsible based on the above criteria [2]. In situations where it is not clear whether the Password Standards apply to a certain type of data or system, the System Steward shall err on the side of more secure password requirements. System Stewards are also responsible for ensuring implementation and enforcement of the Password Standards where they are applicable. This includes informing users of password requirements.

System Stewards of authentication systems (e.g. systems, such as an identity management system, that allow the same username/password to be used for access to multiple services) are responsible for including in their service definition the minimum level of protection required for passwords provided by their system(s), and for communicating this information to other System Stewards.

All individuals are responsible for following the Password Standards where required. This includes not using passwords that provide access to confidential information with other systems or applications that do not adhere to the Password Standards.

IV. Authority

The campus Vice Chancellor, Information Technology on behalf of the Office of the Chancellor and the Office of the Campus Provost and Executive Vice Chancellor (CP/EVC) is the campus authority for the UCSC Password Policy. This policy was initially reviewed and approved by the CP/EVC on 2/11/2007. Next review date is October 2013.

V. Getting Help

For questions or feedback about this policy, contact the ITS Support Center at itrequest.ucsc.edu, help@ucsc.edu, 459-HELP, or in person M-F 8AM-5PM, 54 Kerr Hall

VI. Related Policies/References for More Information

References

• UC Business and Finance Bulletins - Information Systems (IS) Series: http://www.ucop.edu/ucophome/policies/bfb/bfbis.html.

Related Legislation and Policies

• Federal Privacy Act of 1974 - Public Law 93-579 (5 U.S.C. 552a) http://www.justice.gov/opcl/privacyact1974.htm
• State of California Information Practices Act of 1977 (Civil Code Section 1798 et seq.) http://www.leginfo.ca.gov/cgi-bin/calawquery?codesection=civ&codebody=1798&hits=20
• State of California Public Records Act (Gov. Code Section 6250 et seq.) http://www.leginfo.ca.gov/cgi-bin/calawquery?codesection=gov&codebody=6250&hits=20
• UC Business and Finance Bulletins - Records Management and Privacy (RMP) Series: http://www.ucop.edu/ucophome/policies/bfb/bfbrmp.html

VII. Attachments

• UCSC Password Strength and Security Standards: http://its.ucsc.edu/policies/password.html

Footnotes:

[1] See Definitions

[2] If a System Steward relies on an Authentication System, e.g. an identity management system, it is the responsibility of the System Steward to include password protection requirements of the Authentication System in this assessment.

Rev. 10/4/11