Account guidelines

Minimum password length: The length of passwords must always be automatically checked at the time that users construct or select them. All passwords must be at least fourteen characters in length.

Difficult-to-guess passwords required: All user-chosen passwords for computers and networks must be difficult to guess. Words found in a dictionary, derivatives of user-IDs, common character sequences such as “123456”, personal details such as spouse’s and pet’s names, license plate numbers, social insurance numbers, and birthdates must not be employed.

User-chosen passwords must not be reused: Users should not construct passwords, which are identical or substantially similar to passwords that they have previously employed. Reuse of passwords increases the chance that a password will be divulged to unauthorized parties.

Passwords should contain a mix of characters: All user-chosen passwords should contain characters from three of the following four groups:

Lower case alphabet
Upper case alphabet
Numbers (0-9)
Punctuation

The use of control characters and other non-printing characters is discouraged because they may inadvertently cause network transmission problems or unintentionally invoke certain system utilities.

Storage of system-generated passwords: If passwords or Personal Identification Numbers (PINs) are generated by a computer system, they must always be issued immediately after they are generated. Regardless of the form they take, passwords and PINs that are generated but not issued must never be stored on the involved computer systems.

Protection of password generation algorithms: If passwords or PINs are generated by a computer system, all software and files containing formulas, algorithms, and other specifics of the process must be controlled with the most stringent security measures supported by the involved computer systems.

Previous password history file: On all multi-user machines, system software or locally developed software must be used to maintain an encrypted history of previous fixed passwords. This history file must be employed to prevent users from reusing old passwords. The history file should minimally retain the last thirteen (13) passwords for each user-ID.

Displaying and printing of passwords: Displaying and printing of passwords must be masked, suppressed, or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them.

Periodic forced password changes: All users should be automatically forced to change their passwords periodically; preferably every thirty (30) days for access to sensitive data and every ninety (90) days for access to other data.

Password change interval synchronization across platforms: The fixed password change interval could be synchronized across all computer and network platforms at the University of Ottawa for global sign-on if necessary.

Assignment of expired passwords: The initial passwords issued by the account management administrator should be valid only for the involved user’s first on-line session. At that time, the user must be forced to choose another password before any other work can be done.

Limits on consecutive, unsuccessful attempts to enter a password:To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect password must be strictly limited. For example, after ten (10) unsuccessful attempts to enter a password, the involved user-ID should be either:

suspended until reset by a system administrator, or
temporarily disabled for no less than three minutes

Single/Global sign-on process: Users must be asked for only one user-ID and password combination at the time they reach the network and/or destination computer system. User identity related information should then be passed (transparent to the user) to other computers, database management systems, services and applications.

All workstations must have password-based boot protection: All workstations used for the University of Ottawa business activity, no matter where they are located, should use an access control system approved by Information Technology. In most cases this will involve screen-savers with fixed, password-based boot protection along with a 'time out after no activity' feature.

Passwords never in readable form outside workstations: Fixed passwords must never be in readable form outside a personal computer or workstation.

Protection of passwords sent through the mail: If sent by regular mail or similar physical distribution systems, passwords must be sent separately from user-IDs. These mailings must have no markings indicating the nature of the enclosure. Passwords must also be concealed inside an opaque envelope that will readily reveal tampering.

Storage of passwords in readable form: Passwords must not be stored in readable form in batch files, automatic login scripts, software macros, terminal function keys, in computers without access control, or in other locations where unauthorized persons might discover or use them.

Encryption of passwords: Passwords must always be encrypted when held in storage for any significant period of time or when transmitted over networks. This will prevent them from being disclosed to wire-tappers, technical staff that are reading system logs, and other unauthorized parties.

Changing vendor default passwords: All vendor-supplied default passwords must be changed before any computer or communications system is used at the University of Ottawa.

Requirement for different passwords on different systems: To prevent compromising multiple systems, computer users must employ different passwords on each of the systems to which they have been granted access unless the Global Sign-on procedure is in place.

Suspected disclosure forces password changes: All passwords must be promptly changed if it is suspected or known that they have been disclosed to unauthorized parties.

Forced change of all passwords: Whenever a system has been compromised by an unauthorized party, system managers must immediately change every password on the system involved. Even suspicion of a compromise requires that all passwords be changed immediately. Under either of these circumstances, a trusted version of the operating system and all security-related software must also be reloaded. Similarly, under either of these circumstances, all recent changes to user and system privileges must be reviewed for unauthorized modifications.

In-person proof of identity to obtain a password: Passwords must never be disclosed via voice telephone lines unless the requested identification can be confirmed by a pre-determined method. Otherwise, a user must show up in person and present suitable identification.

Granting user-IDs to external users

Individuals who are not employees, students, researchers, contractors, or consultants must not be granted a user-ID or otherwise be given privileges to use University of Ottawa computers or communications systems unless the written approval of a service director, dean or delegate has first been obtained.

Third party access to University of Ottawa requires signed contract

Before any third party is given access to University of Ottawa systems, a contract defining the terms and conditions of such access must have been signed by a responsible manager at the third party organization. Both the Security Architect and the Legal Counsel must also approve these terms and conditions.

Information systems access privileges terminate when employees leave

All University of Ottawa information systems privileges must be promptly terminated at the time that an employee ceases to provide services to the University of Ottawa, unless such services are extended to a specific community or special permission is obtained from the Director or the Dean.

Disclaimer of responsibility for damage to data and programs

The University of Ottawa uses access control and other security measures to protect the confidentiality, integrity, and availability of the information handled by computers and communications systems. In keeping with these objectives, management maintains the authority to:

restrict or revoke any user’s privileges,
inspect, copy, remove, or otherwise alter any data, program, or other system resource that may undermine these objectives,
take any other steps deemed necessary to manage and protect its information systems.

This authority may be exercised with or without notice to the involved users. The University of Ottawa disclaims any responsibility for loss or damage to data or software that results from its efforts to meet these security objectives.

Restricted remote administration of Internet-connected computers

Remote administration of Internet-connected computers is not allowed unless one-time passwords are employed over encrypted links whenever the computers are in the restricted secure zones or contain sensitive data.

Dormant user-IDs and automatic privilege revocation

All user-IDs must automatically have the associated privileges revoked after a two (2) year period of inactivity. If an authorized user goes on vacation or leave-without-pay for an extended period, this policy will result in their user-ID being revoked unless permission is granted by the involved user’s department or service.

Periodic review and reauthorization of user access privileges

The system privileges, granted to every user, must be re-evaluated by the user’s immediate manager every twelve months. This re-evaluation involves a determination of whether currently enabled system privileges are still needed to perform the user’s current job duties.

Administrative security management for all networked computers

Configurations and setup parameters on all hosts attached to the University of Ottawa must comply with in-house security management policies and standards.

Schedule for deletion of files following worker termination

Unless otherwise requested, all files held in a user’s directories should be archived and then purged four weeks after the employee has permanently left University of Ottawa.