
Administrative Services

Policy Title: DHS Password and User Identification Security
Policy Number: DHS-090-002
Version: 1.0
Effective Date: 11/01/2003
Approved By: DHS Chief Administrative Officer
Approved Date: 10/02/2003
Policy:
- General
  - All authorized users with access to the DHS network and information systems are responsible for taking appropriate steps to select and secure strong passwords.
  - Passwords shall be used in conjunction with unique user identifications to control access to the DHS network, information systems, and information assets.
- Scope
  All individuals who have been granted access to the DHS network and information systems, including but not limited to full- and part-time employees, temporary workers, volunteers, contractors, those employed by others to perform DHS work, and others granted access, are covered by this policy and shall comply with this and associated policies, procedures, and guidelines.
- User Identification
  - Unique Identification. Authorized users shall be assigned unique user identifications for access to DHS network and information systems.
  - Use of Unique Identification. User identifications must be used only by the assigned user.
    - Authorized users are responsible for activities taken using their assigned user identification and password.
    - DHS-assigned user identifications shall not be used as personal user identifications outside of DHS network systems (e.g., non-DHS websites, Internet services, Yahoo, AOL, etc.).
  - Group/Job Identification. In circumstances where there is a clear business need, a unique identification may be assigned for a group of users or a specific job. Approval shall be obtained from the Information Security Office, documented, and reviewed annually. Additional controls may be required to maintain accountability.
- Password Construction
  - Strong passwords must meet all of the following criteria.
    - Length. All passwords must contain at least eight (8) characters. If the system cannot accommodate eight characters, the maximum number of characters the system allows shall be used.
    - Contain both alphabetic and numeric characters. All passwords shall contain at least one alphabetic character (a – z) and one numeric character (0 – 9), where the system allows.
    - Passwords shall not be constructed from personal information or from words found in a dictionary.
      - Examples of personal information include a spouse's name, children's names, an automobile license plate, a social security number, a birthday, etc.
    - Password reuse. User-generated passwords shall not be reused.
- Password Disclosure
  - Recording passwords. Passwords shall not be written down or otherwise recorded where they are accessible or recognizable by anyone else, such as taped to computer screens, stored under keyboards, or visible in a work area.
  - Sharing passwords. Passwords shall not be shared with or used by others. This includes a co-worker, manager, supervisor, friend, vendor, partner, information technology staff, administrative assistant, or anyone else.
  - "Remember Password" feature. Features that allow applications or systems to "remember" passwords shall not be used.
  - Automated logon prohibited. Macros, quick keys, shortcuts, or similar technology that automates entry of user IDs and/or passwords shall not be constructed or used.
  - Compromised password. A password shall be changed immediately when it has been compromised or when there is suspicion that it has been compromised.
- Password Control
  - Password changes. Passwords shall be changed every 60 days. Network and information systems shall require passwords to be changed every 60 days, where possible.
  - Initial or reset passwords issued by system administrators shall be valid only for the first log-on. Users shall create unique passwords at the first log-on or session.
  - Unsuccessful attempts. Three (3) consecutive unsuccessful attempts to access a DHS network or information system shall suspend or disable the user's ability to log on.
  - Vendor default passwords shall be changed before any computer or communications system is released for production and used for DHS business.
  - Automated systems. To the extent possible, information technology shall be designed, configured, and implemented to adhere to these provisions.
- Compliance
Failure to comply with this policy and associated
policies, standards, guidelines, and procedures may result in disciplinary
actions up to and including dismissal from state service for employees or
termination of contracts for contractors, partners, consultants, and other
entities. Legal actions also may be taken for violations of applicable regulations
and laws.
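The Password Construction rules above (minimum length, at least one letter and one digit, no dictionary words or personal information, no reuse) are the kind of check a system can enforce at password-set time. The following is an added example written for this page, not a DHS tool or code referenced by the policy. It encodes those rules as a checker that returns the list of violated rules. The wordlist, the personal-information list and the password history are constructed sample data; the salt value, the `max_len` parameter (for the "system cannot accommodate eight characters" case) and the hashed-history design are this example's assumptions. It goes slightly beyond the policy text in one respect: it also strips digits before the dictionary test, so that "Summer2003" is still recognized as a dictionary word.

```python
"""Password-construction checker for the DHS-090-002 rules (added example)."""
import hashlib
import hmac

# Constructed sample wordlist; a real deployment would load a full dictionary file.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "oregon", "salem"}

# Assumed fixed salt for the example so that history hashes are reproducible.
EXAMPLE_SALT = b"constructed-salt"


def password_hash(password: str, salt: bytes = EXAMPLE_SALT) -> bytes:
    """Salted PBKDF2 digest so the reuse history never stores old passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_password(password, personal_info=(), history=(), salt=EXAMPLE_SALT, max_len=None):
    """Return the list of violated construction rules; an empty list means acceptable.

    personal_info: strings the user must not embed (names, plate, SSN, birthday).
    history:       iterable of password_hash() digests of the user's prior passwords.
    max_len:       the system's maximum field length if it cannot hold 8 characters.
    """
    problems = []

    # Length: at least 8, or the system maximum when the system allows fewer.
    required = 8 if max_len is None else min(8, max_len)
    if len(password) < required:
        problems.append(f"shorter than {required} characters")

    # Both alphabetic and numeric characters must be present.
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")

    # Dictionary words: test the whole password and the letters-only core,
    # so that a word padded with digits ("summer2003") is still caught.
    lowered = password.lower()
    letters_only = "".join(c for c in lowered if c.isalpha())
    if lowered in SAMPLE_DICTIONARY or letters_only in SAMPLE_DICTIONARY:
        problems.append("dictionary word")

    # Personal information: substring match on items of 3+ characters to avoid
    # flagging every password that happens to share two letters with a name.
    for item in personal_info:
        item = str(item).lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal information ({item})")

    # Reuse: compare the candidate's digest against stored digests in constant time.
    candidate = password_hash(password, salt)
    if any(hmac.compare_digest(candidate, old) for old in history):
        problems.append("reused password")

    return problems


if __name__ == "__main__":
    # Constructed sample user data for a demonstration run.
    user_info = ["Pat", "ABC123", "1965"]
    prior = [password_hash("xk7q2vwpn9")]
    for pw in ["Summer2003", "Pat1965zz", "xk7q2vwpn9", "abc", "rq4mz8tbw1"]:
        print(pw, "->", check_password(pw, user_info, prior) or "OK")
```

The checker reports every failed rule rather than stopping at the first, which is what a user-facing password-change screen needs. Keeping the reuse history as salted PBKDF2 digests rather than plaintext is a design choice of this example; the policy only requires that user-generated passwords not be reused.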

Form(s):

DHS 2119, Group/Job ID Exceptions Request Form (available as Adobe PDF or Word)


Policy History:
Version 1.0:

11/01/2003 - Initial Release

If you have comments about this site send email to dhs.policyinfo@state.or.us.
Oregon Department of Human Services
500 Summer St. NE E94, Salem, OR 97301-1097
Phone: (503) 945-5944
Fax: (503) 378-2897
TTY: (503) 947-5330