General
This section implements CSU Information Security Policy 8060.00.
Account Provisioning
Each person who requires access to campus ITS resources is provisioned with a Dolphin Account automatically based on information in CI Records that describes a person’s affiliation with the University.
Whenever practical, each software and hardware system that performs authentication will interface with the campus’s Active Directory system and use Dolphin Names and Dolphin Passwords as authentication factors. Higher security systems may require additional authentication factors.
Systems that do not interface with the campus Active Directory or other authentication systems must demonstrate an equivalent and appropriate level of security.
Password Policy
All Dolphin Passwords must meet or exceed the following complexity rules:
- The password must contain eight characters or more.
- The password must contain an uppercase character, a lowercase character, and a numeric or special (i.e. !,$,#,%) character.
Dolphin Passwords may not contain a derivative of the Dolphin Name, Dolphin ID, birth date or last four digits of the user’s social security number, or a common word, phrase or number sequence.
Dolphin Passwords must be changed every 200 days using the Self Service Password Reset page on myCI. The Self Service Password Reset page is designed to prevent the reuse of the previous twelve Dolphin Passwords.
Each person issued a Dolphin Name and Dolphin Password is responsible for those credentials, and sharing them with another person constitutes a violation of the University’s Statement on Responsible Use of Information Assets.
Certain systems cannot integrate with the campus Active Directory system for authentication. For these systems, the minimum password complexity requirements and change intervals will vary. ITS will prescribe the strongest possible minimum password complexity requirements and change intervals for each of these systems in consultation with the Information Security Officer.
2-Factor Authentication with Duo
As of 12/31/2019 all faculty and staff have been enrolled in CI's Duo environment and are required to utilize 2-Factor Authentication when logging into university systems managed by single sign-on (SSO). These are primarily systems associated and accessed through the campus myCI portal.
Administrative Access to ITS Systems
Administrative access to campus information systems is governed by two ITS Business Practices.
Administrative access to workstations is regulated by ITS business practice BP-03-002. Administrative access to workstations is restricted to employees of the University, and, in the case of staff, is further restricted to employees with a legitimate business need for such access.
Administrative access to systems, services and servers is regulated by ITS business practice BP-02-002. The Chief Information Officer, Information Security Officer and Manager, ITS Infrastructure review administrative access roles for ITS systems at least annually. Administrative access to systems, services, and servers is restricted to employees of ITS who have a legitimate, documented business need for the access.
Common Management and Common Financial Systems (CMS/CFS) Segregation of Duties
The University will annually review Separation of Duties for CMS and CFS, and certify that the separation of duties meets or exceeds applicable University and CSU policy as well as applicable State or Federal laws.
The Director of Enterprise Services and Security performs a review of CMS and CFS roles once a month in conjunction with the appropriate module and security leads.