DTS POLICY 4000-0002
Policy Type: Enterprise
Authority: UCA §63F-1-103; UCA §63F-1-206; Utah Administrative Code
Submitted On: NA
Submitted By: Richard Madsen, DTS Hosting Director
Approved By: Michael Hussey
Issue Date: NA
Effective Date: 04/15/2013
Last Revised Date: 11/04/2020
Last Revised By: Ben Mehr
Last Approved By: Phil Bates
Last Reviewed Date: October 2020
Last Reviewed By: Ben Mehr
Next Review: October 2021
The purpose of this policy is to establish requirements for user authentication, including passwords and multifactor authentication.
This policy applies to all State of Utah executive branch employees, contractors, temporary workers, volunteers, and others (collectively referred to as users throughout the rest of this policy) who have access to State of Utah information resources that require user authentication. All user IDs created on any state computing system or device must have an associated password and multifactor authentication that meets the requirements of this policy. It is the responsibility of the user to adhere to this policy.
Common, default, or shared passwords are ineffective and aid hackers and others in their illicit attempts to access systems and confidential data within the State of Utah. Protecting State of Utah computers, systems, and data from unauthorized access is of preeminent importance. Strong passwords play a critical role in preventing unauthorized access.
In order for a system to be exempt from the MFA requirement, a user must request an exemption/exception by submitting a DTS Form 525 Security Risk Acceptance Request via ServiceNow, and the form must be approved by the Chief Information Officer (CIO), or the CIO’s authorized designee, before the exemption/exception takes effect.
1.4 Annual Review
In order to ensure that this policy is current and effective, DTS will review the policy annually and will make changes as needed.
Multifactor Authentication (MFA)
MFA refers to when a user is required to prove their identity by not only confirming their password but also using an additional security factor. While the first factor is something the user knows (i.e., a password), the additional factor, referred to as multifactor authenticator throughout this document, is something the user has that provides a numerical string that the user supplies when logging in, such as the following:
- a token,
- an e-mail or SMS text message,
- an app, or
- a dongle that plugs in to a USB port or uses near field communication.
An additional factor could be based on biometrics, such as confirming a user’s fingerprint or using facial recognition.
Near Field Communication (NFC)
NFC is a short-range wireless technology that enables simple and secure communication between electronic devices. It may be used on its own or in combination with other wireless technologies, such as Bluetooth.
A supervisor-level password is a password that provides a user with administrative access to applications and systems (e.g., system access to an operating system on a server by a system administrator or the ability to manage an application by an application administrator or power user). Accounts that require supervisor-level passwords may include root accounts, system admin accounts, and accounts with elevated privileges.
The term user in this document refers to all State of Utah employees, contractors, temporary workers, volunteers, and others who have access to State of Utah information resources that require a user ID and password authentication.
User ID and Password
User IDs and passwords protect the integrity of information, provide authentication, control access, and establish user audit capabilities within the State of Utah computing environment and information resources. The combination of a user ID and password validates that a particular user is authorized to access a system or device.
A user-level password is a password that provides a user with basic access to applications and systems (e.g., access to e-mail or a business application, such as Finet).
3.1 Password Frequency of Change
- All supervisor-level passwords must be changed:
- every sixty days; or
- when someone with administrative privileges, or a possible knowledge of supervisor-level passwords, leaves employment or a volunteer position with the State of Utah or is no longer performing duties that require supervisor-level permissions.
- All user-level passwords must be changed at least every ninety days.
- A history of a user’s twenty-four most recently used passwords will be maintained. Any password in the history may not be reused.
- After three consecutive unsuccessful password attempts, the first lockout is ten minutes, the second lockout is thirty minutes, and the third lockout is ninety minutes.
Note: Users with a UtahID account can reset passwords by going to https://login.utah.gov and clicking Forgot Password. Users can also refer to the instructions at https://idhelp.utah.gov/ for additional guidance.
3.2 Strong Password Requirements
Selecting a strong password is of the utmost importance. All supervisor- and user-level passwords must meet the following strong password requirements:
- Passwords must be at least eight characters in length.
- Passwords must not include any portion of a user’s name, address, date of birth, Social Security Number, username, nickname, family name, pet name, sports team name, or word that appears in a dictionary or any such word spelled backward.
- Passwords must include at least one character from three of the following attributes:
- uppercase characters (A – Z)
- lowercase characters (a – z)
- numeric characters (0 – 9)
- special characters (i.e. !, @, #, $, %, ^, &, *, ))
Also, when changing a password it is not acceptable for a user to simply add a number to the end of a previously used password (e.g., password88, password89, etc.).
3.3 Strong Password Suggestion
Users should try to create passwords that can be easily remembered but not easily guessed. One way to do this is to create a password based on a song title, affirmation, or other phrase.
Example Password Creation Suggestions
Potential Password from Phrase
“At work I am on my best behavior.”
“Money is a good asset to have.”
“The number 7 is a lucky number.”
3.4 Password Protection Requirements
- Passwords must never be sent in clear text (including via e-mail, chat, instant messaging, or any other nonsecure form of information transfer) over the network.
- Passwords should never be stored in unsecured places, such as written down on a sticky note or saved unprotected online.
- Passwords used for the State of Utah computing environment and information resources should be different from those passwords used for personal accounts (e.g., a personal internet service provider [ISP] account or personal e-mail account, a benefits account, a banking account, etc.).
- User IDs and passwords should never be shared with anyone, including administrative assistants, coworkers, family members, a local network administrator, desktop technician, or supervisor.
- All passwords are to be treated as sensitive, confidential State of Utah information.
3.5 Compromised Password
Any time a user suspects that the user’s ID or password has been compromised, the user must change their password immediately or request that the user’s account be disabled.
3.6 MFA Requirements
MFA is a necessary component in securing access to a user’s account. In the case that a password is compromised, MFA acts as a second level of security. Since MFA is something a user has, rather than something a user knows, MFAs must be kept safe. Multifactor authenticators differ in level of security. For example, federal regulations may require an MFA that is more rigorous than an MFA required by state regulations. State of Utah individual requirements for multifactor authenticators are that they:
- must not be shared with anyone else,
- must meet the level of security required by federal data security requirements,
- must be reported and replaced immediately if lost or broken,
- must be returned when leaving state employment.
Violation of this policy may be the basis for discipline, including termination. Individuals found to have violated this policy may also be subject to legal penalties as may be prescribed by state and federal statutes and regulations.