Net ID Standards
| Author | Mitchelle Morrison with Ken Bowman, Thomas Cramer, Richard Gadsden, Kayann Januchowski, Kurt Nendorf, Bill Rust, and Christine Williamson |
| Contact | morrisom@musc.edu |
| Version | 1.2.3 |
| Date | 24 April 2006 |
| Status | approved by Infrastructure Council |
- 1. Purpose and Scope
- 2. Applicable MUSC Policies
- 3. User Namespace Standards
- 4. Password Complexity Standards
- 5. Password Distribution Standards
- 6. Registration Standards
1. Purpose and Scope
The purpose of this document is to establish the standard requirements for managing the NetID account.
2. Applicable MUSC Policies
The NetID is the basis of the "centralized, standards-based authentication service" referred to in the MUSC Policy: Information Security - Person or Entity Authentication. Other relevant policies include:
- MUSC Computer Use Policy
- MUSC Policy: Information Security
- MUSC Policy: Information Security - Person or Entity Authentication
3. Namespace Standards
The NetID username will be assigned by the Identity Management System. It will consist of 3 to 8 characters and be assigned as follows:
- The first 3 characters will be the user's initials or the first 3 characters of the user's first name.
- The remaining characters will be sequentially generated digits, added as needed to create a unique username.
Existing users may keep their existing username. All users entitled to email will be given an email alias. For existing users, the email alias will default to their current email address. New users will be given an email alias that is derived from their name. The algorithm for deriving the initial email alias will be consistent with the email addresses of existing users. For example, suppose Robert Jackson Smith is a new user. He is assigned "rjs5" as his NetID and "smithrj" as his email alias. Robert Jackson Smith would log onto the network and any application utilizing the NetID as "rjs5". "smithrj" could be published in the online directory and the appropriate email address book. A user may submit a request to have their email alias changed.
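The assignment rules above, worked through in code. This is an added example, not code from MUSC's Identity Management System. It assumes that the three-initial form is used when a person has a first, middle and last name and the first-three-letters form otherwise, that letters outside a-z are dropped, and that the email alias is last name plus first and middle initials (which reproduces the page's "smithrj"); none of those details are stated on the page. The set of already-issued usernames is constructed for the example.

```python
import re
from typing import Optional

NETID_MIN, NETID_MAX = 3, 8  # length limits from section 3


def _letters(part: str) -> str:
    """Lower-case and keep a-z only (hyphens, apostrophes, accents dropped: an assumption)."""
    return re.sub(r"[^a-z]", "", part.lower())


def netid_base(first: str, middle: Optional[str], last: str) -> str:
    """3-character stem: initials when three name parts exist, else the first 3 letters of the first name.

    Which of the two forms applies in which case is not stated on the page; this is the assumed rule.
    """
    if middle:
        stem = _letters(first)[:1] + _letters(middle)[:1] + _letters(last)[:1]
    else:
        stem = _letters(first)[:3]
    if len(stem) != NETID_MIN:
        raise ValueError(f"cannot derive a 3-letter stem from {first!r} {middle!r} {last!r}; assign manually")
    return stem


def assign_netid(first: str, middle: Optional[str], last: str, taken: set) -> str:
    """Stem plus sequentially generated digits, added only as needed to make the username unique."""
    stem = netid_base(first, middle, last)
    if stem not in taken:
        return stem
    # The 8-character ceiling leaves room for at most 5 digits after the 3-letter stem (stem + 99999).
    for n in range(1, 10 ** (NETID_MAX - NETID_MIN)):
        candidate = f"{stem}{n}"
        if candidate not in taken:
            return candidate
    raise RuntimeError(f"namespace exhausted for stem {stem!r}")


def email_alias(first: str, middle: Optional[str], last: str, taken: set) -> str:
    """Assumed derivation matching the page's example: last name + first initial + middle initial.

    A numeric suffix for collisions is also an assumption; the page only says the alias must be unique.
    """
    alias = _letters(last) + _letters(first)[:1] + (_letters(middle)[:1] if middle else "")
    candidate, n = alias, 1
    while candidate in taken:
        n += 1
        candidate = f"{alias}{n}"
    return candidate


if __name__ == "__main__":
    # Constructed: usernames already issued, so that Robert Jackson Smith lands on "rjs5" as in the text.
    issued = {"rjs", "rjs1", "rjs2", "rjs3", "rjs4"}
    print(assign_netid("Robert", "Jackson", "Smith", issued))   # rjs5
    print(email_alias("Robert", "Jackson", "Smith", set()))     # smithrj
```

The two functions are kept separate because the page treats the NetID (used to log in) and the email alias (published in the directory) as distinct identifiers: the alias can be changed on request, the NetID cannot.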
4. Password Complexity Standards
In accordance with policy and guidelines, users are required to choose a password that cannot be easily guessed by an attacker. Thus the password must adhere to the following complexity standards.
- The password must be at least 6 characters long.
- The password must be no greater than 10 characters long.
- The character types must adhere to 3 of the following standards:
  - At least 1 numeric character
  - At least 1 uppercase character
  - At least 1 lowercase character
  - At least 1 special character
- The password (independent of case) must not contain the username.
- The password (independent of case) must not contain any component of the user's name. Thus the password must not contain the user's first name, preferred name or last name.
- The password is not in the Identity Management dictionary.
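The complexity standards as a checker that reports every rule a candidate password breaks, so the user can be told all of them at once. This is an added example, not MUSC's own validation code. It assumes "special character" means any non-alphanumeric character and that the dictionary check is a case-insensitive exact match; neither is defined on the page. The dictionary contents are constructed, since the page does not publish the Identity Management dictionary.

```python
PW_MIN, PW_MAX = 6, 10
REQUIRED_CLASSES = 3

# Constructed stand-in for the Identity Management dictionary.
IDM_DICTIONARY = {"password", "welcome", "charleston", "medical"}


def character_classes(password: str) -> int:
    """Count how many of the four character classes appear in the password."""
    checks = (
        any(c.isdigit() for c in password),
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(not c.isalnum() for c in password),  # "special": assumed to mean non-alphanumeric
    )
    return sum(checks)


def check_password(password: str, username: str, name_parts, dictionary=IDM_DICTIONARY) -> list:
    """Return the list of standards the password violates; an empty list means it is compliant.

    name_parts holds every component of the user's name the page mentions: first name,
    preferred name and last name (a middle name can be included as well).
    """
    problems = []
    if len(password) < PW_MIN:
        problems.append(f"shorter than {PW_MIN} characters")
    if len(password) > PW_MAX:
        problems.append(f"longer than {PW_MAX} characters")
    if character_classes(password) < REQUIRED_CLASSES:
        problems.append(f"fewer than {REQUIRED_CLASSES} of the 4 character classes")

    # The containment rules are independent of case, so compare in lower case.
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the username")
    for part in name_parts:
        if part and part.lower() in lowered:
            problems.append(f"contains name component {part!r}")
    if lowered in {word.lower() for word in dictionary}:
        problems.append("in the Identity Management dictionary")
    return problems


def is_compliant(password: str, username: str, name_parts, dictionary=IDM_DICTIONARY) -> bool:
    return not check_password(password, username, name_parts, dictionary)


if __name__ == "__main__":
    names = ["Robert", "Jackson", "Smith", "Bob"]  # first, middle, last, preferred
    for candidate in ["Sm1th!rj", "Rjs5abc!", "Bob123!x", "Charleston", "Ab1!"]:
        print(candidate, check_password(candidate, "rjs5", names))
```

Checking the preferred name as well as the legal first name matters: a directory usually exposes the preferred name, so it is just as guessable as the others.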
5. Password Distribution Standards
This section addresses the distribution of the NetID username and password. In accordance with policy and guidelines, both the initial password and password resets will be conveyed to the user in a controlled manner.
5.1 Distribution Location
The Infrastructure Division of OCIO-IS will designate security stations. An account is automatically requested when a person is registered in the Identity Management System. Thus if a person desires an account, he should follow the assisted reset procedure. If it is determined that he does not have an active registration, he will be directed to contact his Human Resources department and follow the designated registration procedure. As part of the registration process, a security station is selected from the list of designated security stations. The user or the user's supervisor must then go to the selected security station. Upon presentation of a valid MUSC ID badge, the user or the user's supervisor may pick up the NetID instruction sheet, account username and initial password. The designated security stations include:
- Medical Center Security Desk, 1st floor lobby North Tower (Sun-Sat, 24 hrs)
- Library Systems Office, 4th floor Education Center/Library (Mon-Fri, 8am-5pm)
- OCIO Information Services, 2nd floor Harborview Office Tower (Mon-Fri, 8:30am-5pm)
5.2 Account Activation
A new user must activate their NetID within 60 days of its creation. If the NetID is not activated within the specified time frame, it will be disabled. In order to activate their account, the user must:
- Read and agree to the Computer Use Policy. Thereafter, the user will be required to agree to the Computer Use Policy on an annual basis.
- Read and agree to the Security and Confidentiality Agreement.
- Establish the required number of shared secrets by selecting challenge questions and supplying the answers.
- Change their initial password.
5.3 Password Changing
Although the NetID password will not have a minimum age, the user should change it immediately if he has reason to believe his password has been compromised. Password changing will occur within the Identity Management system. After 3 failed attempts to login within 1 day, the user will be locked out of the Identity Management system for the day. All attempts to change passwords (including resets) will be logged (including a timestamp and IP address) and the user notified. Password recovery will not be possible; rather, when necessary, passwords will be reset. Prior to granting a password reset request, the user will be required to have an active registration. If a user does not have an active registration, she will be directed to contact her Human Resources department and follow the designated registration procedure.
5.3.1 Assisted Password Resets
If a user has forgotten her password and cannot answer the required number of challenge questions, she should present her MUSC ID badge at one of the designated security stations. If a user cannot present her MUSC ID badge, then her supervisor must request the password be reset and deliver the new initial password.
Note: Password resets will NOT be handled over the phone.
5.3.2 Self-Service Password Resets
Self-Service Password Resets will require the establishment of a set of shared secrets. The shared secret consists of a question and answer pair. In consultation with the MNA Creation and Password Management Task Force, the Infrastructure Division of OCIO-IS has established the following rules regarding shared secrets:
- The user must select a minimum of 3 questions and supply their answers. The lists of questions have been established by the MNA Creation and Password Management Task Force.
- A self-service reset request will be granted if the user supplies 2 out of 3 shared secrets.
- After 2 retries within one day, the self-service reset request function will be locked. The user must then follow the procedure for assisted resets.
- After successfully supplying the shared secrets, the user is allowed to select a new password and is directed to reactivate their account.
- High risk users will be excluded from the Self-Service process.
- The question and answer pairs will be stored with punctuation and spaces removed, and the answers will be encrypted.
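The self-service reset rules above, together with the logging requirement of section 5.3 (every attempt recorded with a timestamp and IP address), as an added example; this is not MUSC's Identity Management code. Where the page says the stored answers are "encrypted", the example stores a salted PBKDF2 hash instead, because a reset service only ever needs to verify an answer, never to read it back. Other assumptions: answers are compared case-insensitively after punctuation and spaces are stripped; "after 2 retries within one day" is read as three failed attempts in a rolling 24-hour window; and three of the enrolled questions are asked, of which two must be answered correctly. The accounts, questions and answers are constructed.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_QUESTIONS = 3          # user must enroll at least 3 question/answer pairs
REQUIRED_CORRECT = 2       # 2 of 3 supplied secrets grant the reset
MAX_FAILURES_PER_DAY = 3   # one attempt plus two retries (assumed reading of the rule)
PBKDF2_ROUNDS = 100_000


def normalize(text: str) -> str:
    """Drop punctuation and spaces as the page requires; lower-casing is an added assumption."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Secret:
    question: str   # normalized question text
    salt: bytes
    digest: bytes


@dataclass
class Account:
    netid: str
    high_risk: bool = False
    secrets: list = field(default_factory=list)
    failures: list = field(default_factory=list)    # timestamps of failed reset attempts
    audit_log: list = field(default_factory=list)   # one line per attempt, per section 5.3


def enroll(account: Account, pairs) -> None:
    """Store the user's chosen question/answer pairs; only a salted hash of each answer is kept."""
    if len(pairs) < MIN_QUESTIONS:
        raise ValueError(f"at least {MIN_QUESTIONS} questions are required")
    account.secrets = []
    for question, answer in pairs:
        salt = os.urandom(16)
        account.secrets.append(Secret(normalize(question), salt, hash_answer(answer, salt)))


def _failures_in_last_day(account: Account, now: datetime) -> int:
    window_start = now - timedelta(days=1)
    return sum(1 for t in account.failures if t > window_start)


def attempt_reset(account: Account, answers: dict, ip: str, now: datetime) -> str:
    """Evaluate one self-service reset attempt.

    answers maps question text to the supplied answer. Returns one of
    'excluded' (high-risk user), 'locked' (daily retry limit reached),
    'denied' (too few correct answers) or 'granted'.
    """
    def log(outcome: str) -> str:
        account.audit_log.append(
            f"{now.isoformat()} ip={ip} netid={account.netid} self-service-reset outcome={outcome}")
        return outcome

    if account.high_risk:
        return log("excluded")
    if _failures_in_last_day(account, now) >= MAX_FAILURES_PER_DAY:
        return log("locked")   # user must follow the assisted reset procedure

    by_question = {s.question: s for s in account.secrets}
    correct = 0
    for question, supplied in answers.items():
        secret = by_question.get(normalize(question))
        if secret and hmac.compare_digest(hash_answer(supplied, secret.salt), secret.digest):
            correct += 1
    if correct >= REQUIRED_CORRECT:
        return log("granted")   # caller then lets the user pick a new password and reactivate
    account.failures.append(now)
    return log("denied")


if __name__ == "__main__":
    acct = Account("rjs5")
    enroll(acct, [("Mother's maiden name?", "O'Brien"),
                  ("First school?", "St. Mary's"),
                  ("City of birth?", "Charleston")])
    print(attempt_reset(acct, {"First school?": "st marys", "City of birth?": "Charleston",
                               "Mother's maiden name?": "wrong"}, "10.0.0.5", datetime(2006, 4, 24, 9, 0)))
    print(acct.audit_log[-1])
```

The normalization step is what lets "St. Mary's" and "st marys" match, which is the practical reason the page strips punctuation and spaces; the constant-time comparison and per-answer salt are the defensive additions a verifier of stored secrets should always have.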
6. Registration Standards
Every person must be registered by a Registration Authority (RA) prior to receiving a NetID. Upon registration, NetID provisioning will be initiated. If a person is registered, but fails to complete the NetID process, e.g. doesn't activate his account, and later needs his NetID, then he will follow the assisted reset procedure.
6.1. Sponsoring Entity Responsibilities
The Sponsoring Entity is owned by its Human Resources department. The Human Resources department is the default Registration Authority, meaning that until the HR department establishes a Registration Authority to register a particular type of person, the HR department will register them. For example, the MUSC Hospital Authority will register all of their employees, but will designate the House Options Pool Clinical Staffing Office as the Registration Authority for travel nurses. Each Human Resources department is responsible for establishing all RAs within its Entity.
The Sponsoring Entities have agreed on the following categories of people:
- Student
- Employee
- Contracted
- Partner
- Volunteer
The Sponsoring Entities will agree on the registration rules per category of people. For example, all employees must clear a background check and a drug screening. The HR department is then responsible for enforcing the rules established for registering each category of people within its Entity.
6.2. Registration Authority Responsibilities
The RA is responsible for following the registration rules per category. Primarily, the RA is responsible for documenting and verifying the person's identity. The RA is also responsible for documenting the person's supervisor.
6.3. Supervisor Responsibilities
As indicated by MUSC Policy: Information Security - Workforce Security, the supervisor is responsible for approving the access requests for the person, i.e. approving Groupwise, OACIS, etc. The supervisor is also responsible for notifying the RA when the person departs, or when the person transfers to an