91.004:大学证书
批准
2015年8月27日
Matthew Dalton | Director of Information Security
Stephen Golding | Vice President for Finance and Administration
罗德里克J. 麦克戴维斯|总统
-
概述
凭证 issued at Ohio university are for the sole purpose of accessing university resources. 他们往往是攻击的第一线, 最后一道防线, 保护这些资源. Because of this, they must be used with care, and adequately protected. This policy outlines those protections that must be observed by individuals, 技术人员, and systems using credentials at the university and recommendations for their protection.
-
个人
An individual to whom credentials have been issued has certain responsibilities in the care of those credentials. The following behaviors should be observed to reduce the risk of compromise to your credentials.
-
Keep your credentials, secret questions, and their answers private and known only to you.
-
Use unique credentials (username and password combination) for Ohio university that are different from any other service or website.
-
Your credentials are for your personal authentication to university resources, and should not be used as a means to provision services to other users.
-
If you suspect that your credentials have been compromised, change your credentials and questions immediately and inform the information security office by e-mail to security@俄亥俄州.edu.
-
-
凭证
凭证 exist to ensure that the individual gaining access to university resources through an account is the same individual to whom the access was given. The university acknowledges that not all accounts carry the same level of risk. Therefore the level of rigor and complexity requirements that are applied to ensuring the security of the credentials will be in line with the risk which a compromise of that account would present to the university or its community.
The university data stewards (see part (D) of policy 93.001) will review these complexity requirements on an annual basis. Any changes that need to take place between reviews will be identified by the university information security officer, and presented to the university data stewards for approval. Actual authentication complexity requirements will be captured in the "Authentication 凭证 Complexity Standard," which strives to relate the strength of the credential with the risk that a compromise of that account would present to the university.
-
信息系统所有者
It is the owner or manager of information services' responsibility to ensure that they comply with this policy and its associated complexity requirements. The recommended method is integrating with OIT authentication services and appropriately mapping individuals' accounts to the correct risk levels. Prior to integrating with OIT authentication services, permission must be obtained from the university information security officer and the chief information officer or their delegates. 如果发出了单独的用户凭据, the service owner must instruct their users to use different credentials than are used with their OhioID.
-
身份验证服务器
University authentication services are limited to those run and maintained by the office of information technology. It is the responsibility of the chief information officer or appointed delegate to ensure that the following are adhered to by all systems that perform authentication functions.
-
Only those systems that are required and approved by the chief information officer or appointed delegate may store passwords in any form. Those that store these passwords must store them in a cryptographically secure format.
-
Authentication systems must encrypt password at all times during transmission.
-
Authentication systems must be housed in the university datacenter or another approved location.
-
Authentication systems must be administered by OIT.
-
Authentication systems must be hardened in accordance with NIST 800-123.
-
Administrators accessing authentication systems must use an approved multi-factor authentication to access.
-
评论家
Proposed revisions of this policy should be reviewed by:
-
大学数据管理员
-
资讯系统业主
-
Information Technology Governance Council
-
Information Technology Student Focus Group
-
行政参议院
-
教师参议院