• Purpose
  • Scope
  • Policy
    1. Account Administration Standards
      • Issuing Accounts
      • Managing Accounts
      • Departmental Accounts
    2. Shared Accounts
    3. Administration of Password Changes
      • Procedure for Password Resets
      • Procedures for maintenance of "confidential data"
  • Password Management
     

The purpose of this policy is to establish a standard for the administration of computing accounts that facilitate access or changes to Amrita University institutional data. An account, at minimum, consists of a user ID and a password; supplying account information will usually grant access to some set of services and resources. This policy establishes standards for issuing accounts, creating password values, and managing accounts.

This policy is applicable to those responsible for the management of user accounts or access to shared information or network devices. Such information will be within a database, application or shared file space. This policy covers departmental accounts as well as those managed centrally.

Account Administration Standards

The following security precautions should be part of account management:

Issuing Accounts

  • HOD shall make decisions regarding access to respective data, and what kind of access each user has. Account setup and modification shall require the signature of the requestor's supervisor.
  • ICTS shall issue a unique account to each individual authorized to access network, computing and information resources. The naming convention ICTS follows when issuing a new account is “firstname” + “lastname”, e.g. NavneetPal.

    Where two users would otherwise receive the same name, an initial is added: “firstname” + initial + “lastname”, e.g. NavneetKPal. For long names, “firstname” + initial of “lastname” is used, e.g. Karthikeyan Sathyanarayanan becomes “KarthikeyanS”. Email addresses are set up as “firstname” + “.” + “lastname” @ am.amrita.edu. Where names collide, the address is “firstname” + “.” + initial + “lastname” @ am.amrita.edu, and for long names it is “firstname” + initial of lastname @ am.amrita.edu.

  • ICTS is also responsible for promptly deactivating accounts when necessary: accounts of terminated individuals shall be removed, disabled or revoked from any computing system at the end of the individual's employment or when continued access is no longer required, and the accounts of transferred individuals may require removal or disabling so that access privileges match the change in job function or location. For students, all data related to a disabled account should be cleared after 1 month; for staff, after 3 months.

  • When establishing accounts, standard security principles of “least required access” to perform a function must always be used, where feasible. For example, a root or administrative privileged account must not be used when a non-privileged account will do.

  • The identity of users must be authenticated before providing them with account and password details. In addition, it is highly recommended that stricter levels of authentication be used for those accounts with privileged access (e.g., user accounts used for email do not require an identity validation process as thorough as for those user accounts that can be used to modify department budgets etc.).

  • Passwords for new accounts should NOT be emailed to remote users unless the email is encrypted.

  • The date when the account was issued should be recorded in an audit log.

  • All managers of accounts with privileged access should be recorded under the care of a Human Resources representative or liaison.
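The username and email convention above, implemented as an added example that is not ICTS code. It assumes a threshold of 20 letters for a "long name" (the policy gives no number) and that email addresses are lower-cased; the collision handling follows the policy text literally.

```python
# Added example, not code from the Amrita policy or ICTS: derives usernames
# and e-mail addresses under the convention above. Assumptions: "long name"
# means more than LONG_NAME_LIMIT letters (the policy gives no number), and
# e-mail addresses are lower-cased.
EMAIL_DOMAIN = "am.amrita.edu"
LONG_NAME_LIMIT = 20  # assumed threshold; "KarthikeyanSathyanarayanan" is 26


def _letters(part: str) -> str:
    # Keep letters only so the result is a safe identifier for most systems.
    return "".join(ch for ch in part if ch.isalpha())


def make_username(first: str, last: str, middle: str = "", taken=()) -> str:
    """firstname+lastname; long names -> firstname + initial of lastname;
    on a clash with an existing username, insert the middle initial."""
    first, last, initial = _letters(first), _letters(last), _letters(middle)[:1].upper()
    if len(first + last) > LONG_NAME_LIMIT:
        name = first + last[:1].upper()
    else:
        name = first + last
        if name in taken and initial:
            name = first + initial + last
    if name in taken:  # the policy gives no further rule; escalate to ICTS
        raise ValueError(f"no unique username available for {first} {last}")
    return name


def make_email(first: str, last: str, middle: str = "", taken=()) -> str:
    """firstname.lastname@domain; long names -> firstname + initial of lastname;
    on a clash, firstname.<initial><lastname> as the policy states it."""
    first, last, initial = _letters(first), _letters(last), _letters(middle)[:1]
    if len(first + last) > LONG_NAME_LIMIT:
        local = first + last[:1]
    else:
        local = first + "." + last
        if (local + "@" + EMAIL_DOMAIN).lower() in taken and initial:
            local = first + "." + initial + last
    email = (local + "@" + EMAIL_DOMAIN).lower()
    if email in taken:
        raise ValueError(f"no unique e-mail address available for {first} {last}")
    return email
```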
     

Managing Accounts

  • All accounts shall be reviewed at least annually by ICTS to ensure that access and account privileges are commensurate with job function and employment status. The ICTS office shall also conduct periodic reviews of any system connected to the Amrita University network.
  • All guest accounts (for those who are not official members of the Amrita University community) with access to Amrita University computing resources shall contain an expiration date of one year or the work completion date, whichever occurs first. All guest accounts must be sponsored by the appropriate authorized member of the administrative entity managing the resource.

Departmental Accounts

For access to sensitive information managed by a department, account management should comply with the standards outlined above. In addition, naming conventions must not cause contention with centrally managed email addresses or usernames. 

Shared Accounts

Use of shared accounts is not allowed. However, in some situations, a provision to support the functionality of a process, system, device (such as servers, switches or routers) or application may be made (e.g., management of file shares). Such exceptions require documentation that justifies the need for a shared account; a copy of the documentation should be shared with ICTS.

Each shared account must have a designated owner who is responsible for the management of access to that account. The owner is also responsible for the above mentioned documentation, which should include a list of individuals who have access to the shared account. The documentation must be available upon request for an audit or a security assessment.

Administration of Password Changes

Procedures for Password Resets

  • The identity of users must be authenticated before providing them with ID and password details. In addition, it is required that stricter levels of authentication be used for those accounts with privileged access.
  • Whenever possible, passkeys or pre-expired passwords should be used to authenticate a user when resetting a password or activating a guest account, and should comply with the above standards. Passkeys/Pre-expired passwords provide one-time access to a system or application and require the user to change to a password of their choice upon initial login.
  • Passwords must be reset over an encrypted tunnel (SSL or VPN, for example).
  • Password change events should be recorded in an audit log.
     

Procedures for maintenance of "shared confidential data"

Those responsible for access to systems, applications, servers, etc. protected by high-level super-passwords must have proper auditable procedures in place to maintain custody of those "shared secrets" in an emergency or should the password holder become unavailable. These documented procedures should define how these passwords are logically or physically accessed, and who becomes responsible for access to and/or reset of the password.

Applications developed at Amrita University or purchased from a vendor should contain the following security precautions:

  • Passwords must not be stored in clear text or in any easily reversible form.
  • Role-based access controls should be used whenever feasible, in order to support changes in staff or assigned duties.
  • Systems should allow for lock-outs after a set number of failed attempts (e.g. five times). Access should then be locked for a minimum of ten minutes, unless a local system administrator intercedes. Lock-outs should be logged.
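The three application precautions above (no clear-text password storage, lock-out after five failures for at least ten minutes, logged lock-outs) as an added example that is not code from the policy or any Amrita system. The PBKDF2 work factor is an assumed value; an administrator interceding would simply clear the account's locked_until timestamp.

```python
# Added example, not code from the Amrita policy or ICTS: salted one-way
# password hashing, lock-out after MAX_FAILURES failures for LOCKOUT_SECONDS,
# and an audit log, as the three precautions above require.
import hashlib, hmac, os, time

MAX_FAILURES = 5            # "e.g. five times"
LOCKOUT_SECONDS = 10 * 60   # "a minimum of ten minutes"
PBKDF2_ROUNDS = 100_000     # assumed work factor; raise it for production hardware

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2-HMAC-SHA256 with a per-account random salt (fresh salt if none given)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class AccountStore:
    def __init__(self, clock=time.time):
        self._clock = clock     # injectable so lock-out expiry can be tested
        self._accounts = {}     # user -> {salt, digest, failures, locked_until}
        self.audit_log = []     # (timestamp, user, event)

    def _log(self, user, event):
        self.audit_log.append((self._clock(), user, event))

    def set_password(self, user, password):
        """Create the account or reset its password; only salt + digest are kept."""
        salt, digest = hash_password(password)
        self._accounts[user] = {"salt": salt, "digest": digest, "failures": 0, "locked_until": 0.0}
        self._log(user, "password_set")

    def authenticate(self, user, password) -> str:
        """Return 'ok', 'denied' or 'locked'; every outcome is logged."""
        acct, now = self._accounts.get(user), self._clock()
        if acct is None:
            self._log(user, "login_failed")
            return "denied"
        if now < acct["locked_until"]:
            self._log(user, "login_rejected_locked")
            return "locked"
        if hmac.compare_digest(hash_password(password, acct["salt"])[1], acct["digest"]):
            acct["failures"] = 0
            self._log(user, "login_ok")
            return "ok"
        acct["failures"] += 1
        self._log(user, "login_failed")
        if acct["failures"] >= MAX_FAILURES:
            acct["failures"], acct["locked_until"] = 0, now + LOCKOUT_SECONDS
            self._log(user, "account_locked")
            return "locked"
        return "denied"
```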
     

Password Management

  • All passwords must meet the following minimum standards, except where technically infeasible:
    1. be at least eight alphanumeric characters long
    2. be set to amma@123 by ICTS for all first-time users
    3. be changed by the first-time user on login
    4. contain digits or punctuation characters as well as letters (e.g., 0-9, ~'!@#$%()_-'{.})
      Note: The following special characters cannot be used in passwords for most Amrita University systems: *+,/:;<=>?[\]|^&
    5. contain both upper and lower case characters (e.g., a-z, A-Z)
    6. not be a word in any dictionary or language
    7. not be based solely on easily guessed personal information, such as names of family members
  • Credit card numbers must never be used as a user ID or a password.
  • All passwords are to be treated as sensitive information and should therefore never be written down or stored on-line unless adequately secured. 
  • Passwords should not be inserted into email messages or other forms of electronic communication.
  • Passwords that could be used to access sensitive information must be encrypted in transit.
  • It is recommended that passwords be changed at least every six months.
  • Individual passwords should not be shared with anyone, including IT administrators.
  • If a password is suspected to have been compromised, it should be changed immediately and the incident reported to ICTS.
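A checker for the minimum password standards listed above, added here as an example rather than code from the policy or any Amrita system. The word list is a small constructed sample, and the way rules 6 and 7 are applied (checking the alphabetic core of the password, and rejecting passwords that contain a personal-information token) is this example's own reading of them.

```python
# Added example, not code from the Amrita policy or ICTS: returns every
# minimum standard a proposed password violates (empty list = acceptable).
import string

MIN_LENGTH = 8
DEFAULT_FIRST_LOGIN_PASSWORD = "amma@123"   # issued by ICTS; must be changed on login
FORBIDDEN = set(r"*+,/:;<=>?[\]|^&")        # characters the note under rule 4 excludes
# Constructed sample word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "amrita", "welcome", "university", "summer"}


def check_password(pw: str, personal_info=()) -> list:
    """personal_info: the user's own name, family names, etc. (rule 7)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw == DEFAULT_FIRST_LOGIN_PASSWORD:
        problems.append("is the ICTS first-login default and must be changed")
    bad = sorted(FORBIDDEN.intersection(pw))
    if bad:
        problems.append("contains unsupported characters: " + "".join(bad))
    has_letter = any(c.isalpha() for c in pw)
    has_digit_or_punct = any(c.isdigit() or c in string.punctuation for c in pw)
    if not (has_letter and has_digit_or_punct):
        problems.append("needs letters plus at least one digit or punctuation character")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper and lower case letters")
    # Rule 6, as applied here: test the whole password and its alphabetic core,
    # so 'Amrita*2024' is caught as well as 'amrita'.
    core = "".join(c for c in pw if c.isalpha()).lower()
    if pw.lower() in DICTIONARY or core in DICTIONARY:
        problems.append("based on a dictionary word")
    # Rule 7, as applied here: any personal token of 3+ characters inside the password.
    for token in (t.lower() for t in personal_info):
        if len(token) >= 3 and token in pw.lower():
            problems.append(f"based on personal information ({token})")
            break
    return problems
```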