Patrick McGrath, ISTCCS
In March 2002, the requirements for administrative systems passwords were strengthened and all users were required to change their passwords (see "Administrative application password change" in the Winter 2002 BC&C). IST and the Office of the Controller implemented these changes to address concerns about Internet and system security for campus administrative applications in order to tighten controls and access to sensitive campus data. These changes brought our mission-critical system administration procedures more closely in line with best practices and University policy (Business & Finance Bulletin IS-3, Electronic Information Security [http://www.ucop.edu/ucophome/policies/bfb/is3.pdf]).
IST and the Office of the Controller continue to review controls and access to sensitive campus data, and are committed to establishing campus standards that mitigate risks and enhance operational effectiveness. The following new campus policies have been established as of July 1, 2002:
1. Users of administrative applications will be required to change their passwords annually. The annual changeover for all administrative application passwords will occur in March 2003. Users will be notified that it is time to change their passwords through messages on their respective applications or via an email message 30 days prior to the required change. If individuals or departments wish to do so, they may change their passwords more often. User IDs and passwords must never be shared, even among coworkers. Each employee is responsible for the security of the applications to which he or she has access.
Complete information and instructions on how to change your passwords, as well as the software to do so, are available on the BFS TechTips website (http://bfs-techtips.berkeley.edu/).
2. Account deletion policy. User accounts, or user IDs, for administrative applications that have not been used for a period of six months will be disabled by Central Computing Services. Users will be notified via email messages prior to the disabling of their IDs. The affected user will be given 30 days to respond. If no response has been given, the user ID will be disabled on the 31st day. These disabled IDs will be reviewed after another six months and those that have not been reactivated will be deleted. To request an exception to this process, or to reactivate a disabled user ID, please contact the Application Security Officer (ASO, http://ccs-sda.berkeley.edu/sdaforms.htm#ofcrlist) for the application you are utilizing.
Please note that this policy does not apply to CalNet IDs or the Human Resources Management System (HRMS).
Central systems affected by these policies include:
As always, to report suspected security incidents, send email to security@berkeley.edu or contact the IST Trouble Desk, 642-4920.
Berkeley Computing & Communications,
Volume 12, Number 4 (Fall 2002)
Copyright 2002, The Regents of the University of California