Securing Passwords in Operations

Purpose

In case of emergency or other unforeseen incident, it may be necessary for an administrator other than the primary individual to access a device. Specific information on how to access the device may not be easily available due to security considerations. It is necessary to create a procedure which will allow such critical information to be created and stored with the proper checks and balances in place to minimize any risks.

Summary

This procedure will outline the proper method of storing passwords, password reset procedures, and emergency device access.

Definitions

  • Device: A hardware or software component which is used for business operations. Examples include servers, switches and routers.

  • Primary Individual: The UTS staff person who is designated the primary contact for a specific hardware device.

  • Supervisor: The UTS staff person who is the official supervisor of the Primary Individual.

  • Operations Manager: The UTS staff person who is designated the manager of operations by the CIO.

Details

  1. The primary individual shall create a document for each critical device. This document should contain:
    • Instructions on how to access the device normally.
    • Instructions on emergency device access.
    • Instructions on how to change the administrative passwords.
    • The current administrative passwords for the device, along with the dates the passwords are current.
    • The next date by which the information needs to be changed and resubmitted for secure storage.

    There is a template file attached which shows a sample device. Please see attachment:PasswordTemplate.doc.

  2. The primary individual shall create an instructional envelope which will contain the document. This envelope will have handling instructions printed on the outside.
    • The device for which instructions are contained.
    • Authorized staff which may open the envelope.
    • Creation and expiration dates.
    • Special Handling Instructions.

    There is a template file attached which shows a sample envelope. Please see attachment:EnvelopeTemplate.doc.

  3. A supervisor shall attempt to access all devices as listed on the document, using the procedures and administrative passwords given. This is to confirm that the information listed in the document is correct.
  4. The supervisor and the primary individual shall place the instructions inside the envelope. The envelope should be sealed and personally delivered to the Operations Manager.
  5. The Operations Manager shall record the receipt of the envelope and affix anti-tamper stickers or seals as necessary. All three parties (primary individual, supervisor, operations manager) shall witness the deposit of the envelope into a safe, vault, or other secure location.
  6. All information stored using this procedure shall be periodically checked by both the supervisor and primary individual to ensure proper integrity. Information should be updated per the instructions on the envelope itself.