Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 45 – Information Security

View All Sections >

49020.10.1 Information Security‑Responsibilities of Password Owners

  • Access to CDCRCalifornia Department of Corrections and Rehabilitation’s information systems is restricted by password to only authorized persons. Authorized persons shall never reveal their passwords to anyone for any reason. Authorized persons using a computer shall log off or activate a password-protected screensaver before leaving the immediate vicinity of the computer or terminal. Additionally, no ability shall exist for a user to store, load, or invoke the log on process on any department computer, by any method that includes the user Resource Access Control Facility (RACF), IDInstitutions Division (see DAI), or the password. Violation of this policy may result in the revocation of all access privileges and appropriate disciplinary action. Such disciplinary action may be based not only on the violation itself, but also on all activity performed by those obtaining access to a system or information asset due to a violation of this policy.

  • The password is a major “key” to the integrity of CDCRCalifornia Department of Corrections and Rehabilitation’s automated environment. The password policy exists to protect the integrity of that “key.” User IDs shall never be duplicated. User IDInstitutions Division (see DAI) security is backed up by the existence of passwords. Owners are responsible for anything for which their password is used. In addition to any password requirements associated with specific systems or services, as a matter of self-protection, the password owner shall:

    • Not share their password.

    • Not write down their the password.

    • Not use an obvious password. Obvious passwords include one’s name or nickname, the names of one’s children, one’s user IDInstitutions Division (see DAI), names, or words associated with hobbies (“DANCER,” “SKIER,” “GOLFER,” etc.), names associated with favorite books, TV shows, or movies (“JEDI,” “FRODO,” “PICARD,” “RHETT,” etc.), “SECRET,” “SECURE,” “PASSWORD,” all spaces or the “enter” key, “9999999”, “XXXXXXX,” driver’s license, social security numbers, the name of the current month, etc.

    • Not use single words that can be looked up in any dictionary, including foreign languages (e.g., Latin).

    • Use non-obvious passwords, such as word combinations rather than single words (“COMPUTERUSER,” “SKIBUM,” “IAMADANCER,” etc.) intentionally misspelled words (“KRAKER,” “KORECTUNS,” etc.), or random combinations of letters and numbers, etc.

  • If a password is forgotten, the password owner shall contact the local ITInformation Technology support staff or the CDCRCalifornia Department of Corrections and Rehabilitation Help Desk for a password reset. They shall validate the owner’s identity and give a new temporary, one-time password. The owner shall change this password immediately.

  • If anyone asks for a password, the owner shall refuse to provide it and shall refer the person to a supervisor. The owner shall then notify the supervisor.

  • Anyone who knows or suspects that password has been compromised, including instances where a known correct password is no longer accepted, shall take the following actions:

    • Notify the ISCInformation Security Coordinators;

    • Notify the immediate manager/supervisor;

    • Notify the Information Security Office;

    • Complete a “security incident report” and submit it to the Information Security Office.