Article 45 – Information Security
49020.10.1 Information Security‑Responsibilities of Password Owners
Access to CDCR (California Department of Corrections and Rehabilitation) information systems is restricted by password to only authorized persons. Authorized persons shall never reveal their passwords to anyone for any reason. Authorized persons using a computer shall log off or activate a password-protected screensaver before leaving the immediate vicinity of the computer or terminal. Additionally, no ability shall exist for a user to store, load, or invoke the log-on process on any CDCR computer by any method that includes the user’s Resource Access Control Facility (RACF) ID or the password. Violation of this Policy may result in the revocation of all access privileges and appropriate disciplinary action. Such disciplinary action may be based not only on the violation itself, but also on all activity performed by those obtaining access to a system or information asset due to a violation of this Policy.
The password is a major “key” to the integrity of CDCR’s automated environment. The password policy exists to protect the integrity of that “key.” User IDs shall never be duplicated. User ID security is backed up by the existence of passwords. Owners are responsible for anything for which their password is used. Therefore, as a matter of self-protection, the password owner shall:
- Not tell anyone what their password is.
- Not write down their password.
- Not use an obvious password. Obvious passwords include one’s name or nickname, the names of one’s children, one’s user ID, names or words associated with hobbies (“DANCER,” “SKIER,” “GOLFER,” etc.), names associated with favorite books, TV shows, or movies (“JEDI,” “FRODO,” “PICARD,” “RHETT,” etc.), “SECRET,” “SECURE,” “PASSWORD,” all spaces or the “enter” key, “9999999,” “XXXXXXX,” driver’s license or social security numbers, the name of the current month, etc.
- Not use words that can be looked up in any dictionary, including foreign languages (e.g., Latin).
- Use non-obvious passwords, such as word combinations rather than single words (“COMPUTERUSER,” “SKIBUM,” “IAMADANCER,” etc.), intentionally misspelled words (“KRAKER,” “KORECTUNS,” etc.), or random combinations of letters and numbers.
- Use passwords that are at least eight characters long.
- Change the password in accordance with specific application requirements, every 30 to 90 days, depending on the application.
If the password owner becomes aware that a correct password is being rejected, that user should immediately notify the local ISC (Information Security Coordinator) and the AISO, since this may indicate that someone has discovered the password and has changed it without the owner’s permission, resulting in the owner no longer knowing his or her own password.
If a password is forgotten, the local IT support staff, the ISC, or the CDCR Help Desk shall be contacted for a password reset. They shall validate the owner’s identity and give a new temporary, one-time password. The owner shall change this password immediately.
If anyone asks for a password, the owner shall refuse to provide it and shall refer the person to a supervisor. The owner shall then notify the supervisor.
Anyone who knows that any password has been compromised should take the following actions:
- Notify the ISC;
- Notify the immediate manager/supervisor;
- Notify the Information Security Office;
- Complete a “security incident report” and submit it to the Information Security Office.