Policy 7230A - Department of Administration
authenticators for critical information systems must not be provided together, while identifiers and authenticators for non-critical information systems should not be provided together. In circumstances where authentication must be cryptographically protected, the solution that provides this functionality must meet the minimum specifications of FIPS 140-2.

Should an information system user's account be disabled for any reason (see section 4.2, Account Management), the user's identifier and authenticator will also be disabled, where applicable.
A. Passwords

Passwords form the primary means of authentication for the State of Kansas. To ensure that passwords present as much security as possible, the following restrictions apply to them:

• Passwords must be constructed according to set requirements.
• Passwords will have both a minimum and a maximum lifespan.
• Passwords may not be reused for a set number of generations.
• Passwords may not be displayed while they are being entered.
• Passwords should not be transmitted in clear text.
• Passwords are to be individually owned and kept confidential – they are not to be shared.
• If passwords must be electronically stored, they cannot be stored in clear text.

Guidelines for these requirements will be provided in a separate document.
B. Authentication Tokens

Though the State does not, as a rule, require the use of hardware tokens for authentication purposes, in those circumstances where the choice is made to use them, the following restrictions apply:

• A defined process must be followed for token distribution.
• A defined process must be followed for token revocation.
• A defined process must be followed for the handling of lost/stolen/damaged tokens.

Guidelines for these requirements will be provided in a separate document.
4.2 Account Management

The State of Kansas requires that all information system accounts be actively managed by appropriate administrative staff. Active management includes the acts of establishing, activating, modifying, disabling and removing accounts from information systems.

Information system accounts are the only legitimate method by which State information systems may be accessed. Without active account management, the
12