Policy Statement: The purpose of this policy
is to define access control measures for Commonwealth systems to protect the privacy, security, confidentiality, and
integrity of the Commonwealth of Kentucky resources and data.
Policy Maintenance: The Commonwealth Office of Technology (COT), Office of the Chief
Information Security Officer and
Office of Infrastructure Services have joint responsibility for the maintenance
of this policy. Organizations may choose to add to this policy as appropriate,
in order to enforce more restrictive standards. Therefore, staff members must
refer to their organization's internal policy which may have additional
information or clarification of this enterprise policy.
Authority: KRS 42.726 authorizes COT to develop policies that support and promote
the effective application of
information technology within the executive branch of state government, as well
as information technology directions, standards, and necessary management
processes to assure full compliance with those policies.
Applicability: This policy must be adhered to by all Executive Branch agencies and
personnel, including employees,
contractors, consultants, temporaries, volunteers and other workers within
state government. This policy applies to all accounts/resources utilized by the
Executive Branch personnel on equipment owned or leased by the Commonwealth
regardless of time of day, location or method of access.
Responsibility for Compliance: Each agency is responsible for assuring that
appropriate personnel within their
organizational authority have been made aware of the provisions of this policy,
that compliance by the personnel is expected, and that unauthorized and/or
inadvertent actions in regard to this policy may result in disciplinary action
up to and including dismissal. It is each Executive Cabinet’s responsibility to
enforce and manage the application of this policy.
Non-compliance may result in
additional shared service charges to the agency for COT’s remediation efforts
pertaining to this policy.
Review Cycle: This policy will be reviewed at least every
• An ID
is an identifier for a user or an account.
• Access is
defined as the ability to use, modify or manipulate an information resource or
entry to a physical area or
• Elevated Privilege is
defined as additional access beyond that of a standard user ID or account. This can
include the ability to alter
configurations or data to which an ID and/or account has access.
• Multifactor Authentication is defined as the use of more than one method to
verify the user’s
identity for a login and/or other transactions.
• System ID – Accounts used by applications, systems or automated processes that are
not used by
individual users for
access or direct login. Examples of these accounts would be Windows service
accounts or accounts used by applications for back end data access.
Policy: To protect the privacy, security, confidentiality, and integrity of the
Commonwealth’s information systems,
all access to IT resources and data must be commensurate with the user’s job
responsibilities and follow the principle of least privilege. The Commonwealth
employs manual and automated mechanisms to support the management of access to
information systems through the use of IDs. Each agency has designated Human Resource (HR)
Contacts that have authorization to request the creation, modification,
disablement or removal of IDs and access.
Prior to being permitted to
use Commonwealth of Kentucky resources to perform official Commonwealth
business, agencies are responsible for ensuring that appropriate access has
been granted through the establishment of IDs and passwords and that all
required confidentiality and usage forms have been completed.
ID and Account Usage:
• User IDs established to
access Commonwealth systems must be individually owned in order to maintain
accountability. Each ID must be used by only a single individual who is
responsible for every action initiated by that ID. These IDs should not be used
to sign up for or access non-government websites unless utilized for official
business. (See CIO-061, Social Media.) Where
supported, the system must display the last use of the individual’s account so
that unauthorized use may be detected.
• System ID credentials must
not be distributed to users and shall meet all complexity requirements of
elevated privilege accounts. These system IDs and/or accounts may have
non-expiring passwords where expiration would cause a demonstrated negative
impact on system functionality.
• Elevated Accounts are
required for all IDs with elevated privileges. Standard user accounts may be required
to leverage multifactor authentication based on specific business need.
• Administrator level privileges require the use of a physical device that
provides an additional layer of authentication; this is also referred to as
multi-factor authentication. This is a hardware device that houses or generates
a key or token as defined in Enterprise Architecture and Kentucky
Information Technology Standards - 5100 Encryption.
• User level access can
leverage a physical device or software solution to provide the additional layer
of authentication when required to increase security controls or meet state
and/or federal regulatory requirements. This is also referred to as
multi-factor authentication. A software solution would consist of a token or
key provided through non-physical means such as an application, plug-in, or
• Multi-factor authentication
must be placed as close to the protected data or asset as possible. In cases
where the additional security layers cannot be placed on the asset itself, an
appropriate security boundary must be established and multi-factor
authentication placed at the boundary entry points. An example of this would be
database systems that require the boundary to be placed at the workstation
level, with access to the database limited only to workstations within the
protected boundary. In this scenario, users would authenticate to their workstation
leveraging multifactor authentication.
• Automated Disabled User
Account: Where possible, Commonwealth systems will include an account
management function that will automatically disable a user account after 90 consecutive
days of inactivity and delete the account after an additional 30 consecutive
days of inactivity. If a user is on extended leave then please notify your
Human Resource contact for appropriate account maintenance. Refer to the Agency Contact
which provides authorized Human Resource, IT Services, Compliance, and Security
Contacts for each agency.
• Agency employees, agents,
representatives, or contractors, shall not access sensitive or confidential
data while located offshore – outside of the United States territories,
embassies or military installations.
Further, sensitive or confidential data may not be received, processed,
stored, transmitted or disposed of by information technology systems located
• Be kept confidential and never shared with
• Meet Password Length Requirements.
§ Standard User - eight (8) or
§ Elevated Privilege - twelve (12) or more
§ System ID - sixteen (16) or more characters
• Be comprised of a combination
of uppercase characters, lowercase characters, numbers,
and special characters
such as !@#$%^ ()&* (as allowed by the system).
• Be unique from previous 24 passwords used by the
• Be changed at least every 60
days for all elevated privileged access accounts and every 90 days for
non-privileged access accounts.
• Vendor default passwords
(default passwords must be changed immediately upon first use).
• The same as the UserID.
• Hard coded within application code, batch jobs, processes,
or similar system code.
• Visible on a screen, hardcopy, or any other
Strong Password Recommendations:
• Does not contain repeated letters or numbers or
sequences of letters or numbers.
• Does not contain names of
persons, places, or things, nor a word contained in any English or foreign
• Does not use repeated letters
with numbers that are indicative of the month; e.g., vmPtm$01 in January,
vmPtm$02 in February.
• Does not use keyboard patterns that consist of left-to-right
and/or top-to-bottom key sequences.
• Minimum Password Age: Where
supported, the minimum password age must be set to one day. This will help
prevent users from “cycling” through passwords, thus bypassing the password history
list. However, if inadvertent disclosure is known or suspected, the password
must be changed immediately by notifying the systems administrator.
• Password expiration warning notifications shall
be set to start seven (7) days prior to the
password expiration date. After the password
expires, the User ID will be denied access.
Non-expiring passwords shall only be used for
system, application, or service accounts with no direct user access. These
passwords must be highly protected and meet or exceed the complexity
requirements standards of twelve (12) characters defined for elevated privilege
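The password rules above (minimum length by account class, all four character classes, no reuse within the previous 24 passwords, not the same as the UserID) and the strong password recommendations are the kind of checks a provisioning script or self-service reset portal should enforce before a password is accepted. The Python checker below is an added example written for this page, not code from COT or from the policy itself. The account-class names, the US keyboard layout used for the pattern check, the SHA-256 digests standing in for a real password-history store, and the short dictionary word list are all assumptions made for the example.

```python
"""Password-policy checker for the rules listed above (added example).

Hard requirements (length by account class, character classes, not the UserID,
not one of the previous 24 passwords) produce violations; the "strong password
recommendations" produce warnings that do not by themselves reject the password.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Minimum lengths per account class, taken from the policy text.
MIN_LENGTH = {"standard": 8, "elevated": 12, "system": 16}
PASSWORD_HISTORY = 24                 # must differ from the previous 24 passwords
SPECIAL_CHARS = set("!@#$%^()&*")     # the special characters the policy lists

# US keyboard geometry for the "left to right / top to bottom" check (assumed layout).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p"]

# Constructed stand-in for a real dictionary; a deployment would load a full word list.
DICTIONARY_WORDS = {"password", "kentucky", "welcome", "summer", "frankfort", "commonwealth"}


@dataclass
class PolicyResult:
    violations: list = field(default_factory=list)  # "must" rules; any entry rejects the password
    warnings: list = field(default_factory=list)    # recommendations; reported but not blocking

    @property
    def ok(self) -> bool:
        return not self.violations


def password_digest(password: str) -> str:
    """Digest used for the history comparison so the sample history holds no cleartext.
    A real credential store should use a slow, salted hash (bcrypt/argon2), not bare SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _has_run(s: str, length: int = 3) -> bool:
    """True if s contains `length` identical characters in a row, or an ascending or
    descending run of letters or digits of that length (aaa, abc, 321)."""
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        if len(set(chunk)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}) and (chunk.isalpha() or chunk.isdigit()):
            return True
    return False


def _keyboard_walk(s: str, length: int = 4) -> bool:
    """True if `length` consecutive characters follow a keyboard row or column in either direction."""
    lowered = s.lower()
    for i in range(len(lowered) - length + 1):
        chunk = lowered[i:i + length]
        for line in KEYBOARD_ROWS + KEYBOARD_COLUMNS:
            if chunk in line or chunk in line[::-1]:
                return True
    return False


def check_password(candidate: str, user_id: str, account_type: str,
                   previous_digests=()) -> PolicyResult:
    """Evaluate `candidate` for an account of class `account_type`
    ('standard', 'elevated' or 'system'); `previous_digests` is the stored
    history, newest last, as produced by password_digest()."""
    if account_type not in MIN_LENGTH:
        raise ValueError(f"unknown account type {account_type!r}")
    result = PolicyResult()

    # --- mandatory rules ---
    required = MIN_LENGTH[account_type]
    if len(candidate) < required:
        result.violations.append(
            f"shorter than the {required} characters required for {account_type} accounts")
    classes = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "number": any(c.isdigit() for c in candidate),
        "special": any(c in SPECIAL_CHARS for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        result.violations.append("missing character class(es): " + ", ".join(missing))
    if candidate.lower() == user_id.lower():
        result.violations.append("the same as the UserID")
    if password_digest(candidate) in list(previous_digests)[-PASSWORD_HISTORY:]:
        result.violations.append(f"reused from the previous {PASSWORD_HISTORY} passwords")

    # --- recommendations ---
    if _has_run(candidate):
        result.warnings.append("contains repeated characters or a letter/number sequence")
    lowered = candidate.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        result.warnings.append("contains a dictionary word")
    if re.search(r"(0[1-9]|1[0-2])$", candidate):   # vmPtm$01, vmPtm$02, ...
        result.warnings.append("ends in a two-digit month number")
    if _keyboard_walk(candidate):
        result.warnings.append("contains a keyboard pattern")
    return result


if __name__ == "__main__":
    history = [password_digest("Winter2023!!")]          # constructed sample history
    for pw in ("Tr0ub4dor&3x", "Qwerty123!", "vmPtm$01"):
        r = check_password(pw, "jsmith", "elevated", history)
        print(pw, "OK" if r.ok else "REJECTED", r.violations, r.warnings)
```

The hard rules go into `violations` and reject the password; the recommendations only produce `warnings`, mirroring the policy's split between requirements and recommendations. The month check is a heuristic that flags any trailing 01 to 12, so it will also warn on passwords that merely happen to end in those digits; a portal that wants fewer false positives can restrict it to the current and next month.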
• Automatic Log-in: Users must
refuse all offers by software to store credentials to allow for automatic
authentication. Examples of this are web pages or applications that provide an
option to save the user’s ID and/or password to provide access without
re-entering their credentials for future accesses.
• Password and ID Lockout:
Where supported, user accounts will be locked after three (3) invalid login
attempts and must remain locked for 30 minutes or until the authorized user
makes a request to reset the password by contacting the Commonwealth Service Desk at (502) 564-7576 or the
local system administrator. All elevated privileged accounts must be unlocked by an administrator
and not through any automated means.
• Note: For Windows accounts, users can reset their passwords by using
COT’s service, AD
SelfService Plus (pre-registration is required before the account is locked out). Other
accounts, including Mainframe and UNIX, do
not have this service.
• Password Audits: The Office of the Chief Information Security Officer
will perform password audits at the request of an agency to identify weak
passwords and passwords that do not comply with enterprise standards. This is
useful in ensuring security and integrity through password compliance. All
requests should be made through the Commonwealth Service Desk at (502) 564-7576.
• Logon Security Notice: All logon screens must include a security notice
that states the involved system may be used only for authorized purposes. This notice must state the following at a minimum:
• Only authorized users may access the system.
• Users who access the system
beyond the warning page represent that they are authorized to
• Unauthorized system usage or abuse is prohibited
and subject to criminal prosecution.
• System usage may be monitored and logged.
• Any other specific language as required by state
or federal regulations.
• Exceptions: Agencies requiring exceptions to this policy must have
approval from the Office of the Chief Information Security Officer. The agency
must complete a Security Exemption Request Form, COT-F085, and submit the form to the Commonwealth Service Desk via e-mail.
All requests will be considered and approval will be granted on a case-by-case
• Securing Unattended
Workstations: Staff are responsible for maintaining the security of their
assigned workstation. In order to prevent unauthorized system access, users
must lock unattended workstations. In addition, all workstations must lock or
invoke a password-protected screensaver after a maximum of ten (10) minutes of