CIO-072 Identity and Access Management Policy

Office of the Chief Information Officer Enterprise Policy

CIO-072: Identity and Access Management Policy

Effective Date: 06/01/2002
Revision Date: 07/13/2017
Reviewed Date: 2/4/2019

Policy Statement: The purpose of this policy is to define access control measures for Commonwealth systems to protect the privacy, security, confidentiality, and integrity of the Commonwealth of Kentucky resources and data.

Policy Maintenance: The Commonwealth Office of Technology (COT), Office of the Chief Information Security Officer and Office of Infrastructure Services have joint responsibility for the maintenance of this policy. Organizations may choose to add to this policy as appropriate, in order to enforce more restrictive standards. Therefore, staff members must refer to their organization's internal policy which may have additional information or clarification of this enterprise policy.
Authority: KRS 42.726 authorizes COT to develop policies that support and promote the effective application of information technology within the executive branch of state government, as well as information technology directions, standards, and necessary management processes to assure full compliance with those policies.
Applicability: This policy must be adhered to by all Executive Branch agencies and personnel, including employees, contractors, consultants, temporaries, volunteers and other workers within state government. This policy applies to all accounts/resources utilized by the Executive Branch personnel on equipment owned or leased by the Commonwealth regardless of time of day, location or method of access.
Responsibility for Compliance: Each agency is responsible for assuring that appropriate personnel within their organizational authority have been made aware of the provisions of this policy, that compliance by the personnel is expected, and that unauthorized and/or inadvertent actions in regard to this policy may result in disciplinary action up to and including dismissal. It is each Executive Cabinet’s responsibility to enforce and manage the application of this policy.
Non-compliance may result in additional shared service charges to the agency for COT’s remediation efforts pertaining to this policy.
Review Cycle: This policy will be reviewed at least every two years.
       An ID is an identifier for a user or an account.
       Access is defined as the ability to use, modify or manipulate an information resource or to gain
 entry to a physical area or location.
       Elevated Privilege is defined as additional access outside a standard user id or account. This can
include the ability to alter configurations or data in which an ID and/or account has access.
       Multifactor Authentication is defined as the use of more than one method of authentication to 
verify the user’s identity for a login and/or other transactions.
       System ID – Accounts used by applications, systems or automated processes that are not used by
  individual users for access or direct login. Examples of these accounts would be Windows service
  accounts or accounts used by applications for back end data access.
Policy: To protect the privacy, security, confidentiality, and integrity of the Commonwealth’s information systems, all access to IT resources and data must be commensurate with the user’s job responsibilities and follow the principle of least privilege. The Commonwealth employs manual and automated mechanisms to support the management of access to information systems through the use of IDs. Each agency has designated Human Resource (HR) Contacts that have authorization to request the creation modification, disablement or removal of IDs and access.
Prior to being permitted to use Commonwealth of Kentucky resources to perform official Commonwealth business, agencies are responsible for ensuring that appropriate access has been granted through the establishment of IDs and passwords and that all required confidentiality and usage forms have been completed.
ID and Account Usage:
      User IDs established to access Commonwealth systems must be individually owned in order to maintain accountability. Each ID must be used by only a single individual who is responsible for every action initiated by that ID. These IDs should not be used to sign up or access non-government websites unless utilized for official business. (See CIO-061, Social Media.) Where supported, the system must display the last use of the individual’s account so that unauthorized use may be detected.
      System ID credentials must not be distributed to users and shall meet all complexity requirements of elevated privilege accounts. These system IDs and/or accounts may have non-expiring passwords where expiration would cause a demonstrated negative impact on system functionality.
      Elevated Accounts are required for all IDs with elevated privileges. Standard user accounts may be required to leverage multifactor authentication based on specific business need.
      Administrator level privileges require the use of a physical device that provides an additional layer of authentication; this is also referred to as multi-factor authentication. This is a hardware device that houses or generates a key or token as defined in Enterprise Architecture and Kentucky Information Technology Standards - 5100 Encryption.
      User level access can leverage a physical device or software solution to provide the additional layer of authentication when required to increase security controls or meet state and/or federal regulatory requirements. This is also referred to as multi-factor authentication. A software solution would consist of a token or key provided through non-physical means such an application, plug in, or messaging service.
      Multi-factor authentication must be placed as close to the protected data or asset as possible. In cases where the additional security layers cannot be placed on the asset itself, an appropriate security boundary must be established and multi-factor authentication placed at the boundary entry points. An example of this would be database systems that require the boundary to be placed at the workstation level, with access to the database limited only to workstations within the protected boundary. In this scenario, users would authenticate to their workstation leveraging multifactor authentication.
      Automated Disabled User Account: Where possible, Commonwealth systems will include an account management function that will automatically disable a user account after 90 consecutive days of inactivity and delete the account after an additional 30 consecutive days of inactivity. If a user is on extended leave then please notify your Human Resource contact for appropriate account maintenance. Refer to the Agency Contact Listing, which provides authorized Human Resource, IT Services, Compliance, and Security Contacts for each agency.
      Agency employees, agents, representatives, or contractors, shall not access sensitive or confidential data while located offshore – outside of the United States territories, embassies or military installations.  Further, sensitive or confidential data may not be received, processed, stored, transmitted or disposed of by information technology systems located offshore.
Password Usage:
Passwords must:
       Be kept confidential and never shared with anyone.
       Meet Password Length Requirements.
§  Standard User - eight (8) or more characters
§  Elevated Privilege - twelve (12) or more characters
§  System ID - sixteen (16) or more characters
       Be comprised of a combination of uppercase characters, lowercase characters, numbers,
  and special characters such as !@#$%^ ()&* (as allowed by the system).
       Be unique from previous 24 passwords used by the user.
       Be changed at least every 60 days for all elevated privileged access accounts and 90 days
  for all non-privileged access accounts.
Passwords must not be:
      Vendor default passwords (default passwords must be changed immediately upon first use).
      The same as the UserID.
      Hard coded within application code, batch jobs, processes, or similar system code.
      Stored without encryption (encryption information can be found at Enterprise Architecture and Kentucky Information Technology Standards (5100 Encryption).
      Visible on a screen, hardcopy, or any other output device.
Strong Password Recommendations:
      Does not contain repeated letters or numbers or sequences of letters or numbers.
      Does not contain names of persons, places, or things, nor a word contained in any English or foreign language dictionary.
      Does not use repeated letters with numbers that are indicative of the month; i.e., vmPtm$01 in January, vmPtm$02 in February.
      Does not use keyboard patterns that entitle left to right and/or top to bottom sequences.
      Minimum Password Age: Where supported, the minimum password age must be set to one day. This will help prevent users from “cycling” through passwords, thus bypassing the password history list. However, if inadvertent disclosure is known or suspected, the password must be changed immediately by notifying the systems administrator.
      Password expiration warning notifications shall be set to start seven (7) days prior to the
password expiration date. After the password expires, the User ID will be denied access.
Non-expiring passwords shall only be used for system, application, or service accounts with no direct user access. These passwords must be highly protected and meet or exceed the complexity requirements standards of twelve (12) characters defined for elevated privilege accounts.
      Automatic Log-in: Users must refuse all offers by software to store credentials to allow for automatic authentication. Examples of this are web pages or applications that provide an option to save the user’s ID and/or password to provide access without re-entering their credentials for future accesses.
      Password and ID Lockout: Where supported, user accounts will be locked after three (3) invalid login attempts and must remain locked for 30 minutes or until the authorized user makes a request to reset the password by contacting the Commonwealth Service Desk at (502) 564-7576 or the local system administrator. All elevated privileged accounts must be unlocked by an administrator and not through any automated means.
       Note: For Windows accounts, users can reset their passwords by using COT’s service, AD SelfService Plus (pre-registration is required before the account is locked out). Other accounts, including Mainframe and UNIX, do not have this service.
Special Requirements:
      Password Audits: The Office of the Chief Information Security Officer will perform password audits at the request of an agency to identify weak passwords and passwords that do not comply with enterprise standards. This is useful in ensuring security and integrity through password compliance. All requests should be made by through the Commonwealth Service Desk at (502) 564-7576.
      Logon Security Notice: All logon screens must include a security notice that states the involved system may be used only for authorized purposes. This notice must state the following at a minimum:
       Only authorized users may access the system.
       Users who access the system beyond the warning page represent that they are authorized to
  do so.
       Unauthorized system usage or abuse is prohibited and subject to criminal prosecution.
       System usage may be monitored and logged.
       Any other specific language as required by state or federal regulations.
      Exceptions: Agencies requiring exceptions to this policy must have approval from the Office of the Chief Information Security Officer. The agency must complete a Security Exemption Request Form, COT-F085 and submit the form to the Commonwealth Service Desk via e-mail at All requests will be considered and approval will be granted on a case-by-case basis.
      Securing Unattended Workstations: Staff are responsible for maintaining the security of their assigned workstation. In order to prevent unauthorized system access, users must lock unattended workstations. In addition, all workstations must lock or invoke a password-protected screensaver after a maximum of ten (10) minutes of inactivity.



This page was last modified 2/28/2019 6:02 AM

Return to CIO Policies Home Page.