...

...

...

Changing Integrated System Passwords

Scope

This procedure covers changing existing Integrated System passwords. 

This procedure does not cover changing passwords for seated accounts.

Policy

Ethics in Computer Usage Policy requires everyone within the University of Virginia community who uses University computing and communications facilities to use them in an ethical, professional and legal manner. This means that users agree to abide by the following conditions:

• The integrity of the systems must be respected. This means that users of systems will not divulge passwords, pins, private keys or similar elements to anyone else, and they will not exploit sessions left open or otherwise misappropriate or steal the "identity" of another user.
• Privacy of other users must not be intruded upon at any time.
• Users must recognize that certain data are confidential and must limit their access to such data to uses in direct performance of their duties.
• The rules and regulations governing the use of facilities and equipment must be respected. Persons responsible for computing devices connected to the network will ensure that those devices are maintained in a secure state in accord with related policy on use of Network Devices
• No one shall obtain unauthorized access to other users' accounts and files.
• The intended use of all accounts, typically for university research, instruction and administrative purposes, must be respected.
• Users shall become familiar with and abide by the guidelines for appropriate usage for the systems and networks that they access.

Grounds for revoking access to University computing and communications equipment and facilities may be revoked for reasons including, but not limited to the following:

• attacking the security of the system
• modifying or divulging private information such as file or mail contents of other users without their consent
• modifying or destroying University data
• using the national networks in a manner contrary to the established guidelines.

Revocation of access may be done at any time by University system administrators in order to safeguard University resources and protect University privileges. Such revocation may be appealed to a committee appointed by the Vice President and Chief Information Officer.

If abuse of computer systems occurs, those responsible for such abuse will be held accountable and may be subject to disciplinary action.

Refer to Responsible Computing Handbook for Students

Refer to Responsible Computing Handbook for Faculty and Staff

Responsibility

The UVA DSC Administrator is responsible for resetting passwords for IS users when a reset is requested by the IS user.  This is the official responsibility name in the Integrated System.

The Data Security Administrator (DSA) is responsible for university-wide data security services.  One of the services they perform is resetting passwords for IS users when a reset is requested by the IS user or when such a request is escalated to them by the ISCSC staff.

The IS Helpdesk member is responsible for resetting passwords for IS users when a reset is requested by the IS user or by the Data Security Contact (DSC).

The Data Security Contact (DSC) is responsible for resetting passwords for IS users in his or her department, school or individuals for whom they provide data security service.

Distribution

UVA DSC Administrator

Ownership

The Data Security Administrator is responsible for ensuring that this document is necessary and reflects University practice.

Activity Preface

This activity is performed whenever an IS user contacts a Data Security Contact, the IS Customer Support Center or the Data Security Administrator to have their password changed.

UVA DSC Administrator can be any of the following:

• Data Security Contact
• IS Helpdesk
• Data Security Administrator

Data Security Contact, IS Customer Support Center Staff, Data Security Administrator

Note to Data Security Contacts:

• You may reset passwords only for individuals who are members of a school or department for which you provide data security services.

Note to Data Security Contacts and IS Computer Support Center staff:

• If the password change request comes via email, the email recipient MUST contact the individual and confirm  that he or she did request the password change.  This is an AUDIT requirement for anyone executing a password reset.  Since November 2004 Data Security Administrators have been applying this rule and will continue to do so.
• Based on the responses you receive from the individual to the questions below, if you feel that anything is askew, anything that makes you uncomfortable with the request, then escalate the request to the Data Security Administrator for action or resolution.
• Data Security Administrators who feel discomfort with a request escalate the request to the Manager, Data Services.

If the password change request is received via EMAIL and on contacting the individual you confirm that they made the request and you are comfortable with the request, goto task #1.  Otherwise, goto task #5.

1.   Start your VPN and Log on to the Integrated System (IS).

Refer to Connecting to the Oracle VPN

Refer to Logging On to and Off of Oracle Applications

2.   Select the IS Responsibility UVA DSC Administrator.

3.   Select [Users].

UVA Data Security Contact Administrator                
N ® Users
Users

4.   Ask the individual if they have an IS user account and ask for their user ID.     

If the individual does not have an IS user account, goto task #5. Otherwise, goto task #6.

5.   Refer the request - along with all pertinent data that you collect from the individual - to the appropriate entity.

• Data Security Contacts refer the request to the Tier II support.
• IS Helpdesk staff refer the request to the Data Security Administrator at security-dso@virginia.edu
• Data Security Administrators refer the request to the to the Manager, Data Services.

End of activity.

6.   Query [User Name].

• With your cursor in [User Name] press [F11].

• The User Name field will grey out.

• Enter the User Name and then press [Ctrl, F11] simultaneously.

• This will auto query the user information.

If no data is returned, goto task #5. Otherwise, goto task #7.

7.   The Effective Date [TO] field must be blank.

If the Effective Date [TO] field contains an end date, goto task #5. Otherwise, goto task #8.

8.   Confirm that the individual's [EMAIL] is a VIRGINIA.EDU address.

If The EMAIL account is not a VIRGINIA.EDU address, goto task #5. Otherwise, goto task #9

9.   Check the [PERSON] name displayed for the User.

If the PERSON name does not match the name of the individual requesting the password change, goto task #5. Otherwise, goto task #10.

10. Check the [DESCRIPTION] displayed for the User.

If the DESCRIPTION does not match the individual's name requesting the password change, goto task #5. Otherwise, goto task #11.

11. Enter a [Password] at least 7 characters long.

12. Press [Enter] on your keyboard.

• The Password field will turn yellow.

13. Enter the [Password] again.

14. Click the [Save] icon  on the Toolbar.

15. Notify the user that the password has been reset and tell him or her what the new password is.

• The user will be required to change the password at logon.
• A password is considered strong if it follows these rules:

• Passwords must be of length seven (7) or greater
• Passwords must contain at least one character and one number
• Passwords cannot contain your username, better know as your user-id
• Passwords cannot contain repeating characters (i.e. support1 is not a valid password)
• Passwords should not contain special characters (special characters cause problems with Discoverer log-ons, especially $ and @)
• Passwords cannot be re-used within 135 days (You do not have to change your password if you have ONLY the Self Service responsibility.)

• Observe all regulations for ethical computing use.

Refer to Ethical Computing Use  

Refer to Network Devices

Refer to Responsible Computing Handbook for Students

Refer to Responsible Computing Handbook for Faculty and Staff

End of activity.

Effective: 06/19/09

Revision: 2 wss

Oracle Tutor can be licensed to modify and add to this content, documenting all of your business process documentation in the Oracle Tutor format.

Oracle® Tutor   Copyright © 1997, 2009, Oracle. All rights reserved.