Statement

WTAMU manages information system authenticators by defining initial authenticator content; establishing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators; and changing default authenticators during initial configuration. Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges.

Applicability

This Control applies to all West Texas A&M network information resources. The intended audience for this Control includes all information resource owners, custodians, and users of information resources.

Implementation

Management of information system authenticators shall include:

• Authenticators shall be treated as confidential information in accordance with Texas A&M University System Regulation 29.01.03 Information Security.
• If an authenticator has been confirmed as compromised, the event shall be reported as a security incident.
• Forgotten or lost authenticators shall be replaced with a new authenticator.
• If a user requests an authenticator change, the identity of the user must be verified before the authenticator is changed.
•  Initial authenticator content for any authenticators issued by the University is completed in accordance with established procedures.
• Default or assigned passwords shall be changed at first use.
• Passwords shall meet all requirements outlined in IA-5(1) Authenticator Management- Password Based Authentication.