Feature Article: Posted 11/02/01

Sharing User I.D. and passwords

by George Rogers

Dear Web Authors,

Within the month of October I have run into a minimum of 6 cases of web authors sharing user I.D.s and passwords between themselves. Unknowingly, you are breaking university policies and state laws that you agreed to when you became an employee of the University of Texas-Health Science Center at Houston.

Your compliance with these policies and procedures needs to be at the forefront of your thoughts daily when you do your work. Please help others working around you correct any security issues as they arise.

The following excerpts are taken from approved policies and procedures and are provided as a reminder of what you agreed to when you were hired. Links are provided to all quoted information contained within this e-mail.

**************** HOOP - Handbook of Operational Procedures ***************

HOOP - Section 17, University Technology and Communications/Information Technology
17.01 Responsibilities for the Use of Information Resources
F. Users:

Users of information resources are individuals who use the information that is processed by an automated information system.

User Responsibilities:

Examples of Users:

Employees, students, vendors, contractors, visiting faculty, business partners, affiliate hospitals, clinics, and guest users of UTHSC-H information resources and patients.

****************** Information Resources Security Manual ********************

Security Violations

Individuals using information resources owned or managed by the university are expected to know and comply with published university policies and procedures documented at HOOP Chapter 17.

Failure on the part of an individual to comply may result in disciplinary action including suspension without pay or termination of employment or contract.

An individual may be subject to civil or criminal legal sanctions when a violation occurs. It is the responsibility of all personnel to report any suspected or confirmed violations of this policy to appropriate management.

Policy Statements

The policies stated herein define accountability and responsibility toward information resources security. These policies apply to all individuals.

1. Access to university information resources must be secured. The integrity of data, its source, its destination, and processes applied to it must be assured. Changes to data and its usage must be made only in authorized and acceptable ways.

3. All passwords to information resources including, but not limited to, network systems, mainframe applications, voice mail or long distance telephone codes are confidential and property of the state. It is illegal to share assigned user-ids or passwords with anyone.

Passwords authenticate a user's identity and establish accountability. An individual is required by law to maintain the privacy of his or her password(s) and access code(s) and is accountable for the unauthorized use or negligent disclosure of all access means under his or her control.

The following actions constitute violations under this provision and are specifically prohibited:

user-ids assigned to individuals should not be shared
user-ids assigned to groups should not be shared with any personnel outside of the group assigned access to the user-id
revealing passwords or access codes either verbally or in writing, and
negligent disclosure of passwords or access codes

Note: User I.D.s and passwords issued by OAC web authors are not group assigned. These user I.D.s and passwords should not be shared between staff members or with outside contractors providing a service to their departments. Temporary contract employees and outside contracting companies have to apply for a guest account for each employee regardless of the duration of the project (1 day to several months).

Security Contract

Individuals who request authorization to use university computer applications sign a security contract acknowledging comprehension and acceptance of personal accountability. By signing this contract, individuals agree to only use the user-id or password for the purpose intended, not to share or disclose a password, and to report any suspected or confirmed violations to appropriate management.

Texas Penal Code

The following sections of the Texas Penal Code apply.

Section 33.02: Breach of Computer Security

An individual commits an offense if the individual

An individual who is subject to prosecution under this section and any other section of this code may be prosecuted under either or both sections.


University of Texas-Health Science Center at Houston

Office of Academic Computing
George J. Rogers - Web Site Content Coordinator