POLICY ON COMPUTER ACCOUNT AND EMAIL REQUIREMENTS
FOR UNIVERSITY EMPLOYEES

Many University functions are conducted online. This policy identifies requirements of faculty, staff, and students needed to provide these online functions securely.

Departments, Schools, Divisions, Institutes, administrative units, or other parts of the University may have supplemental policies regarding computer account and email requirements. Those policies cannot diminish the requirements set forth below.

Policy

  1. The University of Chicago provides a CNetID account to each of its faculty, staff, and students. Faculty, staff, and students are responsible for using this account throughout their affiliation with the University.
  2. Faculty, staff, and students must regularly attend to email addressed to this account.
  3. Faculty, staff, and students must either change their CNetID password at least annually or enroll in Two Factor Authentication.
  4. When required by management or by an authority for an online function, Two Factor Authentication must be used in conjunction with the account used to access the online function.
  5. Employees in any department whose purpose is primarily to conduct or support administrative activities must complete security awareness training as part of new employee on-boarding and annually thereafter.

Frequently Asked Questions

I have a UCHAD account. Do I need to also have a CNetID account?
No. A UCHAD account provided by the Medical Center can be used to access online functions the same as a CNetID account. If you have both a UCHAD account and a CNetID account, you must use the CNetID account when logging in to online functions outside of the Medical Center. It is simplest to have only one of these accounts.

I have an account issued by my Department, Division, School, or Institute in addition to a CNetID account. Is this account also subject to this policy?
This policy pertains only to CNetID accounts. The Department, Division, School, or Institute may have its own policies concerning the use of accounts it issues.

Must I use a University provided email service?
The University provides all faculty and staff the option to use one or more email services to which email addressed to their CNetID account is delivered. The University also provides all faculty, staff, and students the ability to forward all email addressed to their CNetID account to an email service of their choice. One of these choices must be selected in order to regularly attend to email addressed to your CNetID account.

Why annual password expiration and not some other interval, or never?
With a corpus of hundreds of millions of compromised passwords and “rainbow tables” covering all possible passwords of length up to 8 characters already incorporated into cloud-based services provided by and to the hacker community, older, shorter, and simpler passwords are easy targets. When a password is a substantial part of the protection against unauthorized access to something important, it should be kept out of range of this powerful artillery, and that means changing it from time to time. But there is little consensus about how long that interval should be – there is no a priori reasoning that leads to “annually”. Instead, IT Services has a pragmatic reason to choose this value. The technologies and processes used to issue, manage, and use CNetIDs implement a specification that is accepted by organizations as diverse as the US Federal government and the International Grid Trust Federation as meeting “Level of Assurance 2”. All greater Levels of Assurance require a credential technology that is stronger than passwords. This specification must be tuned to some specific password expiration value, and one year was selected as a reasonable interval. So the better question is: Why not annually?

What is Two Factor Authentication? Why may that be required?
Two Factor Authentication, or 2FA, is the use of a second means of authenticating a user in addition to their username and password. Typically, a smart phone or special hardware token is used to implement the second factor. When 2FA is enabled, a compromised password is not sufficient to gain access. Users of some online functions may be required to use 2FA to prevent unauthorized access to sensitive information. Details of the University’s implementation of 2FA are on the 2fa.uchicago.edu website.

If I enroll in Two Factor Authentication, will I never be asked to change my CNetID password?
You may still be asked to change your CNetID password in response to specific circumstances in which that step is warranted. For example, if your CNetID password is compromised for whatever reason, you will need to change it. And if IT Services updates CNetID password standards to keep ahead of password cracking technology, a campaign to refresh CNetID passwords may be undertaken so that they adhere to the revised standards.

How long does it take to complete security awareness training and why must it be retaken annually?
The security awareness training is provided online and takes approximately 15 minutes to complete. Like IT, IT Security keeps changing and an annual refresher keeps you updated on how you can do your work securely.

Category: Account and Identity
Expiration Date: February 4, 2018
Policy Owner: tbarton