Friday, December 18, 2020 - 15:30
Effective: December 18, 2020
- All references to "UVA Identity Token combined with JointVPN or HSVPN connection" were replaced with "UVA-approved two-factor authentication (e.g. Duo-based High Security VPN)"
- Use of "physical token" to "hardware token" to be consistent with terminology elsewhere in the standard.
- Password length and complexity in general from 8 characters and 3 of 4 character classes OR passwords of more than 20 characters two character classes to 12 characters and three of four character classes.
- "should" to "must" for current password should differ from the user's previous 24 passwords.
- Clarified and defined the difference between a administrative account and a service account.
- Overall format of sections with bulletted items to two tables listing requirements.
- The Purpose and Background was revised to specify the policy under which this standard falls (IRM-002)
- Clear text passwords or passcodes must never be sent via email or printed.
- Changed the format of the User Authentication Requirements from bulleted text to two tables to simplify and make easier to understand.
- Required Reporting section.
- Multiple new Related Links were added.
- “moderately" in front of "sensitive data"