Per reference (a), an individual identifier (i.e., a user login ID or unique token) and a password are required to access DON IS. The following guidance is provided to ensure the security of all IS, including networks, terminals, laptops, peripherals, and government-approved portable electronic devices.
TTGL IS require a standardized system for the proper and repeatable management of user accounts. This system shall encompass all facets of user account creation, management and deletion so that system administrators can properly maintain all IS on the TTGL network.
Personnel reporting onboard and requesting access to the TTGL network will have an account created once the following has been provided:
A completed OPNAV 5239/14 (SAAR-N).
Security Clearance validated on SAAR-N by TTGL SECMGR.
Copy of current IA Awareness training certificate.
Note: Interim access to the network may be granted for three days in order for the member to complete IA training. If the training is not completed by the end of day three, the account will be disabled until training is completed and reported to IAM.
User Logon Identification. The following naming conventions will be used to create user login IDs for all personnel having access to the TTGL IS.
The user's first name, a period, then last name (e.g., Nancy King would be nancy.king). The middle initial may also be included.
The account expiration date will be set to the month following the user's PRD or EAOS, or to the date of disembarkation if the user is embarked.
Display names in the Global Address List (GAL). The GAL is used by the entire command to identify individual users and e-mail distribution membership. The following standard will be used when establishing the displayed information in the GAL.
Title – Military personnel: Last name, first name followed by Rank/Rate. Civilian personnel: last name, first name followed by CIV/CTR.
Departmental Affiliation. Users will be included in a Departmental group (i.e. N6, Module Heads, TLAM, etc.).
Abandoned/Dormant User Accounts.
Any account that has not been accessed in over 60 days is classified as a dormant user account and will be disabled.
User accounts will be removed or deactivated within 48 hours of notification that a user no longer requires access to the system. Users and supervisors are responsible for notifying N6 when access is no longer required.
Dormant accounts that have not been accessed or reactivated within 12 months will be reviewed for deletion unless it is noted that the member is TAD and still attached to the command.
If the account's user will return within 30 days, or a justified reason for inactivity exists, the account description will be annotated with the individual's estimated date of return and the account will be disabled.
If the user will be TAD longer than 60 days, their account shall be deactivated and they shall be removed from all e-mail distribution lists. The lead SYSADMIN shall annotate which distribution lists the user was assigned to so that they can be restored on reactivation.
The lead SYSADMIN shall submit a monthly report to IAM listing all users and indicating those that have been added, disabled, deleted, and granted or revoked privileged access.
To ensure proper use and function of administrator login IDs, all privileged users should be assigned two user IDs and passwords:
One with privileged user (SYSADMIN) access
One with authorized user access
Group accounts are not permitted unless approved by IAM.
Passwords
Default passwords are not permitted unless approved by IAM.
The initial password for new users will be a standard password generated by SYSADMIN. This password will be at least twelve characters and contain at least one uppercase character, one lowercase character, one number, and one special character. It is a one-time password that the user will be required to change at initial login.
Passwords, at a minimum, shall comply with standards defined in reference (b). Passwords shall consist of fourteen characters and will contain, in random order, at least two uppercase letters, two lowercase letters, two numerals, and two special characters (e.g., !$P%a*S2w0rd$!).
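A compliance check for the two complexity rules above (the SYSADMIN-issued initial password and the standard fourteen-character user password) is shown here as an added example; it is not part of the instruction or of any TTGL system. It treats "fourteen characters" as a minimum length, counts only ASCII letters, digits and punctuation toward the four classes, and cannot verify the "random order" requirement.

```python
import string

# Character classes recognised by the complexity rule; anything else counts toward none of them.
CLASSES = {
    "uppercase letters": set(string.ascii_uppercase),
    "lowercase letters": set(string.ascii_lowercase),
    "numerals": set(string.digits),
    "special characters": set(string.punctuation),
}

def password_shortfalls(password: str, min_length: int = 14, min_each: int = 2) -> list[str]:
    """Return every rule the password fails; an empty list means it is compliant.

    Defaults encode the standard-user rule (fourteen characters, at least two of each
    class). The initial-password rule is min_length=12, min_each=1.
    """
    failures = []
    if len(password) < min_length:
        failures.append(f"length {len(password)} is below {min_length}")
    for name, chars in CLASSES.items():
        count = sum(1 for c in password if c in chars)
        if count < min_each:
            failures.append(f"{count} {name}, need at least {min_each}")
    # Spaces and non-ASCII characters satisfy no class; flag them so they are not
    # silently padding the length requirement.
    unclassified = sorted({c for c in password if not any(c in s for s in CLASSES.values())})
    if unclassified:
        failures.append(f"characters outside the four classes: {unclassified!r}")
    return failures

def meets_standard(password: str) -> bool:
    """Standard user password rule: 14+ characters, at least two of each class."""
    return not password_shortfalls(password)

def meets_initial_password_rule(password: str) -> bool:
    """SYSADMIN-generated one-time initial password: 12+ characters, one of each class."""
    return not password_shortfalls(password, min_length=12, min_each=1)

if __name__ == "__main__":
    for candidate in ["!$P%a*S2w0rd$!", "Password1!", "Welcome2TTGL!x"]:
        print(candidate, password_shortfalls(candidate) or "compliant")
```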
Passwords shall be set to expire every 60 days, or as directed by INFOCON guidance. This applies to all levels of access.
Passwords shall not be shared with other individuals.
If a password is compromised, the individual shall notify the duty SYSADMIN for an immediate password change.
Passwords shall be given the same classification as the IS they protect.
In-person verification of identity is required prior to resetting passwords or unlocking user accounts; account resets requested over the phone or by e-mail are not permitted. The Commanding Officer (CO), Executive Officer (XO), Senior Enlisted Leader (SEL), and Department Heads (DH) may have passwords reset by e-mail request combined with a phone confirmation.
All factory set, default or standard user IDs and passwords will be removed or changed during system configuration and prior to the system becoming operational.
Basic Input/Output System (BIOS) passwords will be set and maintained by the lead SYSADMIN. These passwords shall not match administrative passwords. Per reference (h), BIOS passwords on systems with automated BIOS password administration capabilities will be changed semi-annually; on systems without this automated capability they will be changed annually.
Communicating passwords, including temporary passwords, by phone or e-mail is not permitted.
Chapter SEVEN
Policy on Use of Removable Media, Control and Accounting Procedures