Personal tools

Appendix A: Security Protocols

This appendix provides a brief overview of considerations when setting up access profiles for providers in the CAISI system.

Note: All of the functions below are performed by administrators, unless otherwise specified.

1. Provision & Termination of Accounts

Staff members requiring access to client files for their position, are to be given accounts.  Accounts include User Names, Passwords, PINs and Secret Questions.  Passwords and PINs will be chosen by staff members and are not to be told to administrators. 

All User Names, Passwords & PINs must be set to ‘expired’ upon staff termination.

2. Expiration of Accounts

User accounts must be set to expire in one year from creation or renewal.  ‘Expired’ accounts remain in the system, but passwords no longer permit entry. 

When accounts/passwords are about to expire, CAISI will give reminders (in pop-up window) to change the password 4 days in advance.  Users can change their own passwords.

3. Password & PIN Creation

Administrators should encourage the use of ‘strong’ passwords. Strong passwords are:

  • 8 or more characters in length
  • alphanumeric (combination of letters and numbers)
  • not an existing word:
    • make a new ‘word’ from a phrase by making an acronym using the first letters of each word (ex. instead of John think of My Son’s Name is John and use the password msnij)
    • change the new ‘word’ into alphanumeric (ex. instead of msnij use m5nij)
    • do not use user IDs, names or nicknames, basic personal information (ex. street name, pet name, telephone number) or dates (ex. September or SEPT2006)

4. Writing Down Passwords & PINs

Writing down passwords and PINs is not encouraged, however, if users have chosen to do so, they should use one of the following tips:

  • write down your password but add or subtract a letter or number (ex. written down is msnij but password is msnij64)
  • write down at least 3 other bogus passwords/PINs on same sheet (and add or subtract a character from the real one)
  • use a chart or other scheme to jog their memory
    • for example: On a credit card size paper, have a grid of random letters with a row and a column header. They only have to remember the start coordinate (Row/Column) and a navigation rule (ex. my password takes 6 letters horizontal and 4 letter vertical).

5. Use of Secret Questions

Secret Questions should be used when administrators monitor accounts of users that they do not know (ex. are not employees or coworkers of theirs) and when there is the possibility of having to identify identity remotely (ex. by telephone).  Secret Questions will be used to verify user identity when resetting passwords & PINs.

If Secret Questions are used, each staff member must pick a Secret Question from the list below and specify an answer:  

  1. What is the first and last name of your first boyfriend or girlfriend?
  2. Which phone number do you remember most from your childhood?
  3. What was your favorite place to visit as a child?
  4. Who is your favorite actor, musician, or artist?
  5. Where did you get engaged?
  6. What is the name of your first movie star crush?
  7. What is your father's nickname?
  8. What is your sibling’s nickname?
  9. What are the last 5 digits of your driver’s license?
  10. Where did your parents get married?
  11. What was your favorite thing to collect as a child?
  12. What is your child’s favorite food?
  13. What is your favorite appetizer?
  14. What was your favorite childhood candy or treat?
  15. What was the name of your favorite high school teacher?
  16. What color was your first pet?
  17. Where did you honeymoon?
  18. What color was your first car?

Administrators are responsible for recording the User Name, Secret Question & PIN and will limit access to this document by locking paper documents in a location to which only that administrator has access or placing passwords on electronic files.

 

Document Actions