Printed on: 01/16/2019. Please go to for the most current version of the Policy or related document.

Operating System Access Control Standard

Appendix to Policy


To ensure authorized access and to prevent unauthorized access to University information and IT resources, operating systems must be configured so that access requires authentication, access attempts are controlled and recorded, and breaches of security generate alerts.

Security Controls

Operating System Access Control

The following table defines the baseline security controls for access controls in the operating system. Controls in this section apply to any access (user, system or service account) to the data or systems (single-use computer, server, etc.).

Control Security Level
ID Description High Medium Low
OSA.A.01 Limit the number of unsuccessful logon attempts (suggested: no more than 10 consecutive attempts) Required Required Optional to view data
Recommended for all other access
OSA.A.02 Record successful and unsuccessful logon attempts Required Required Required
OSA.A.03 Limit the time and delay for logon (suggested: wait 15 minutes after 10 unsuccessful logon attempts and reset the lockout counter after 15 minutes) Required Recommended Recommended
OSA.A.04 Conceal password entry Required Required Recommended
OSA.A.05 Do not transmit password in clear text Required Required Required
OSA.A.06 Use inactive session timeout (suggested: 15-30 minutes) Required 1 Required Optional to view data
Required for all other access
OSA.A.07 Enforce password history (suggested: 5 passwords remembered) Required Required Optional
OSA.A.08 Maximum password age (365 days or less) Required Required Optional
OSA.A.09 Minimum password age (1 day) Required Required Optional
OSA.A.10 Display only generic identifiers or messages until successful logon Required Recommended Recommended
OSA.A.11 Change vendor default passwords Required Required Required
OSA.A.12 Document operating system access controls used Required Recommended Optional to view data
Recommended for all other access

1 PCI-DSS requires a 15 minute timeout for systems that store, process, or transmit cardholder data, or support the credit card processing environment.

Resources Covered

This applies to IT resources owned or contracted by the University. This also applies to personally owned devices accessing, or authorized to store University data designated as private-highly restricted or private-restricted .

Individuals Covered

This applies to University community members who use or manage University IT resources.

Related Information

More information on Operating System Access Control

Published Date

  • November 2014

Document Feedback