Security & Passwords

Protect your identity and the university.

You are sharing your identity when you share your password. How would you feel about being interviewed by the police or Internal Audit as a suspect in a crime? If you happen to share your password with someone who embezzles funds, you will be considered a suspect because your name is associated with those transactions. Your UC Davis login ID and password are your signature and are the only way the computer has to identify you. Even if you can clear yourself, you will know that you created the opportunity for the other person to commit the crime. You may also face disciplinary action for violating policy.

You were given a unique login ID/password and a specific role in our financial system (e.g., Document Initiator, Chart String Approver) to ensure that no one person has complete control over a transaction. This separation of duties takes away the opportunity from someone motivated to steal. Think of what could happen if a dishonest person had Chart String Approver privilege.

Fraud is not the only risk caused by sharing passwords. The likelihood of errors and omissions also increases when you share your password with untrained persons. While every good manager will closely supervise and train new employees, having new employees use their own UC Davis login ID makes it easier to identify the transactions they create. Errors and omissions reduce the accuracy, and hence the value, of the information recorded. Aggie Enterprise is the official record of the university and is the basis for financial management and reporting. If the people interested in the way we use our money perceive that our financial reports are not accurate, we can lose the funding (e.g., research funds, state appropriations, bonds, gifts, etc.) and the prestige of UC Davis.

Reasons given for sharing passwords have included:

  1. “Our approver is going on vacation (or is out sick).”
  2. “It takes too long to get an Aggie Enterprise user account for a new employee.”
  3. “I use temporary or student employees and can’t get them accounts.”

While we are all looking for ways to ease the burden of our daily workload, sharing passwords is not an alternative, as it puts both you and the university at risk. (Answers to these and related problems can be found below.)

Facilities Services is an example of an organization that has taken workstation security seriously. They have issued an internal policy that includes: “Each person accessing a computer system must be provided a computer account username and password. It is the responsibility of each person to secure and protect their password. You must never provide/divulge/share your password to/with anyone (including your supervisor or computer support personnel).” Their Computer Resource Manager has also instructed their computer support group to immediately lock/disable any network account for a person who has violated any of their policies. The locked account will not be re-enabled until a meeting between the employee, the employee’s supervisor, and the Computer Resource Manager has been arranged to discuss system security.

No one needs to know your password – including your supervisor and network administrator. The technical support people in your unit have the access they need to perform their duties. In summary, there is absolutely no legitimate reason to ever share passwords. Sharing passwords severely weakens the security of our systems. Make sure that all employees that need access to Aggie Enterprise and/or other university systems have their own user account.

If you have any questions, please contact Controls & Accountability.


How to solve similar problems
 

| Scenario | Solution |
| --- | --- |
| “Our approver is going on vacation/is out sick.” | Review the Knowledge Base Article for guidance on setting up alternate approvers. |
| “It takes too long to get an Aggie Enterprise user account for a new employee.” | The department security liaison can help to quickly set up Aggie Enterprise access for an employee. |
| “I use temporary or student employees extensively and cannot get them accounts.” | The department security liaison can give access to any employee, including temporary and student employees. The procedures are the same as for new employees (see above). |