Policy Name: Password Policy
- Owner: Chief Information Officer
- Author: Information Security Manager
- Contact Information: servicedesk@css.edu
- Effective Date: 04/16/2024
- Recent Review: 07/09/2024
- Next Review Date:
- Applicable Laws, Regulations, Compliance: NA
I. Purpose
The Password Policy aims to establish secure and effective practices for creating, managing, and using passwords within The College of St. Scholastica. This policy is designed to protect the confidentiality, integrity, and availability of our data and information, including but not limited to student records, employee information, and intellectual property. By enforcing strong password management, we aim to mitigate the risks associated with unauthorized access, data breaches, and cyber threats. Users who violate this policy will be held responsible for a security breach and any impact this may have on the integrity of data or the network's performance.
II. Definitions
● Complexity Requirements: Passwords must include a mix of uppercase and lowercase letters, numbers, and special characters.
● Domain Administrator (Elevated Accounts): Accounts with elevated privileges and comprehensive access or control over the College’s network resources.
● Domain User Accounts: Standard accounts used by students, faculty, and staff to access general computing resources within the College’s network.
III. Policy
- Password Creation and Requirements
  - Domain Administrator (Elevated Accounts)
    - Minimum Length: Passwords must be at least 20 characters.
    - Complexity Enabled: Passwords must contain uppercase letters, lowercase letters, numbers, and special characters.
    - Minimum Age: Passwords cannot be changed for at least one day after the last change.
    - Password History: To avoid repetition, an account may not reuse any of its last 24 passwords.
    - Auditing and Blocklisting: Regularly audit passwords for strength and disallow commonly used weak passwords.
  - Domain User Accounts
    - Minimum Length: Passwords must be at least 14 characters.
    - Complexity Enabled: Passwords must include uppercase letters, lowercase letters, numbers, and special characters.
    - Minimum Age: Passwords must be at least one day old before being eligible for a change.
    - Password History: To avoid repetition, an account may not reuse any of its last 18 passwords.
    - Auditing and Blocklisting: Regularly audit passwords for strength and disallow commonly used weak passwords.
- Password Confidentiality
  - All College of St. Scholastica account holders must treat their passwords as confidential.
  - Passwords are recognized as the “digital keys” that protect the user’s identity and secure access to sensitive data, preventing unauthorized access to personal and institutional data.
- Password Sharing
  - No Sharing of Passwords: No individual may share passwords with others, including, but not limited to, colleagues, supervisors, friends, or family. Sharing passwords undermines the security measures that protect the user and the College’s digital resources. Each password is tied to an individual’s account, and any actions taken with that account are the account holder's responsibility.
  - No Use of Others' Passwords: Similarly, no individual may use a password or account not issued to them in any capacity. Using someone else's password to access systems or information, regardless of the reason, violates College policy.
- Password Compromises
  - Individuals aware of a suspected or confirmed password compromise must immediately report it to the IT Service Desk to alert the Information Security team.
  - Accounts experiencing a suspected or confirmed password compromise will be locked and subject to owner verification and a password change before unlocking.
IV. Individuals and entities affected by this policy
This policy applies to all accounts, including those belonging to other students, faculty, staff, or any other accounts within the College's network. Temporary privileges will be given, as appropriate, for official guests at The College.
V. Related documents, forms, and procedures
Shared Accounts Policy
VI. History and Updates
The College reserves the right to modify policies at any time, ensuring the involvement of relevant committees and constituents in the decision-making process (e.g., policy committee, faculty assembly, staff council, student government association, etc.).