Policy Title | Password Management Policy |
Type or category of Policy: | COLLEGE Policy |
Approval Authority: | Chief Information Officer |
Responsible Executive: | Chief Information Officer |
Responsible Office: | Information Technology Services |
Owner Contact: | Information Security Administrator informationsecurity@siena.edu |
Reviewed By: | Cabinet |
Reviewed Date: | 4/28/2015 |
Last Revised and Effective Date of Revision: | 9/7/2015 |
Reason for Policy
The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of changing these passwords.
Scope of the Policy: Entities or Individuals affected by this policy
The scope of this policy includes all personnel (students, faculty, staff, administrators, guests, volunteers, vendors, contractors, temporary workers, alumni, etc.) who have been granted or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Siena College facility or has access to the Siena College network.
This policy applies to, but is not limited to, the following areas:
- Email/Network/Active Directory
- Banner/Oracle
- Banner Self-Service PIN
- Central Information Technology Services (ITS) Administered Services
The Official Policy
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the entire Siena College network. As such, all Siena College faculty, staff, administrators and students (including contractors, guests, volunteers and vendors with access to Siena College systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. It is important to set a strong password and to change it regularly. As a general rule of thumb, changing your password every 90 days is recommended.
A strong password consists of:
- A minimum of ten characters
- A mix of upper and lower case letters
- At least one numeric character, and
- At least one special character.
- See Password Policy Chart below for further details.
A helpful hint: create a strong passphrase and then derive your password from it. This is often easier than trying to remember a random combination of characters. Remember, however, to include special characters as well.
Password Best Practices:
- Do not reveal a password over the phone to anyone.
- Do not reveal a password in an email message without encryption.
- Do not reveal a password to your boss or administrative assistant.
- Do not talk about a password in front of others.
- Do not hint at the format of a password.
- Do not use passwords that could be easily identifiable or easy for someone to guess such as your name or school name.
- Do not use dictionary words in any language.
- Do not reuse old passwords.
- Do not reveal a password on questionnaires or security forms.
- Do not share a password with co-workers while on vacation.
- Do not write down a password and store it in an easily accessible location, e.g. under your keyboard.
- Do report to the ITS Help Desk immediately if you suspect that your user account or password has been compromised.
Password Policy Chart:

| | Email/Network/Active Directory | Banner System INB/Oracle | Banner Self-Service PIN |
|---|---|---|---|
| Password Expiration (days) | 365 | 90 | 120 |
| Minimum Length (characters) | 10 | 10 | 10 |
| Account Locking / Failed Logins | 12 times* | 5 times | 5 times |
| Password Grace Period (days) | None | 14 | None |
| Account Inactivity Locking | After one year | After six months | None |
| Minimum Password Complexity | Password must contain three of the following four categories: Upper Alpha (A-Z), Lower Alpha (a-z), Numeric (123), Special Character (e.g. !, ^, *, %, +, ?, -). Note that not all symbols are allowed. | Password is case sensitive and should be a combination of letters, numbers, and one special character. It must differ from the previously used password in at least three characters. | PIN must contain at least one alpha and one numeric character; in addition, the user will need to set up two security questions. |
| Password History | 12 passwords | None – password cannot be reused for one year | None – password cannot be reused for one year |
*Note: 7/23/2012 Moran Group recommendation; increased from 5 times.
Policy Related to Central ITS Administered Services (Servers)
ITS’ policy is to create the strongest passwords possible to protect the College’s central IT infrastructure, i.e. servers, network storage, etc. Thus, the following policies are in place:
- All system level passwords (e.g. root, enable, Windows Administrator, application administration accounts, etc.) are changed every 90 days.
- Default passwords are not used.
- Where SNMP is used, the community string must be defined as something other than the standard defaults of “public”, “private”, and “system”, and must be different from the passwords used to log in interactively.
- Passwords are at least ten characters in length.
- Passwords have the following characteristics:
  - Contain at least three of the five following character classes:
    - Lower case characters
    - Upper case characters
    - Numbers
    - Punctuation
    - Special characters (e.g. @#$%^&, etc.)
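The complexity rules in the Password Policy Chart above and in the server password rules just listed can be enforced mechanically rather than left to the user. The following Python is an added example written for this page, not ITS software or an existing Siena College filter: it encodes the three chart columns (three of four categories for Email/Network/AD, letters plus numbers plus one special character and a three-character difference from the previous password for Banner, one alpha and one numeric for the Self-Service PIN) and the server rule (three of five classes). The exact set of allowed special characters, the split between "punctuation" and "special characters" for the server rule, and the position-by-position meaning of "different" are assumptions, because the policy gives only examples; function names and sample passwords are constructed for the example.

```python
import string

# Character categories used by the Email/Network/AD and Banner columns of the chart.
UPPER, LOWER, DIGIT = set(string.ascii_uppercase), set(string.ascii_lowercase), set(string.digits)
# The chart lists "!, ^, *, %, +, ?, -" as example specials and warns that not all
# symbols are allowed; this exact allowed set is an ASSUMPTION made for the example.
SPECIAL_ALLOWED = set("!^*%+?-@#$&")
# The server policy names five classes; the split between "punctuation" and
# "special characters" is likewise an ASSUMPTION (the policy only gives examples).
PUNCTUATION = set(".,;:'\"!?")
SERVER_SPECIAL = set(string.punctuation) - PUNCTUATION


def categories(pw):
    """Return the chart categories present in pw; 'disallowed' flags any
    character outside upper/lower/digit/allowed-special."""
    found = set()
    for c in pw:
        if c in UPPER:
            found.add("upper")
        elif c in LOWER:
            found.add("lower")
        elif c in DIGIT:
            found.add("digit")
        elif c in SPECIAL_ALLOWED:
            found.add("special")
        else:
            found.add("disallowed")
    return found


def check_ad_password(pw, history=()):
    """Email/Network/Active Directory column: 10+ characters, three of the four
    categories, only allowed symbols, and not one of the last 12 passwords."""
    problems = []
    cats = categories(pw)
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if "disallowed" in cats:
        problems.append("contains a symbol that is not allowed")
    if len(cats - {"disallowed"}) < 3:
        problems.append("fewer than three of the four character categories")
    if pw in list(history)[-12:]:
        problems.append("matches one of the last 12 passwords")
    return problems


def differs_in_at_least(new, old, n=3):
    """Banner rule: the new password must differ from the previous one in at
    least n characters. Compared position by position; extra length counts
    as differences (ASSUMPTION: the policy does not define 'different')."""
    diffs = sum(1 for a, b in zip(new, old) if a != b) + abs(len(new) - len(old))
    return diffs >= n


def check_banner_password(pw, previous=None):
    """Banner INB/Oracle column: 10+ characters, letters + numbers + one special
    character, and at least three characters different from the previous password."""
    problems = []
    cats = categories(pw)
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not cats & {"upper", "lower"}:
        problems.append("no letters")
    if "digit" not in cats:
        problems.append("no numeric character")
    if "special" not in cats:
        problems.append("no special character")
    if previous is not None and not differs_in_at_least(pw, previous):
        problems.append("differs from the previous password in fewer than three characters")
    return problems


def check_self_service_pin(pin):
    """Banner Self-Service PIN column: 10+ characters, at least one alpha and one numeric."""
    problems = []
    if len(pin) < 10:
        problems.append("shorter than 10 characters")
    if not any(c.isalpha() for c in pin):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in pin):
        problems.append("no numeric character")
    return problems


def check_server_password(pw):
    """ITS server policy: 10+ characters and at least three of the five classes
    (lower, upper, numbers, punctuation, special)."""
    classes = [
        any(c in LOWER for c in pw),
        any(c in UPPER for c in pw),
        any(c in DIGIT for c in pw),
        any(c in PUNCTUATION for c in pw),
        any(c in SERVER_SPECIAL for c in pw),
    ]
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if sum(classes) < 3:
        problems.append("fewer than three of the five character classes")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for label, result in [
        ("AD ok", check_ad_password("Ridge-Lantern42")),
        ("AD too few categories", check_ad_password("ridgelantern42")),
        ("Banner near-duplicate", check_banner_password("Winter2015!a", previous="Winter2015!b")),
        ("PIN ok", check_self_service_pin("maple2015road")),
        ("Server ok", check_server_password("Gr4nite#Harbor")),
    ]:
        print(f"{label}: {result or 'passes'}")
```

Each checker returns the list of rules a candidate breaks, so the same functions can back a self-service change form, a pre-commit check on a vault of service-account credentials, or a periodic audit; an empty list means the candidate satisfies that column of the chart. Note that the Banner "differs in at least three characters" rule only works if the previous password is available in clear text at change time, which is why it is typically enforced by the system that owns the account rather than by an external audit.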
Exceptions
Exceptions can be granted in limited circumstances by the Chief Information Officer based upon the needs of the College and upon the requestor’s written justification, which has been reviewed and approved by the College’s Risk Officer.