Password Requirements

Policy Details
Information Security
Policy Name Password Requirements
Policy Approved By Senior VP of Business Affairs/CFO
Effective Date 06/01/2018
Policy Objective The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change. This policy reinforces information security by establishing a strong but reasonable password management practice.
Scope The scope of this policy includes all personnel who have access to the college's information systems.
Defined Terms Password – A secret word or phrase that must be used to gain admission or access to something.

Phishing – A fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.
Policy Statement The protection of confidential information and other sensitive data on the network is a fundamental responsibility of every employee and student at the college. Passwords are the keys that control access to this information.
Password creation guidelines should be as follows:

• Be a minimum of 8 characters

• Contain at least three of the following 4 password complexity requirements:
- Lowercase alpha characters (e.g. a, b, c, d, e, …z)
- Uppercase alpha characters (e.g. A, B, C, D, E, … Z)
- Numbers (e.g. 1, 2, 3, 4, 5, …9)
- Special characters or punctuation (e.g. ! @ # $ % ^ & * + > < { } ?)

• Not be based on personal information (names of family, pets, etc.)

Passwords shall be changed at a minimum of every 90 days (3 months), and the last six passwords cannot be reused. Users shall note that anytime there is a change in password, it must be updated on all devices that use the Company’s password, including smartphones, tablets, and laptops.

All passwords should be treated as confidential information. This password shall be unique from every other password the user has. Passwords shall never be written down or recorded along with corresponding account information or usernames. Passwords shall not be shared with any other individual. Users should always be mindful of their surroundings when entering their password (e.g. ensuring no one is looking over their shoulder). If the password is forgotten, users must contact the IT Department for a password reset. In the event that you suspect your account or password to be compromised in any way, immediately report the incident to your immediate supervisor or Client Services.

The IT Department will never send an email message or make a phone call asking for the user’s password. If such a request is received, consider it a forgery (i.e. a phishing scam). Your password should never be provided to anyone, including anyone from IT. When working with IT on an issue, if your password is required you will be asked to type it in.
Roles and Responsibilities Employees and students are responsible for reading, understanding and complying with the statements in this policy.