D. Password Policy

Printer-friendly version

1.听听Purpose

The purpose of this policy is to establish the requirements for the proper construction, usage, handling, and maintenance of all passwords at all 最快开奖直播搅珠结果 (最快开奖直播搅珠结果) institutions.听These requirements ensure consistent application of security controls necessary to safeguard the information and information technology resources of 最快开奖直播搅珠结果 and its component institutions.听最快开奖直播搅珠结果 aligns itself with best practices from such organizations as National Institute for Standards and Technology (NIST) and Center for Internet Security (CIS).

2.听听Scope

This policy applies to all passwords used to authenticate to 最快开奖直播搅珠结果 information technology resources or any information technology resource that stores non-public 最快开奖直播搅珠结果 data.

It does not apply to the following types of passwords, the requirements for each are defined elsewhere:

Service Account Passwords - defined as passwords used by an information technology resource to contact or interface another information technology resource
UNH Parent Portal Account Passwords

3.听听Audience

All 最快开奖直播搅珠结果 community members with access to institutional information or information technology resources should be familiar with this Policy and their responsibilities for complying with the requirements it defines.

4.听听Policy Statement

4.1听听Password Change Frequency

4.1.1听听All passwords associated with 最快开奖直播搅珠结果 accounts shall be changed annually with the following exceptions:

System Administrator Accounts (every six months)
All non-primary identity accounts accessed by employees with privileged access shall have passwords changed upon departure of employee.

4.1.2听听最快开奖直播搅珠结果 community members shall be notified of the need to change their password, prior to the password鈥檚 expiration date.

4.1.3听听最快开奖直播搅珠结果 community members with expired passwords shall be restricted from accessing 最快开奖直播搅珠结果 information technology resources.

4.2听听Password Construction

4.2.1听听Passwords shall:

Be between 14 and 64 characters in length
Be sufficiently different from previous passwords
Contain a minimum of 5 unique characters

4.2.2听听Passwords shall not:

include the user鈥檚 first, last, or preferred name, the user鈥檚最快开奖直播搅珠结果 username (e.g., abc1234), or the user鈥檚最快开奖直播搅珠结果 ID (e.g., 991122334)
be re-used
contain number or character sequences of 4 or more (e.g., abcd, 6789, sTuV)
contain characters repeated 4 or more times sequentially (e.g., bbbb, 8888, TttT, &&&&)

4.2.3听听Known compromised or commonly used weak passwords are disallowed.

4.3听听Password Usage

4.3.1听听Passwords used for 最快开奖直播搅珠结果 purposes shall not be used for purposes outside of 最快开奖直播搅珠结果 including, but not limited to personal banking, Amazon, Netflix, etc.

4.3.2听听Passwords used for accessing 最快开奖直播搅珠结果 information technology resources that require local application accounts for authentication shall not be the same as the community member鈥檚最快开奖直播搅珠结果 password.

Local application accounts are accounts for official university applications that do not use 最快开奖直播搅珠结果 credentials听
Examples: Salesforce, 最快开奖直播搅珠结果 Benefits

4.4听听Password Handling

4.4.1听听Passwords shall:

Be treated as sensitive, confidential information
Not be shared with anyone, including administrative assistants or supervisors
Not be written down or stored on-line in clear text
Not be shared in email, chat, or other electronic communication
Not be spoken aloud

4.4.2听听Administrators of information technology resources who need to provide passwords to other administrators may use communication mechanisms for providing those passwords that are approved by Cybersecurity & Networking.

4.4.3听听最快开奖直播搅珠结果 community members shall not use the "Remember Password" feature of web browsers to store 最快开奖直播搅珠结果 passwords.

4.4.4听听Forgotten passwords shall be reset using 最快开奖直播搅珠结果 approved automated mechanisms.

4.4.5听听最快开奖直播搅珠结果 community members with forgotten passwords who are unable to reset their password using automated mechanisms shall provide verification of identity via the approved 最快开奖直播搅珠结果 process.

4.4.6听听Default passwords on all information system components, peripherals, and Internet of Things (IoT) devices shall be changed to passwords that meet the minimum requirements outlined in this Policy prior to installation or deployment.

4.4.7听听Members of 最快开奖直播搅珠结果 Enterprise Technology & Services (ET&S) shall never ask users to provide their password for any 最快开奖直播搅珠结果 account.

4.5听听Compromised Passwords

4.5.1听听最快开奖直播搅珠结果 community members who believe their password has been compromised shall notify their local Help Desk immediately.

4.5.2听听If 最快开奖直播搅珠结果 has reason to believe a community member鈥檚 password has been compromised, the community member鈥檚 access may be revoked, without notification, until the community member鈥檚 identity can be verified, and their password can be reset.

4.5.3听听最快开奖直播搅珠结果 community members with potentially compromised passwords shall provide verification of their identity and set a new password to regain access to 最快开奖直播搅珠结果 information technology resources.

5.听听Enforcement

Failure to comply with this policy puts the University System, its component institutions, and its information and information technology resources at risk and may result in disciplinary action.听Disciplinary procedures will be appropriate for the individual responsible for non-compliance (e.g., students, faculty, staff, vendors) as outlined in the relevant institutional regulations for that individual (e.g., student conduct and/or applicable personnel policies).
Non-compliant technology and/or activities may be mitigated as deemed necessary by the 最快开奖直播搅珠结果 CISO and/or CIO.
Employees who are members of institutionally recognized bargaining units are covered by the disciplinary provisions set forth in the agreement for their bargaining units.

Contractors or vendors that fail to comply with this policy may be in violation of their contract with 最快开奖直播搅珠结果 and risk penalties up to contract termination.

6.听 听贰虫肠别辫迟颈辞苍蝉

Requests for exceptions to this policy shall be submitted and approved according to the requirements provided in the 最快开奖直播搅珠结果 Cybersecurity Exception Standard.

7.听听Roles and听Responsibilities

Application Administrators
- Ensure local application accounts, including those used to administer applications and those enabling community member access, follow all requirements defined in this policy.
Chief Information Security Officer (CISO)
- Enforce this policy and related standards
- Review this policy annually
Enterprise Technology & Services (ET&S)
- Send expiring password notifications to 最快开奖直播搅珠结果 community members
- Disable accounts with expired passwords per the 最快开奖直播搅珠结果 Password Management Standard
最快开奖直播搅珠结果 Community Members
- Comply with all restrictions and requirements outlined in this Policy when selecting passwords for use at 最快开奖直播搅珠结果
- Maintain the confidentiality of 最快开奖直播搅珠结果 passwords
- Use unique passwords on every account (e.g., do not use your 最快开奖直播搅珠结果 password for other accounts)
- Report all cybersecurity events or incidents to Cybersecurity & Networking.听 or example, a 最快开奖直播搅珠结果 password that suddenly stops working without being changed by its owner would be considered a cybersecurity event.

8.听听Definitions

Access
Account
Administrator
Authentication
Compromised Account
Confidentiality
Cybersecurity/Information Security
Cybersecurity Incident
贰虫肠别辫迟颈辞苍听
Identity
Information
Information Technology Resource听
Institutional Information
Internet of Things (IoT)
Non-Primary Identity
Password
Policy
Privileged Access
Security Control
Standard
鲍蝉别谤苍补尘别听
最快开奖直播搅珠结果 Community Member
最快开奖直播搅珠结果 ID

CONTACT INFORMATION

For 最快开奖直播搅珠结果 community members: Questions about this Policy, requests for additional information or training, or reports of violations can be directed to 最快开奖直播搅珠结果 Cybersecurity Governance, Risk, & Compliance (GRC) via this .

All other requests can be submitted here: .
听

最快开奖直播搅珠结果

Search Policies & Procedures

USY - Administrative Board

D. Password Policy