Introduction
Passwords are one of the primary mechanisms that protect university information systems and other resources from unauthorized use. Constructing secure passwords and ensuring proper password management are essential. Standards for proper password creation and management greatly reduce these risks. As such, all Belmont University students and employees (including contractors and vendors with access to Belmont University systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
Purpose
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.
Scope
The scope of this policy includes all users who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Belmont University facility, has access to the Belmont University network, or electronically stores any non-public Belmont University information. All staff and faculty who require maintenance access to Banner and related administrative systems must comply with data security standards as required by the Office of Assessment and Institutional Research (OAIR).
Policy
Computing accounts shall be protected by strong passwords. Account holders and system administrators shall protect the security of those passwords by managing passwords in a responsible fashion. System developers shall develop systems that store or transmit password data responsibly and that use secure authentication and authorization methods to control access to accounts.
Password Construction Guidelines
- All user-level passwords (e.g., email, web, desktop computer, etc.) must exhibit complexity by:
  - Not containing all or part of the user's account name or any personally identifiable data such as birthdate; and
  - Containing characters from three of the following four categories:
    - Uppercase characters (A through Z)
    - Lowercase characters (a through z)
    - Base 10 digits (0 through 9)
    - Non-alphabetic characters (for example, !, $, #, %)
- All user-level passwords must be a minimum of 8 characters; at least 12 characters is recommended.
- The university recommends using a passphrase, which is easy to memorize and use while remaining secure. For example, the passphrase “I love bike riding” can become a very strong password by substituting characters, such as “Ilov3bik3riding!”.
Password Protection Guidelines
Passwords must be protected. Under no circumstances should a user divulge their password to another person. If a password or account is shared with a member of Belmont LITS support for the purpose of resolving a technical issue, that password must be changed as soon as possible after the incident. The following rules apply to password use and management by students, faculty and staff.
- Maintain a password history of at least 2 passwords and do not allow reuse.
- Allow a maximum password age of 180 days.
- Require a user to be locked out after more than 5 unsuccessful attempted logons.
- Campus Network access through Active Directory, Ellucian Banner and MyBelmont must have automatic log-offs after a predetermined period of inactivity; username and password will be required for re-authentication.
- Complete username and password combinations must not be inserted into email messages or other forms of electronic communication unless the message is encrypted.
- All temporary passwords must be changed at first logon.
- If an account or password is suspected to have been compromised, the incident must be reported to IT Security Services and all associated passwords must be immediately changed.
- Automated password guessing may be performed on a periodic or random basis by the Office of Information Security or its delegates. If a password is guessed during one of these scans, the user will be required to change it.
- All major system-level passwords must be changed on at least a semi-annual basis.
- The university recommends users have a different password for each system.
- Passwords should never be written down and left in plain sight, or stored in plain text online. If a password must be written down, it should be stored in a secured location.
Administrative Password and Account Protection Guidelines
Direct account login access by all users including faculty, staff and students to Belmont Data Systems including but not limited to Banner INB, Adirondack, Document Imaging, Argos, Degreeworks, ProWatch and EMS must conform to University Data Security and Data Access Requests Policy and these additional password and account protection guidelines. These guidelines are intended to protect confidential data by ensuring that account usernames and passwords are protected at all times and access is available and limited to specific users based on role.
- Administrative accounts must be approved and maintained in accordance with the data security standards required by the Office of Assessment and Institutional Research (OAIR).
- Access level to Banner data must conform to user roles based on assigned status within Banner.
- Passwords must not contain all or part of a user’s administrative account name.
- Passwords cannot contain any of the following character strings: 'welcome', 'database', 'account', 'user', 'password', 'oracle', 'computer', 'abcd', 'banner'.
- Passwords are required to be changed every 90 days or the account will be designated expired.
- Administrative accounts will be locked after three failed successive login attempts.
- Creation of strong passwords and best practices for password use should be emphasized via employee security awareness training to improve the overall posture of IT risk management.
- Administrative account access will be removed as soon as possible, and no later than 5 days after a user is no longer an employee of the university.
- Administrative passwords must be changed whenever there is a change in the technical staff that has administrative account access and whenever there is a suspicion of possible system compromise.
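The following is an added example, not part of the policy or any Belmont system: a Python validator that applies the user-level construction rules above (minimum length, three of four character categories, no part of the account name or personal data) and, when `administrative=True`, the additional forbidden-string rule for Belmont Data Systems accounts. Treating any run of three or more characters of the account name as a "part" of it, and the `check_password`/`_contains_part_of` names, are assumptions of this example.

```python
import re

# Substrings the Administrative Password guidelines forbid (taken from the policy text).
ADMIN_FORBIDDEN = ("welcome", "database", "account", "user", "password",
                   "oracle", "computer", "abcd", "banner")

# The four complexity categories; a password must hit at least three of them.
CATEGORIES = (
    re.compile(r"[A-Z]"),         # uppercase A-Z
    re.compile(r"[a-z]"),         # lowercase a-z
    re.compile(r"[0-9]"),         # base-10 digits
    re.compile(r"[^A-Za-z0-9]"),  # non-alphanumeric, e.g. ! $ # %
)

def _contains_part_of(password, name, min_len=3):
    """True if any min_len-character run of `name` appears in `password`.
    The policy says 'all or part of' the account name; treating a run of three
    or more characters as a 'part' is an assumption made for this example."""
    for i in range(len(name) - min_len + 1):
        if name[i:i + min_len] in password:
            return True
    return False

def check_password(password, account_name, personal_data=(), administrative=False):
    """Return (violations, warnings). An empty violations list means the
    password satisfies the mandatory rules; warnings cover recommendations.
    personal_data: strings such as a birthdate that must not appear.
    administrative: also apply the Belmont Data Systems account rules."""
    violations, warnings = [], []
    lower = password.lower()
    if len(password) < 8:
        violations.append("shorter than the 8-character minimum")
    elif len(password) < 12:
        warnings.append("shorter than the recommended 12 characters")
    if sum(1 for cat in CATEGORIES if cat.search(password)) < 3:
        violations.append("fewer than three of the four character categories")
    if _contains_part_of(lower, account_name.lower()):
        violations.append("contains all or part of the account name")
    for item in personal_data:
        if item and item.lower() in lower:
            violations.append(f"contains personal data '{item}'")
    if administrative:
        for word in ADMIN_FORBIDDEN:
            if word in lower:
                violations.append(f"contains forbidden string '{word}'")
    return violations, warnings

if __name__ == "__main__":
    # Constructed sample: the policy's own passphrase example against a made-up account name.
    print(check_password("Ilov3bik3riding!", "jdoe"))  # ([], [])
    print(check_password("Password1", "jdoe", administrative=True))
```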
Compliance
Violations of this policy may incur the same types of disciplinary measures and consequences as violations of other university policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a student code of conduct violation.
Systems and accounts that are found to be in violation of this policy may be removed from the Belmont network, disabled, etc. as appropriate until the systems or accounts can comply with this policy.
Related Standards, Policies, and Procedures
The Password Policy is administered through a collection of Belmont standards. The Belmont University Password Policy and its standards are in effect at all times. LITS works in concert with the Dean of Students Office, Senior Leadership, and Human Resources to ensure fair and appropriate investigation, consideration, and consequences where appropriate. Users are expected to familiarize themselves with Belmont standards and comply with them.
- Acceptable User Policy
- Wireless Communication Policy
- Remote Access Policy
- Technology Purchasing Policy
- Data Classification Policy
- 2016-2017 Belmont Bruin Guide
- 2016-2017 Faculty Staff Handbook
- 2016-2017 Staff Handbook
- FERPA Policy
- HIPAA Policy
- GLBA Policy
- Misconduct Policy
- Data Security and Data Access Requests Policy
Definitions and Terms
USER: Any person using any of the university’s computer or information resources, including but not limited to:
- Faculty
- Students
- Alumni
- Contractors
- Consultants
- Associates, honoraries and visiting staff
- Community members and guests
- Other users authorized by the university
- Third parties (e.g., vendors, contractors, etc.)
- Anyone connecting non-Belmont equipment (e.g. laptop computers) to the university network
LITS: Library and Information Technology Services. The Belmont division that supports technology and library services for the campus.
Date of Change | Responsible | Summary of Change
---|---|---
May 19, 2016 | Randall Reynolds, Director of Information Security | New Policy
July 25, 2016 | Randall Reynolds, Director of Information Security | Policy language for Administrative systems updated
October 20, 2016 | Randall Reynolds, Director of Information Security | Policy Updated
May 12, 2017 | Randall Reynolds, Director of Information Security | Policy Updated