Password and PIN Security Policy

Purpose:

The purpose of this policy is to establish secure guidelines for password and PIN administration.

 

Statement:

Passwords and PINs must be properly structured, routinely changed, and kept strictly confidential.

 

Description:

  • Each individual user must keep their passwords and PINs for all accounts secret. At no time are user IDs, passwords, or PINs to be shared with others.
  • Passwords will not be displayed on screens as they are entered.
  • Passwords and PINs must be changed whenever there is any indication of possible system or password compromise.
  • Passwords and PINs must be encrypted when held in storage for any significant period of time or when transmitted across the network.
  • Passwords and PINs must never be embedded in sign-on utilities; users must never be able to authenticate at sign-on by using a function key or running an available program.
  • Passwords and PINs must have a minimum length of 8 characters, including at least one uppercase, one lowercase and one numeric character. Note: Passwords which allow access to the SIS database (Colleague) cannot be any variation of the username ID.
  • Passwords and PINs must be changed every 90 days.
  • Initial passwords which allow access to our SIS database (Colleague) must be marked as expired, and users must be required to change the password/PIN at the first use.
  • User-chosen passwords and PINs must not be reused for 10 iterations.
  • Guest logins are available and issued by the help desk or a UTS administrator and must be changed on a routine basis.
  • Users may reset their password by visiting the Community System website and using the Reset password option.
  • Users with access to the SIS database (Colleague) must contact the help desk if a manual password reset is required; this requires positive identification.
  • A clear-text user ID and associated password must never be delivered in a single message and/or via the same medium.

 

Additional Information: See also Password Notification.

 

Approved By: Managers and CIO

 

Date of Origination: 5/8/2008

 

Last Reviewed: 11/26/2012

 

 

Last modified at 12/4/2012 1:47 PM  by Ramsdell, Nancy