PURPOSE:
All user accounts will be protected by passwords that are both strong and confidential. Users will protect the security of those passwords by managing passwords according to SPC-IS password procedures.
System and Application Administrators will ensure account passwords are secured using industry best practices.
SCOPE:
The SPC User Accounts Password policy applies equally to all individuals granted access privileges to any South Plains College information technology resources.
POLICY:
Users are responsible for what is accessed, downloaded, or created under their credentials regardless of intent. An unauthorized person can cause loss of information confidentiality, integrity and availability that may result in liability, loss of trust, or embarrassment to SPC.
Default Password:
User credentials are initiated with a default password. The default password follows this format: the first letter of the user’s first name capitalized, the first four letters of the user’s last name in lowercase, a dollar sign, the last four digits of the user’s Social Security number, and an exclamation point. (If the student does not have a Social Security number, then the student’s six (6) digit birthday (mmddyy) will be used in place of the Social Security number.)
Example: (John Smith, SSN - 123-45-6789)
Jsmit$6789!
Example, No SSN: (John Smith, Birthday July 6, 1999)
Jsmit$070699!
The user will be required to change the password at first logon.
If a user forgets their password and requests a reset, the password will always be reset to the default.
Account holder’s responsibilities:
Minimum password requirements are defined in Microsoft Active Directory and cannot be overridden.
- 1. Password must have a minimum length of six (8) alphanumeric characters.
- 2. Password must contain a mix of upper case, lower case, numeric characters and special characters (!@#%^&*+=?/~’;:,<>|\).
- 3. Users must create a strong password and protect it.
- 4. Passwords must not be easy to guess; for instance, they should not include part of your SPC ID number, your birth date, your nickname, etc.
- 5. Passwords must not be easily accessible to others (e.g. posted on monitors, under keyboards).
- 6. Computing devices must not be left unattended without locking or logging off of the device.
- 7. Stored passwords must be encrypted.
- 8. SPC username and password should not be used for external services (e.g. LinkedIn, Facebook or Twitter).
- 9. Users should never share their password with anyone, including family, supervisors, co-workers and SPC-IS personnel.
- 10. Users should change passwords on a regular basis.
- 11. If you know or suspect that your account has been compromised, change your password immediately and contact SPC-IS Help Desk for further guidance and assistance.
- 12. If SPC-IS suspects your account has been compromised, your account will be deactivated and you will be contacted immediately.
Any individuals responsible for managing passwords must:
- 1. Prevent or take steps to reduce the exposure of any clear text, unencrypted account passwords that SPC applications, systems, or other services have received for purposes of authentication.
- 2. Never request that passwords be transmitted unencrypted. It is particularly important that passwords never be sent via email.
- 3. Never circumvent this password policy for the sake of ease of use.
- 4. Coordinate with SPC-IS regarding password procedures.
Detailed information and instructions for password management can be found on the SPC website in the New Employee Technology Orientation training booklet. http://[LINK TO NEW EMPLOYEE TECHNOLOGY TRAINING BOOK]
DEFINITIONS:
Compromised Account: The unauthorized use of a computer account by someone other than the account owner.
Encrypted: The conversion of data into a form, called ciphertext, that cannot be easily understood by unauthorized people. Encryption is achieved using Windows native BitLocker or other available software.
Password: A string of characters input by a system user to substantiate their identity, authority, and access rights to the computer system that they wish to use.
System Administrator: Individual(s) who are responsible for running/operating systems on a day-to-day basis.
Unauthorized person: A person who has not been given official permission or approval to access SPC systems.
Related Policies, References and Attachments:
An index of approved SPC-IS policies can be found on the SPC Policies website at https://www.southplainscollege.edu/human_resources/policy_procedure. The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.
Approved by: Executive Council, 9/17/2018
Next Review: October 1, 2020