IS.103 Password Standard

OPERATIONAL POLICY

NUMBER: IS.103

TITLE: Password Standard

DATE: October 8, 2024

REVISION: 

DEPARTMENT: Information Security

Authorized: Rafael Espinosa, Chief Information Officer

Purpose

Assigning unique individual logins and requiring password protection is one of several primary safeguards employed to restrict access to Santa Clara University networks, systems, applications, and data. If a password is compromised, inappropriate access might be obtained by an unauthorized individual. Individuals with SCU accounts are responsible for safeguarding against unauthorized access to their account and, as such, must conform to this policy to ensure passwords are kept confidential and are complex and difficult to guess. The parameters in this policy are designed to comply with relevant legal and regulatory standards, including but not limited to GLBA and PCI-DSS.

Scope

Applies to all students, faculty, staff, contractors, consultants, temporary employees, guests, volunteers and all other entities or individuals with access to Santa Clara University network, cloud, or data resources.

Policy

  1. Password Requirements

The following parameters indicate the minimum requirements for passwords for all accounts (except for those defined in Privileged & Service Accounts below):

  1. At least sixteen (16) characters;
  2. Unique and different from passwords used for other services (e.g., personal banking or email);
  3. Changed upon suspicion or confirmation of compromise;
  4. Not based on anything somebody else could easily guess or obtain using person-related information (e.g., names, telephone numbers, dates of birth or graduation, etc.);
  5. Cannot be shared with others;
  6. Not reasonably vulnerable to a dictionary or brute-force attack; and,
  7. Not reused.

  2. Privileged & Service Accounts

    Privileged accounts are those accounts assigned to individuals with elevated access to administer systems, applications, and network devices. These accounts are more valuable targets for threat actors and consequently have a higher risk for compromise.

    Service accounts are accounts used for automating processes or integrating multiple applications or data sources. They are not generally used for interactive login, but rather run in the background. Compromise of these accounts can go undetected and they are therefore valuable targets.

    The following parameters indicate the minimum requirements for passwords for Privileged and Service accounts:

  1. At least twenty (20) characters;
  2. Rotated at least annually, unless additionally protected by multi-factor authentication;
  3. May only be shared for business continuity purposes, and if shared, must be changed during staffing transitions;
  4. All passwords must otherwise adhere to the criteria above.

Enforcement

Information Services reserves the right to reset account passwords of any account suspected or determined to have a compromised password.

Related

Internal policies to SCU that should be considered to ensure behavior is consistent. Optional.


Questions or comments to is-policy@scu.edu

Effective Date: October 8, 2024

Last Reviewed: October 8, 2024

Next Scheduled Review: October 8, 2025

IS.003 Password Standard, 2024.10.08