POLICY TITLE: | HMC Password Policy |
POLICY STATUS: | Effective November 16, 2011 |
POLICY ADDRESS: | |
POLICY PURPOSE: | The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of password changes. |
APPLIES TO: | All users, including contractors and vendors with access to Harvey Mudd College systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. The CIO/Vice President for Computing and Information Services is responsible for ensuring policy compliance on systems that are owned or managed by CIS. Vice Presidents and Department Chairs are responsible for ensuring policy compliance within their respective areas. |
POLICY STATEMENT: | Passwords are an essential aspect of computer security, providing important front-line protection for electronic resources by preventing unauthorized access to network resources and local devices.
A poorly chosen password may result in the compromise of College systems, data, or the network. Therefore, all who hold accounts on HMC systems are responsible for taking appropriate steps, as outlined in Appendix A, to select strong passwords and protect them. College faculty, staff or students making use of third party systems to conduct College business on a regular basis, such as Jenzabar CX (managed by Pomona College), DirectorsDesk, Facebook, Formstack, Slate, Gmail, Office365 etc, are advised to select strong passwords for those systems. For HMC systems, the following apply:
|
COMPUTING AND INFORMATION SERVICES RESPONSIBILITY: |
|
EXCLUSIONS OR SPECIAL CIRCUMSTANCES: | Systems or services that, for technical reasons, cannot meet the minimum complexity standards must be documented and secured as much as possible. Serious consideration should be given to whether they need to be connected to the network at all. Whenever possible they should be isolated behind firewalls and network access controls. |
CONTACTS: | Responsible Office: Vice President for Computing and Information Services Contact: Computing and Information Services helpdesk@hmc.edu |
APPROVED BY: | HMC President’s Cabinet |
APPROVED ON: | November 16, 2011 |
EFFECTIVE ON: | November 16, 2011 |
REVIEW CYCLE: | Annual |
| |
BACKGROUND: | The format and much of the content of this policy are based on documents available in the University of Kansas Policy Library as well as the SANS Institute password policy. |
RELATED DOCUMENTS: | Policies: Claremont Appropriate Use Policy http://goo.gl/xYS7e Other: CIS report on Password Manager tools http://goo.gl/Oew5k |
REVIEW/CHANGE HISTORY: | 07/17/2014: Joseph Vaughan; created Appendix A for password requirements and guidelines 7/17/2014: Joseph Vaughan; made stylistic updates to all sections; separated out CIS responsibilities and placed specific password guidelines in a separate appendix. The President’s Cabinet approved this version on 7/23/2014. 12/10/2012: Joseph Vaughan; updated to change “punctuation characters” to “special characters” 8/10/2012: Joseph Vaughan; Updated to include links to Appropriate Use Policy and Report on Password Managers. <mm/dd/yyyy: Approved by; Short description of action> |
The following are minimum requirements for strong passwords, and should be regarded as a guide to choosing strong passwords and avoiding weak ones.