Policy Portal

Administrative Policy: Operational

Password Policy

Policy Number: 3349-OP-362
Effective Date: 11/01/2021
Updated:
Reviewed:
Responsible Department: Information Technology
Approval Authority: Vice President, Operations & Finance

A. Purpose

To establish minimum standards for the creation and management of University passwords to help safeguard the confidentiality, availability, and integrity of University Data and Systems.

B. Scope

Applies to any NEOMED account associated with an individual or University System.

C. Definitions

  1. “Authorization” refers to the granting of permission to an identified individual to use University Data or System(s) and to explicitly accept the Risk to University operations, individuals, and assets based on extending such permission. Acceptance of Authorization to use University Data and Systems establishes an obligation on the part of the individual to use those resources responsibly.
  2. “Public University Data” refers to University Data that is intended and accessible for public use and is not restricted by federal, state, local, or international regulations regarding disclosure or use.
  3. “Restricted University Data” refers to University Data that requires the highest level of protection due to legal, regulatory, administrative, contractual, rule, industry standards, or policy requirements.
  4. “Security Incident” refers to an adverse event that results in a suspected or known unauthorized disclosure, misuse, alteration, destruction, or other compromise of University Data or Systems.
  5. “Service Provider” refers to any person or entity that receives, maintains, processes, or otherwise is permitted access to University Data and/or Systems through its provision of services directly to NEOMED.
  6. “System” refers to an information technology resource that can be classified, may have security controls applied, and is organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of University Data. Examples of Systems include, but are not limited to: desktop, laptop, or server computers; mobile devices (e.g., iPhones, iPads, Android, BlackBerry) to the extent that they interact with University Data and Systems, such as University email; University network(s); software; applications; and databases.
  7. “University Data” refers to Data that is created, collected, stored, and/or managed in association with fulfilling the University’s mission or its required business functions. University Data may or may not constitute a Public Record (as defined within Ohio Revised Code §149.43).
  8. “User” refers to any individual or Service Provider that has received Authorization, if applicable, to access, use, transmit, dispose of, or receive University Data and/or Systems.

D. Policy Statement

  1. Assigning unique user logins and requiring password protection is one of several primary safeguards employed to restrict access to University Data, Systems and the NEOMED network to only authorized Users.
  2. Passwords are classified as Restricted University Data, in accordance with the University’s Classification of University Data and Systems Policy and must be protected as such. If a password is compromised, access to University Systems can be obtained by an unauthorized individual, either inadvertently or maliciously.
  3. Individuals with NEOMED accounts are responsible for safeguarding against unauthorized access to their account, and as such, must conform to this policy to ensure passwords are kept confidential, designed to be complex, and are difficult to compromise. The parameters in this policy are designed to comply with legal and regulatory standards, including but not limited to the Gramm-Leach-Bliley Act and the Payment Card Industry Data Security Standard.
  4. Individual Responsibilities
    1. Individuals are responsible for keeping NEOMED passwords secure and private. As such, the following principles must be adhered to for creating and safeguarding passwords:
      1. NEOMED passwords must be changed immediately upon issuance for their first use. Initial passwords must be securely transmitted to the individual.
      2. NEOMED passwords must never be shared with another individual for any reason or in any manner inconsistent with this policy. A shared or compromised NEOMED account password is a reportable Security Incident.
      3. Students and employees must never ask anyone else for their password and are required to report to the Information Technology (IT) department if asked to provide their password to an individual, or to sign into a System and provide access to someone else under their login.
      4. NEOMED passwords must never be written down and left in a location easily accessible or visible to others. This includes both paper and digital formats on non-NEOMED devices. Passwords may be stored in a secure password manager if the master password is kept private and meets the requirements of Section (D)(6) of this policy.
      5. Individuals must never leave themselves logged into an application or system where someone else can unknowingly use their account.
        1. IT will never ask for a password. In IT support scenarios where an IT account cannot be used, an individual may allow a technician to utilize their computer under the individual’s account even if the individual is unable to be present during the entire support session. The individual should not share their password with the technician. All IT support technicians are expected to abide by University Information Technology policies, and their actions may be audited upon request.
        2. In the event of a hardware malfunction where the device needs to be repaired by a third party, the device hard drive should be backed up to a secure storage device and wiped securely prior to being handed over to an external technician. IT can assist with the secure backup, the drive erasure, and other exceptional circumstances. Passwords must not be shared with an external technician.
      6. If a password needs to be issued to a remote user or Service Provider, the password must be sent with proper safeguards (e.g., sent separately via encrypted email).
      7. If a password needs to be shared for servicing, IT should be contacted for Authorization and appropriate instruction.
      8. Passwords for NEOMED accounts must be unique and different from passwords used for other personal services (e.g., social media, banking, credit card).
      9. NEOMED passwords must meet the requirements outlined in this policy.
      10. NEOMED passwords must be changed at the regularly scheduled time interval (as defined in Section (D)(7)) or upon suspicion or confirmation of an account compromise.
      11. Individuals with access to service accounts or test accounts must ensure the account password complies with this policy and must keep the password stored in a secure manner.
      12. In the event a breach or compromise is suspected, the Security Incident must be reported to IT immediately.
  5. Responsibilities of Systems Processing Passwords
    1. All University Systems must be designed to accept passwords and transmit them with proper safeguards.
      1. Passwords must never be stored in clear, readable format. Stored passwords must be protected so that the original value cannot be read back: a one-way (irreversible) hash as described in items 3 and 4 below, or encryption only where a System genuinely requires a recoverable secret.
      2. Systems storing or providing access to non-Public University Data or remote access to the internal network must be secured with multifactor authentication.
      3. Password hashes (irreversible encoded values) must never be accessible to unauthorized individuals.
      4. Where possible, salted hashes (irreversible encoded values with per-password added randomness), computed with a deliberately slow password-hashing function (e.g., bcrypt, scrypt, Argon2, or PBKDF2), should be used for password storage.
      5. Where any of the above items are not supported, a variance request should be submitted to IT for review. Appropriate Authorizations and access control methods must be implemented to ensure only a limited number of authorized individuals have access to readable passwords and only when necessary.
  6. Password Requirements
    1. The following parameters indicate the minimum requirements for passwords for all individual accounts (except for device passcodes/PINs addressed in Section (D)(9)) where passwords are:
      1. At least fourteen (14) characters; and
      2. Not based on anything somebody else could easily guess or obtain using person-related information (e.g., names, NEOMED username, telephone numbers, dates of birth, etc.).
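The following is an added worked example (not NEOMED code and not a description of any NEOMED System) showing how a System can meet Sections (D)(5) and (D)(6) together: a candidate password is checked for the fourteen-character minimum and for embedded person-related information, and only a salted, deliberately slow hash is stored. It uses the Python standard library only; the scrypt cost parameters, the storage-string layout, and the "four characters or longer" rule for personal-information fragments are this example's own assumptions, not values taken from the policy.

```python
"""Password policy checks plus salted, slow hashing (added example; not NEOMED
code). Standard library only. scrypt parameters, storage format and the
personal-information matching rule are this example's own assumptions."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 14     # Section (D)(6)(1)(1)
SALT_BYTES = 16     # fresh random salt per password, Section (D)(5)(1)(4)
# Assumed scrypt cost (about 16 MiB of memory, deliberately slow); tune per host.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
DKLEN = 32


def _normalise(text):
    """Lower-case and strip separators so 'J.Doe' or '1990-04-12' still match."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_policy(password, personal_info):
    """Return the Section (D)(6) violations for a candidate password.
    personal_info maps a label ('username', 'date of birth', ...) to its value;
    an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm_pw = _normalise(password)
    for label, value in personal_info.items():
        token = _normalise(value)
        # Assumption: fragments under 4 characters are too short to be meaningful.
        if len(token) >= 4 and token in norm_pw:
            problems.append(f"contains {label}")
    return problems


def _scrypt(password, salt, n, r, p):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=SCRYPT_MAXMEM, dklen=DKLEN)


def hash_password(password):
    """Return a self-describing storage string 'scrypt$N$r$p$salt$hash' (hex).
    Only this string is stored; the password itself is never written anywhere."""
    salt = os.urandom(SALT_BYTES)
    digest = _scrypt(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = _scrypt(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def enrol(password, personal_info):
    """Reject policy violations before hashing; return the storage string."""
    problems = check_policy(password, personal_info)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    info = {"username": "jdoe", "date of birth": "1990-04-12"}
    print(check_policy("jdoe-Password-2021!", info))   # flags the username
    record = enrol("correct horse battery staple", info)
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Two points worth noting: the same password hashed twice yields two different storage strings because the salt is fresh each time, which is what defeats precomputed tables; and the parameters are embedded in the stored value so they can be raised later without invalidating existing records (re-hash on next successful login).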
  7. Password Expiration
    1. Most Users are no longer required to change their passwords at fixed intervals. Some account types, such as Privileged Users, must still adhere to regular password changes as defined below. However, in all cases, IT reserves the right to reset a User’s password in the event a compromise is suspected, reported, or confirmed. This helps prevent an attacker from making use of a password that may have been discovered or otherwise disclosed.
    2. Standard Users
      1. Standard Users consist of NEOMED faculty, staff, student employees, consultants, and students who are neither system administrators nor processing credit card payments.
        1. Passwords must be changed upon suspicion or confirmation of compromise.
        2. New passwords must comply with the criteria in Section (D)(6).
    3. Privileged Users
      1. Privileged Users consist of Users with elevated access to administer Systems and applications (other than to a local device), most often in the IT Department. Such users have administrator access via a shared account or to multiple systems at NEOMED and these accounts are at a higher risk for compromise.
        1. Privileged domain accounts must be stored in a Privileged Identity Management (PIM) system and passwords rotated upon each use. Privileged accounts that cannot be stored in the PIM system must have their passwords changed every ninety (90) days.
        2. Passwords must not be reused for at least six (6) generations.
        3. Passwords must not be changed more than one (1) time per day.
        4. New passwords must comply with the criteria in Section (D)(6).
    4. Payment Card Industry (PCI) Users
      1. Users responsible for processing payments on behalf of NEOMED’s financial services must adhere to the PCI Data Security Standard for password expiration.
        1. Passwords must be changed every ninety (90) days.
        2. Passwords must not be reused for at least four (4) generations.
        3. Passwords must not be changed more than one (1) time per day.
        4. New passwords must comply with the criteria in Section (D)(6).
    5. Service Accounts and Test Accounts
      1. Service accounts are accounts used by a system, task, process, or integration for a specific purpose. Test accounts are accounts used on a temporary basis to imitate a role, person, or training session. Passwords for service accounts and test accounts must be securely generated in accordance with this policy, distributed securely to the account owner, and stored securely in a password manager.
        1. Passwords must be changed upon suspicion or confirmation of compromise.
        2. Passwords must be changed when an account owner leaves the institution or transfers into a new role.
        3. Passwords must comply with the criteria in Section (D)(6).
  8. Account Lockout
    1. To limit attempts at guessing passwords or compromising accounts, an account lockout policy is in effect for all Systems. Account lockout thresholds and durations vary based on the type of User, as defined below.
    2. Standard Users. Standard user accounts have the following lockout policy:
      1. Accounts will lock out after ten (10) invalid password attempts in fifteen (15) minutes.
      2. Accounts will remain locked for a duration of thirty (30) minutes, unless the NEOMED Help Desk is contacted, and the user’s identity is verified for the account to be unlocked sooner.
    3. Privileged Users. Privileged user accounts have the following lockout policy:
      1. Accounts will lock out after six (6) invalid password attempts in fifteen (15) minutes.
      2. Accounts will remain locked for a duration of sixty (60) minutes, unless the NEOMED Help Desk is contacted, and the user’s identity is verified for the account to be unlocked sooner.
    4. PCI Users. PCI Users have the following lockout policy:
      1. Accounts will lock out after six (6) invalid password attempts in fifteen (15) minutes.
      2. Accounts will remain locked for a duration of sixty (60) minutes, unless the NEOMED Help Desk is contacted, and the user’s identity is verified for the account to be unlocked sooner.
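The lockout rules above, as an added worked example (not NEOMED code and not a description of any NEOMED System): a sliding-window counter per account with the thresholds and durations stated in Section (D)(8), a Help Desk early unlock, and a replay over a few constructed authentication log lines. Timestamps are passed in rather than read from the clock so the behaviour is deterministic. The log format, function names and the decision that attempts made while an account is locked are refused without extending the lock are this example's own assumptions.

```python
"""Sliding-window account lockout for Section (D)(8) (added example; not NEOMED
code). Thresholds and durations come from the policy; the log format, names
and the handling of attempts during a lock are this example's own assumptions."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class LockoutRule:
    threshold: int  # invalid attempts that trigger a lock
    window_s: int   # attempts are counted within this sliding window (seconds)
    lock_s: int     # lock duration (seconds)


# Section (D)(8): standard 10 in 15 min -> 30 min; privileged and PCI 6 in 15 min -> 60 min.
RULES = {
    "standard": LockoutRule(10, 15 * 60, 30 * 60),
    "privileged": LockoutRule(6, 15 * 60, 60 * 60),
    "pci": LockoutRule(6, 15 * 60, 60 * 60),
}


@dataclass
class _State:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0


class LockoutTracker:
    """Per-account failed-login tracking; 'now' is epoch seconds supplied by the caller."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self._states = {}

    def _state(self, user):
        return self._states.setdefault(user, _State())

    def is_locked(self, user, now):
        return now < self._state(user).locked_until

    def record_failure(self, user, kind, now):
        """Register an invalid password attempt. Returns True if the account is
        locked (already, or as a result of this attempt), False if merely counted."""
        rule = self.rules[kind]
        st = self._state(user)
        if self.is_locked(user, now):
            return True  # assumption: attempts during a lock are refused, not counted
        st.failures.append(now)
        while st.failures and st.failures[0] < now - rule.window_s:
            st.failures.popleft()  # drop attempts that fell out of the window
        if len(st.failures) >= rule.threshold:
            st.locked_until = now + rule.lock_s
            st.failures.clear()
            return True
        return False

    def record_success(self, user, now):
        """A correct password is still refused while the lock is in force."""
        st = self._state(user)
        if self.is_locked(user, now):
            return False
        st.failures.clear()
        return True

    def help_desk_unlock(self, user):
        """Early unlock after the Help Desk has verified the user's identity."""
        self._states[user] = _State()


def replay(log_lines):
    """Run constructed auth log lines ('<iso-timestamp> <user> <kind> <OK|FAIL>')
    through a tracker; return (user, timestamp) for every lock that is triggered."""
    tracker = LockoutTracker()
    locks = []
    for line in log_lines:
        ts, user, kind, result = line.split()
        now = datetime.fromisoformat(ts).timestamp()
        if result == "FAIL":
            if not tracker.is_locked(user, now) and tracker.record_failure(user, kind, now):
                locks.append((user, ts))
        else:
            tracker.record_success(user, now)
    return locks


# Constructed sample log (not real NEOMED data): one standard user with a typo,
# one privileged account hit seven times in two minutes.
SAMPLE_LOG = [
    "2021-11-01T08:00:00 jdoe standard FAIL",
    "2021-11-01T08:00:05 jdoe standard OK",
    "2021-11-01T08:01:00 svc-admin privileged FAIL",
    "2021-11-01T08:01:20 svc-admin privileged FAIL",
    "2021-11-01T08:01:40 svc-admin privileged FAIL",
    "2021-11-01T08:02:00 svc-admin privileged FAIL",
    "2021-11-01T08:02:20 svc-admin privileged FAIL",
    "2021-11-01T08:02:30 svc-admin privileged FAIL",
    "2021-11-01T08:03:00 svc-admin privileged FAIL",
]

if __name__ == "__main__":
    for user, ts in replay(SAMPLE_LOG):
        print(f"{ts} LOCKED {user}")
```

The window is a true sliding window, so nine failures, a sixteen-minute pause, and nine more never lock a standard account, while the sixth privileged failure in the sample log locks that account for an hour. The check that a correct password is refused during the lock matters: without it an attacker who has the password can simply keep trying and the lock never bites.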
  9. Mobile Devices
    1. Personal devices accessing or storing University Data, such as smartphones and home computers, must have appropriate safeguards in place, including password protection.
    2. If it is determined that a mobile device does not have a device password/PIN implemented, access to University Data and Systems may be restricted until a password/PIN is implemented.
  10. Enforcement
    1. The University reserves the right to perform random password tests and other assessments to ensure the availability, confidentiality, and integrity of University Data and Systems.
    2. Information Technology personnel have the right to change a User’s password and/or lock their account(s) based upon identified risks to University Data and Systems, including Security Incidents.
    3. Any User found to have violated this Policy will be required to immediately change their password(s) and may be subject to disciplinary action, up to and including termination of employment or dismissal from the University.

CONTACT

Lisa Noland
Administrative Specialist
Phone: 330.325.6354
Email: lnoland@neomed.edu

Office of General Counsel

Northeast Ohio Medical University