...

  1. All passwords are to be treated as confidential sensitive information. 

    1. Users are required to use only account credentials for which they have been authorized. Attempts to log into an account other than those for which a user has been authorized are a violation of this policy.
    2. Use of default or general user accounts to run system services is prohibited.
    3. Any attempt to "crack" (decrypt) encrypted or hashed passwords is strictly prohibited.
  2. Passwords must not be shared with others except in emergency situations. In emergency situations, a password may be shared with a supervisor but must be changed immediately once there is no longer an emergency need. Examples of unauthorized sharing include sharing passwords with administrative assistants, coworkers or spouses.
    1. A password must never be inserted into plain text emails, stored unencrypted in computer files, or written down.
    2. When changing a password, the new one must not have been used within the last 12 months. It is a violation of this policy to circulate quickly through passwords to bypass this provision.
    3. A password and user ID must share fewer than six (or, if shorter, the length of the user ID) consecutive common characters.
    4. A password must not be based on personal information, such as Social Security number, name or date of birth.
    5. A password should avoid words found in any English or foreign language dictionary.
    6. All users are responsible for maintaining the security of their passwords. In the event that an account is believed to have been compromised, the person detecting the incident should report the incident immediately to the Technology Support Center at support@rowan.edu. An account is deemed compromised if it is known or reasonably suspected that the account is being used by an unauthorized party. A compromise will affect the functionality of any account, and the account will not be restored until the risk associated with any such compromise has been mitigated.
    7. Vendor-supplied default and/or blank passwords shall be immediately identified and reset upon installation of the affected application, device, or operating system.
  3. To ensure that passwords are of adequate strength, passwords for users, systems, applications, and devices must meet the following Information Security requirements:
    1. Password Requirements 
      1. A password must contain at least one letter and at least one numerical digit.
      2. A password must contain at least one of these characters: !@#$%&*+={}?<>"'
      3. A password must not: start with a hyphen, end with a backslash (\), or contain a double-quote (") anywhere except as the last character.
    2. Password Expiration: Every 180 days
    3. Minimum Length: 8 characters
    4. Lock-Out Period: 30 minutes, following a maximum of 10 failed attempts to log in.
    5. Renewed Log In Required: After 30 minutes of inactivity

VI.  NON-COMPLIANCE AND SANCTIONS

...