A growing number of information security threats result from unauthorized access to data stored on computers. Frequently, access to such data is controlled through the use of password authentication. The failure to protect data through the use of strong passwords can result in incidents that expose Sensitive Information and/or impact critical University services. Adherence to this policy is essential to ensure the security of information at the University, including Mission-Critical devices and devices storing or processing Sensitive Information.
Under the direction of the President, the Chief Information Officer and the Director of Information Security shall implement and ensure compliance with this policy. The Vice Presidents, Deans, and other members of management will implement this policy in their respective areas.
This policy applies to any faculty member, staff member, student, temporary employee, contractor, outside vendor, or visitor to campus ("User") who has access to University-owned or managed information or the Rowan network through computing devices owned or managed through Rowan or through permission granted by Rowan University.
"Information Security Incident": Includes any incident that is known or has the potential to negatively impact the confidentiality, integrity, or availability of Rowan University information. This can range from the loss of a laptop or PDA to the virus infection of an end-user work station to a major intrusion by a hacker.
"Mission-Critical Resource": Includes any resource that is critical to the mission of the University, any device that is running a mission-critical service for the University, and any device that is considered mission critical because users or other processes depend on it. Mission-critical services must remain available; a typical mission-critical service has a maximum tolerable downtime of three consecutive hours or less. Mission-critical resources for Information Security purposes include information assets, software, hardware, and facilities. The payroll system, for example, is a Mission-Critical Resource.
"Password Circulation": An attempt to bypass the password-history requirement, which prohibits reusing the same password within a specified period, by changing the password repeatedly within a brief period so that the old password can be reused earlier than the policy intends.
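The following simulation is an added illustration and is not part of the policy or of any Rowan system. It models a password-history check, runs the circulation sequence defined above against it, and then repeats the run with a minimum-password-age rule, which is the usual technical control that closes this bypass. The history depth of five, the 24-hour minimum age, the one-minute spacing between changes, the sample passwords and the reduced PBKDF2 iteration count are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

HISTORY_DEPTH = 5              # previous passwords that may not be reused (assumed)
MIN_AGE_SECONDS = 24 * 3600    # minimum time between changes (assumed typical value)
PBKDF2_ROUNDS = 10_000         # kept low so the demo runs fast; use far more in production


def _pw_hash(password: str, salt: bytes) -> bytes:
    # A password history must store salted hashes, never the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    history: list = field(default_factory=list)   # (salt, hash) pairs, newest last
    last_change: float = float("-inf")            # epoch seconds of the last accepted change


def in_history(acct: Account, password: str) -> bool:
    # Constant-time comparison against every retained hash.
    return any(hmac.compare_digest(_pw_hash(password, salt), h) for salt, h in acct.history)


def change_password(acct: Account, new_pw: str, now: float, enforce_min_age: bool) -> bool:
    """Apply the history rule and, optionally, the minimum-age rule.
    Returns True if the change is accepted, False if it is rejected."""
    if enforce_min_age and now - acct.last_change < MIN_AGE_SECONDS:
        return False                      # changed too recently
    if in_history(acct, new_pw):
        return False                      # matches one of the last HISTORY_DEPTH passwords
    salt = os.urandom(16)
    acct.history.append((salt, _pw_hash(new_pw, salt)))
    del acct.history[:-HISTORY_DEPTH]     # retain only the newest HISTORY_DEPTH entries
    acct.last_change = now
    return True


def circulate(acct: Account, old_pw: str, start: float, enforce_min_age: bool) -> bool:
    """The circulation attempt: after a forced change, cycle through throwaway
    passwords one minute apart until old_pw has aged out of the history, then
    set old_pw again. Returns True if old_pw was re-accepted."""
    t = start
    for i in range(HISTORY_DEPTH):
        t += 60
        change_password(acct, f"Throwaway-{i}!", t, enforce_min_age)
    t += 60
    return change_password(acct, old_pw, t, enforce_min_age)


def scenario(enforce_min_age: bool) -> bool:
    """Set an initial password, perform an expiry-driven change 40 days later,
    then attempt circulation back to the initial password. Sample data is constructed."""
    acct = Account()
    t0 = 1_700_000_000.0
    change_password(acct, "Correct-Horse-1", t0, enforce_min_age)
    forced = t0 + 40 * 86400
    change_password(acct, "Forced-New-2", forced, enforce_min_age)
    return circulate(acct, "Correct-Horse-1", forced, enforce_min_age)


if __name__ == "__main__":
    print("history only, old password reused:", scenario(enforce_min_age=False))   # True
    print("history + minimum age, old password reused:", scenario(enforce_min_age=True))  # False
```

With the history rule alone, five rapid throwaway changes push the original password out of the retained list and the sixth change reinstates it. With a minimum age in force, every change inside the 24-hour window is refused, so the history is never flushed and the reuse is blocked.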
"Password Policy Enforcement": Password rules must be enforced according to the standards defined in the University's Password Policy for General Users.
"Sensitive Information": Sensitive Information includes all data, in its original and duplicate form, which contains:
"Protected Health Information" as defined by HIPAA
Student "education records," as defined by the Family Educational Rights and Privacy Act (FERPA)
"Customer record information," as defined by the Gramm Leach Bliley Act (GLBA)
"Card holder data," as defined by the Payment Card Industry (PCI) Data Security Standard
Sensitive Information also includes any other information that is protected by University policy or by federal or state law from unauthorized access. This information must be restricted to those with a legitimate business need for access. Examples of Sensitive Information may include, but are not limited to, social security numbers, system access passwords, some types of research data (such as research data that is personally identifiable or proprietary), public safety information, information concerning select agents, information security records, and information file encryption keys.
All passwords are to be treated as confidential Sensitive Information. This policy must be followed to the greatest extent that is technically feasible.
Violation of this policy may subject the violator to disciplinary actions, up to or including termination of employment or dismissal from a school, and may subject the violator to penalties stipulated in applicable state and federal statutes.
By Direction of the CIO:
SVP and Chief Information Officer