ROWAN UNIVERSITY POLICY

Title: General User Password Policy

Subject: Information Security
Policy No: ISO:2013:10
Applies: University-wide
Issuing Authority: Information Security Office - Chief Information Security Officer
Responsible Officer: Vice President for Information Resources and Chief Information Officer

Date Adopted: 07-01-2013

Last Revision: 06-01-2014

Last Review: 09-01-2014

I.    PURPOSE

A growing number of information security threats result from unauthorized access to data stored on computers. Frequently, access to such data is controlled through the use of password authentication.  The failure to protect data through the use of strong passwords can result in incidents that expose Sensitive Information and/or impact critical University services. Adherence to this policy is essential to ensure the security of information at the University, including Mission-Critical devices and devices storing or processing Sensitive Information.

II.    ACCOUNTABILITY


Under the direction of the President, the Chief Information Officer and the Chief Information Security Officer shall implement and ensure compliance with this policy. The Vice Presidents, Deans, and other members of management will implement this policy in their respective areas.

III.   APPLICABILITY


This policy applies to any faculty member, staff member, student, temporary employee, contractor, outside vendor, or visitor to campus ("User") who has access to University-owned or managed information or the Rowan network through computing devices owned or managed through Rowan or through permission granted by Rowan University.

IV.  DEFINITIONS

A.  "Information Security Incident": Any event that is known to, or has the potential to, negatively impact the confidentiality, integrity, or availability of Rowan University information. This ranges from the loss of a laptop or PDA, to a virus infection of an end-user workstation, to a major intrusion by an attacker.

B.  "Mission-Critical Resource": Any resource that is critical to the mission of the University, including any device that runs a mission-critical service for the University or that is considered mission-critical because of the dependency of users or other processes on it. Mission-critical services must remain available; typical mission-critical services have a maximum tolerable downtime of three consecutive hours or less. For Information Security purposes, mission-critical resources include information assets, software, hardware, and facilities. The payroll system, for example, is a Mission-Critical Resource.

C.  "Password Circulation": An attempt to bypass the basic password requirement that prohibits reusing the same password within a specified period of time by changing the password repeatedly within a brief period of time in order to be able to reuse the password earlier than intended by the policy.

D.  "Password Policy Enforcement": Password rules must be enforced according to the standards defined in the University's Password Policy for General Users.

E.  "Sensitive Information": Sensitive Information includes all data, in its original and duplicate form, which contains:

Sensitive data also includes any other information that is protected by University policy or federal or state law from unauthorized access. This information must be restricted to those with a legitimate business need for access. Examples of sensitive information may include, but are not limited to, social security numbers, system access passwords, some types of research data (such as research data that is personally identifiable or proprietary), public safety information, information concerning select agents, information security records, and information file encryption keys.

V.  POLICY

A.  All passwords are to be treated as confidential Sensitive Information. This policy must be followed to the greatest extent that is technically feasible.


B.  Where technically feasible, passwords must not be shared with others except in emergency situations. In emergency situations, a password may be shared with a supervisor but must be changed immediately once there is no longer an emergency need. Examples of unauthorized sharing include sharing passwords with administrative assistants, coworkers or spouses.

C.  To ensure that passwords are of adequate strength, passwords for Users, systems, applications, and devices must meet the following Information Security requirements to the degree technically feasible:

    1. Password Requirements
       1. Password Expiration - every 90 days
       2. Minimum Length - 8 characters
       3. Lock-Out Period - 30 minutes, after a maximum of 10 failed login attempts
       4. Renewed Log In Required - after 30 minutes of inactivity
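The following Python module is an added illustration of how the four parameters above behave when enforced together; it is not part of the policy and not Rowan University's code. The account record, the clock, and the sequence of login events are constructed for the example, and it assumes (as the policy does not state) that the failed-attempt counter counts consecutive failures and resets on a successful login and when a lock expires.

```python
"""Enforcement of the four section V.C.1 password parameters (added illustration).

Not Rowan University's code. The account, timestamps and login events below are
constructed for the example; a real deployment sets the same values in the
directory service or PAM configuration rather than in Python constants.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Parameters copied from section V.C.1 of the policy.
MAX_PASSWORD_AGE = timedelta(days=90)
MIN_PASSWORD_LENGTH = 8
LOCKOUT_THRESHOLD = 10                      # failed logins before the lock
LOCKOUT_DURATION = timedelta(minutes=30)
SESSION_IDLE_TIMEOUT = timedelta(minutes=30)


@dataclass
class Account:
    username: str
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None


def meets_length_requirement(password: str) -> bool:
    return len(password) >= MIN_PASSWORD_LENGTH


def password_expired(acct: Account, now: datetime) -> bool:
    return now - acct.password_set_at >= MAX_PASSWORD_AGE


def is_locked(acct: Account, now: datetime) -> bool:
    return acct.locked_until is not None and now < acct.locked_until


def record_login_attempt(acct: Account, credential_valid: bool, now: datetime) -> str:
    """Apply the lockout and expiration rules to one login attempt.

    Returns 'locked', 'failed', 'expired' or 'ok'. While the account is locked
    even a correct password is refused and the counter is left untouched, so the
    lock window cannot be used to confirm a guess or to extend the lock forever.
    """
    if is_locked(acct, now):
        return "locked"
    if acct.locked_until is not None:        # an earlier lock has expired
        acct.locked_until = None
        acct.failed_attempts = 0
    if not credential_valid:
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "failed"
    if password_expired(acct, now):
        return "expired"                     # correct, but must be rotated first
    acct.failed_attempts = 0
    acct.last_activity = now
    return "ok"


def touch_session(acct: Account, now: datetime) -> bool:
    """Refresh the session if it is still live; False means a new login is required."""
    if acct.last_activity is None or now - acct.last_activity >= SESSION_IDLE_TIMEOUT:
        acct.last_activity = None
        return False
    acct.last_activity = now
    return True


def run_scenario() -> dict:
    """Constructed timeline exercising each rule; returns the observed outcomes."""
    t0 = datetime(2014, 6, 1, 9, 0, 0)                 # constructed clock
    acct = Account("jdoe", password_set_at=t0 - timedelta(days=30))
    out = {}
    # Nine wrong passwords are 'failed'; the tenth triggers the 30 minute lock.
    out["attempts"] = [record_login_attempt(acct, False, t0 + timedelta(seconds=i))
                       for i in range(10)]
    # The correct password inside the lock window is still refused.
    out["during_lock"] = record_login_attempt(acct, True, t0 + timedelta(minutes=20))
    # Once the lock has expired the correct password is accepted.
    out["after_lock"] = record_login_attempt(acct, True, t0 + timedelta(minutes=31))
    # 29 minutes of inactivity keeps the session; 30 minutes ends it.
    out["idle_29"] = touch_session(acct, t0 + timedelta(minutes=60))
    out["idle_30"] = touch_session(acct, t0 + timedelta(minutes=90))
    # 91 days after the password was set, a correct login demands a change.
    out["expired"] = record_login_attempt(acct, True, t0 + timedelta(days=61))
    return out


if __name__ == "__main__":
    for rule, result in run_scenario().items():
        print(f"{rule}: {result}")
```

The order of the checks in record_login_attempt is the part worth attention: the lock is tested before the credential, so a locked account gives an attacker no signal about whether a guess was right, and the expiration check only runs after a valid credential, so an expired password still has to be known before it can be changed.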

VI.  NON-COMPLIANCE AND SANCTIONS

Violation of this policy may subject the violator to disciplinary actions, up to or including termination of employment or dismissal from a school, and may subject the violator to penalties stipulated in applicable state and federal statutes. 
 

 By Direction of the CIO:



__________________________________
Mira Lalovic-Hand,
VP and Chief Information Officer