
4:039 Password Management

 

Austin Peay State University
Password Management


POLICIES
Issued:  March 25, 2017

Responsible Official:  Vice President for Finance and Administration

Responsible Office:  Information Technology
 

 


Policy Statement


It is the policy of Austin Peay State University to establish minimum requirements with respect to password construction in order to protect data stored on Austin Peay State University information systems.


Purpose


The purpose of this policy is to establish minimum requirements with respect to password construction in order to protect data stored on computer systems on all Austin Peay State University information systems and networks. 


Procedures



Policy
  1. A combination of a personal user login ID for identification and a unique password for authentication will be required of all users before they are allowed access to Austin Peay State University networks and systems.
  2. Passwords will be used for authentication of access to all Austin Peay State University networks and systems except where stronger authentication methods are deemed necessary.
  3. The effectiveness of passwords to protect access to Austin Peay State University information directly depends on strong construction and handling practices.

Password Construction
  1. All users must construct strong passwords for access to all Austin Peay State University networks and systems, using the following criteria where technically feasible:
    1. Must be a minimum of 8 characters in length.
    2. Must be composed of a combination of at least three of the following four types of characters:
      1. Upper case alphabetic character
      2. Lower case alphabetic character
      3. Numeric character
      4. Non-alphanumeric character
    3. Or, as an alternative:
      1. A pass-phrase of a minimum of 14 characters 

Password Management
  1. The following requirements apply to end-user password management:
    1. Storage and Visibility
      1. Passwords must not be stored in a manner which allows unauthorized access.
      2. Passwords will not be stored in a clear text file.
      3. Passwords will not be sent via unencrypted email.
    2. Changing Passwords
      1. Users must change their passwords at least every 365 days.
      2. Users who process or access restricted data (such as protected health information, student FERPA data, social security numbers, or other personally identifiable information) must change their passwords at least every 120 days.
      3. Users with privileged accounts (such as those with root or administrator level access) must change their passwords at least every 120 days.
      4. Passwords must be changed immediately if any of the following events occur:
        1. Unauthorized password discovery or usage by another person;
        2. System compromise (unauthorized access to a system or account);
        3. Insecure transmission of a password;
        4. Accidental disclosure of a password to an unauthorized person; or
        5. Status changes for personnel with access to privileged and/or system accounts.

Password Protection – System Accounts
  1. System Accounts can be defined as:      
    1. Accounts used for automated processes without user interaction.
    2. Accounts used for device management.
  2. System Accounts are not required to expire but must meet the password construction requirements above.
  3. Vendor-provided passwords must be changed upon installation using the password construction requirements above.

Compliance and Enforcement
  1. The policy applies to all users of Austin Peay State University information resources including students, faculty, staff, temporary workers, vendors, and any other authorized users.
  2. Persons in violation of this policy are subject to a range of sanctions determined and enforced by Austin Peay State University.
  3. Justifications for exceptions to this policy must be documented by Austin Peay State University.

Revision Dates


APSU Policy 4:039 – Issued: March 25, 2017


Subject Areas:

Academic, Finance, General, Human Resources, Information Technology, Student Affairs
        X  

 


Approved


President: signature on file