Abstract:  JSU must establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change. Policy Number: 50000.021 Effective Date: 1/29/2019 Review/Revised Date: 3/13/2023  Category: Information Technology Policy Owner: CIO/Information Technology Policy Contact: CISO/Information Technology

Policy Statement

The purpose of this policy is to provide guidelines and best practices for the creation of strong and secure JSU passwords for gaining access to resources and services including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail, and local router logins. Passwords serve to protect user accounts; however, a poorly constructed password may result in the compromise of individual systems, data, or the JSU network.

 

Definitions

• JSU Employee- employees (full time or part time), contractors, consultants, temporary and other workers, adjuncts, researchers, including all personnel affiliated with third parties.
• Passphrase- A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Examples include “It’s time for vacation” or “block-curious-sunny-leaves
• JSU Privileged Users- a trusted user who has been authorized to have administrative access to critical systems (full time or part time) where critical JSU data sets are stored inside/outside (ex. cloud platforms) of the JSU network to perform their job duties. These users may consist of JSU IT employees ( CIO, CTO, System Administrators, Database Administrators, Network Administrators, Email Administrators, Webmasters, Application Developers) and other employees as defined in the JSU employee definition 2.1 who are given administrative access to critical systems (full time or part time) where critical data sets are stored.

 

Employee Adherence

This policy applies to all JSU employees, contractors, consultants, temporary and other workers, including all personnel affiliated with third parties who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any JSU facility, has access to the JSU network, or stores any non-public JSU information.

 

Policy

General Password Policy

Anyone who is not a Data Center employee, an authorized staff member, or authorized vendor is considered a visitor. All visitors to the Data Center(s) must adhere to the following procedures:

 All JSU system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis.

• All production system-level passwords must be part of the JSU administered global password management database.
• Passwords to critical resources and systems must not be inserted into email messages or other forms of electronic communication. If it must be sent in this form it must not be sent in plain text form.
• All user-level and privileged user account passwords (e.g., email, web, desktop, computers, etc.) must be changed at least every six months.

 

General JSU Password Creation Recommendations

In order to create strong and secure pass words JSU recommends all employees, vendors, contractors and third party personnel use a minimum of 15 or more characters to create passwords.  In addition, we highly encourage the use of passphrases to create secure passwords made up of multiple words. 

Poor, or weak, passwords have the following characteristics:

• Contain eight characters or less.
• Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, co-workers or fantasy characters.
• Contain number patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
• Contain words that can be found in a dictionary (English or foreign).

JSU User-level Strong, passwords will have the following characteristics:

• Contain both upper and lower case characters (e.g., a-z, A-Z)
• Contain digits and punctuation characters as well as letters e.g., 0-9, !@#$%^&*()_+|~-=`{}[]:”;'<>?,./)
• Are at least 15 alphanumeric characters long at a minimum, not a word in any language, slang, dialect, jargon, etc. and are not based on personal information, names of family, etc.
• Passwords should never be written down or stored on-line.

 

JSU Privileged user-level Strong, passwords will have the following characteristics:

• Contain both upper and lower case characters (e.g., a-z, A-Z)
• Contain digits and punctuation characters as well as letters e.g., 0-9, !@#$%^&*()_+|~-=`{}[]:”;'<>?,./)
• Are at least 20 alphanumeric characters long at minimum, not a word in any language, slang, dialect, jargon, etc. and are not based on personal information, names of family, etc.
• Passwords should never be written down or stored on-line.

                 

Password Protection Standards

• JSU employees, vendors and contractors should not use the same password for JSU accounts as passwords for access to other non-JSU accounts (e.g., personal ISP account, option trading, benefits, etc.).
• JSU employees should not share account passwords, or password format with unauthorized persons, and/or family members.
• JSU employees are responsible for protecting assigned passwords using best practices such as not posting passwords in/on visible areas (e.g. computer monitors, sticky notes, desks, walls, boards).
• If a JSU Employee is aware that an account or password is suspected to have been compromised, the employee must report the incident to the IT Security personnel which will provide assistance with changing all passwords immediately.

 

Policy Compliance

• Any JSU employee found to have violated this policy may be subject to disciplinary action, up to and including revocation of access privileges, or termination of employment.   In addition to University discipline, users may be subject to criminal prosecution under federal, state or local laws; civil liability; or both for unlawful use of any IT System.

 

Related Standards, Policies, and Processes