Purpose
Users who access Barry University systems are responsible for taking the appropriate steps as outlined in this policy to select and protect their passwords. A poorly chosen password may result in unauthorized access and exploitation of Barry University's resources. This policy defines the protocols for the creation, protection, and use of passwords for systems owned, managed, or otherwise under the responsibility of Barry University. This policy applies to anyone with access to these systems.
Definitions
Sensitive Information:
Information whose loss, misuse, unauthorized access, or modification could adversely affect the interests or the conduct of the University, or could adversely affect an individual's right to privacy, particularly information protected under HIPAA, the Florida Information Protection Act, FERPA, the General Data Protection Regulation, and other privacy laws and regulations.
Privileged Account:
A privileged account is one with a high level of access to a system, typically used by a systems administrator to log into servers, network hardware, databases, and other applications they administer.
Service Account:
An account for which a systems administrator is responsible but is used by systems rather than by users. These accounts run automated processes like scheduled tasks, deployments, and monitoring services. If these accounts also have high levels of access to resources, they are also considered Privileged Accounts.
Policy
All passwords shall adhere to the strong password guidelines reflected in this policy and to the standards described below. Higher risk systems (those which typically provide access to critical or sensitive data or control privileged accounts) shall implement additional security measures, such as generating stronger passwords, Multi-Factor Authentication (MFA), etc.
Password Standards:
Passwords shall adhere to the following minimum standards, except when a standard is unsupported by the system, in which case every effort should be made to adhere as closely as possible.
- All passwords shall adhere to strong password guidelines as reflected in the strong password requirements KB article.
- All default passwords for devices and systems SHALL be changed before production use (e.g. switches, appliances, cameras, etc.).
- Systems that contain or control access to sensitive data shall utilize the following capabilities for authentication where available:
  - Single Sign On (SSO) - allows access to multiple systems using only one successful authentication per session.
  - Multi-Factor Authentication (MFA) - requires two or more methods to log into an information system.
- All standard user passwords shall have an expiration period of no more than 180 days.
- All Privileged device and system account passwords shall be changed at a minimum of once every 360 days.
- If a Privileged or system account requires an exception to this policy, please contact the Information Security Office.
- The previous ten passwords shall not be used.
- Minimum password age shall be one day (the amount of time between password changes).
- Account lockouts shall be enforced on all systems where supported.
- Passwords shall not be written down or stored in files that are not secured or encrypted.
- Passwords shall not be sent via email or other electronic methods unless they are encrypted in transit.
- Individual passwords shall never be shared with anyone, including coworkers or IT staff.
- IT staff assisting users may provide One Time Passwords (OTP) that shall be immediately changed by the user.
- Shared System/service passwords used to protect servers, devices, applications, hosted services, or files shall be stored using a secured method that logs the use of the credentials.
Additional Requirements:
- It is recommended that privileged accounts require passwords with a length of 12 or more characters.
- The use of password managers is highly recommended to ensure unique and complex passwords for each system that is accessed. A list of recommended password managers can be found in our knowledgebase.
- Passwords for Barry University accounts shall be different from passwords used for personal accounts (e.g. personal email, personal bank accounts, etc.).
- Where possible, users shall not use the same password for various Barry University access needs.
- Your Barry ID number shall not be included in your password.
- Personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters shall not be included in your password.
- Work-related information such as building names, system commands, sites, companies, hardware, or software shall not be included in your password.
- Individuals should not save passwords when prompted to save them by the web browser.
Compromised Passwords:
- Passwords suspected to have been compromised shall be changed immediately, and the incident reported to the Information Security Office.
- If the account for that user has access to sensitive data or systems that control access to sensitive data, the incident will be investigated by the Information Security Office to determine the severity.
Compliance
Failure to comply with the policy may:
- Subject faculty or staff to disciplinary action up to and including termination under the Progressive Discipline Policy and/or Faculty Handbook.
- Subject a student to disciplinary action as described in the University’s Student Handbook.
- Result in termination of the relationship or agreement with a vendor.
Review Cycle
This policy will be reviewed every three years or as necessary. The review process will be managed by the Information Security Office.
Version History
Version | Modified Date | Approved Date | Approved By | Version Comments/Summary
--- | --- | --- | --- | ---
1.0 | July 1, 2017 | | ECA | Document Origination
2.0 | July 25, 2022 | | | Updated password requirements; added password manager suggestions; added Review Cycle