Nov 21, 2024  
Policies 
    

Technology Division


08:13:01 Computer Passwords

 
  1. Introduction: Tennessee Board of Regents Access Control Policy 1.08.03.00 requires all institutions to control user access to information assets based on three separate areas: individual accountability, need to know, and least privilege. The purpose of this policy is to establish a minimum standard for creation of strong passwords, the protection of those passwords, and the frequency of change to ensure protection of institutional information assets.
  2. A combination of a personal user login id or identification and a unique password for authentication will be required of all users before they are allowed access to institutional networks and systems. Everyone (students, faculty, staff, adjuncts, contractors, vendors, etc.) who requires this access is provided an individual user-id and password. At Chattanooga State Community College, this is referred to as your TigerID and password.
  3. The effectiveness of passwords to protect access to the institution’s information directory depends on strong construction and handling practices. Users must provide government-issued picture ID for positive proof of identity when receiving account access. 
    1. Users are required to select a new password immediately after their initial login.
    2. Users should change their passwords immediately if they think their accounts have been compromised.
    3. All user-level passwords (e.g., email, web, desktop computer, etc.), especially those of users who process or access restricted data (such as protected health information, student FERPA (Family Educational Rights and Privacy Act) data, Social Security Numbers, PCI (Payment Card Information) or other personally identifiable information), must be changed at least every 120 days. This is an automated access change request.
    4. Users with privileged accounts (such as root or administrator level access) must change their passwords every 120 days.
    5. Student accounts are exempt from changing their passwords.
    6. System accounts are not required to expire but must meet the password construction requirements in this policy. System account passwords will be changed when someone who had this level of system access leaves ChSCC employment.
    7. Vendor-provided passwords must be changed upon installation using the password construction requirements in this policy.
    8. User accounts that have system-level privileges granted through group memberships or programs must have a user-id and password unique from all other users on that account.
    9. All user passwords will be automatically locked out after five attempts to login. Accounts will be automatically reset within 10 minutes. Users should call the Technology Service Desk for help, if needed. Password accounts not used for 365 days will be disabled and reviewed by Technology and the appropriate supervisor for possible deletion.
  4. Passwords must be changed as soon as possible if any of the following events occur:
    1. Unauthorized password discovery or usage by another person;
    2. System compromise (unauthorized access to a system or account);
    3. Insecure transmission of a password;
    4. Accidental disclosure of a password to an unauthorized person;
    5. Status changes for personnel with access to privileged and/or system accounts.
  5. Passwords must not be inserted into email messages or other forms of electronic communication, unless encrypted. The following requirements apply to end-user password management.
    1. Passwords must not be stored in a manner that allows unauthorized access.
    2. Passwords will not be stored in a clear text file.
    3. Passwords must not be stored in a manner that allows unauthorized access - including writing them down and storing them in your office.
    4. Do not use the “Remember Password” feature of applications (e.g., Outlook, etc.).
    5. Don’t store passwords in a file on ANY computer system (including mobile devices) without encryption. Passwords should not be visible on a screen or hardcopy.
  6. All user passwords that allow access to all institution networks and systems must be constructed using the following criteria where technically feasible.
    1. Must be a minimum of 8 characters in length.
    2. Must be composed of a combination of at least three of the following four types of characters:
      1. Upper case alphabetic character;
      2. Lower case alphabetic character;
      3. Numeric character;
      4. Non-alphanumeric character (if feasible, as some systems do not recognize certain non-alphanumeric characters).
    3. Password cannot be a repeat of the last 24 passwords.

 

References:

NIST Special Publication 800-53 Rev 5, Security and Privacy Controls for Information Systems and Organizations, September 2020

State of Tennessee Department of Finance and Administration Strategic Technology Solutions 2:4:01, 8/3/2020

Tennessee Board of Regents (TBR) Information Technology Policy 1:08:03:00, 5/14/2019 (replaces TBR Password Management G-051 and TBR Policy G-052 Access Control, 9/26/2014)

Chattanooga State Community College (ChSCC) Technology Policy 08:17 Computer Access, 2/28/2021

 

Submitted to Policy Review Committee on February 21, 2022

Submitted to Policy Review Board on March 28, 2022

Approved by the Policy Review Board on April 13, 2022

 

Previous Versions:

Submitted to Policy Review Committee on February 28, 2021

Submitted to Policy Review Board on March 22, 2012

Approved by Policy Review Board on April 21, 2021

 

Submitted to Policy Review Committee on June 14, 2019

Submitted to Policy Review Board on July 22, 2019

Approved by Policy Review Board on July 31, 2019

 

Submitted to Policy Review Committee on October 24, 2018

Submitted to Policy Review Board on November 30, 2018

Approved by Policy Review Board on December 6, 2018