Jun 26, 2019  
Policies 
    

Technology Division


08:13:01 Computer Passwords

 
  1. Introduction: Tennessee Board of Regents Guideline G-51 Password Management requires all institutions to control user access to information assets based on three separate areas: individual accountability, need to know, and least privilege. The purpose of this policy is to establish a minimum standard for creation of strong passwords, the protection of those passwords, and the frequency of change to ensure protection of institutional information assets.
  2. A combination of a personal user login id or identification and a unique password for authentication will be required of all users before they are allowed access to institutional networks and systems. Everyone (students, faculty, staff, adjuncts, contractors, vendors, etc.) who requires this access is provided an individual user-id and password. At Chattanooga State Community College, this is referred to as your TigerID and password.
  3. The effectiveness of passwords to protect access to the institution's information directory depends on strong construction and handling practices.
    1. Users are required to select a new password immediately after their initial login.
    2. All user-level passwords (e.g., email, web, desktop computer, etc.), especially those of users who process or access restricted data (such as protected health information, student FERPA (Family Educational Rights and Privacy Act) data, Social Security Numbers, PCI (Payment Card Information) or other personally identifiable information), must be changed at least every 120 days. This is an automated access change request.
    3. Users should immediately change their password if they suspect it has been compromised.
    4. User accounts that have system-level privileges granted through group memberships or programs must have a user-id and password that are unique from those of all other users on that account.
    5. User passwords will be automatically locked out after five failed attempts to log in. The Banner system allows only three attempts before locking out. Users will need to enter a service request through the technology service request system. Each password reset due to the five failed login attempts or three failed login attempts (Banner) will be tracked to ensure security of the account, and must be entered into the daily log by anyone resetting the password. Password accounts not used for 365 days will be disabled and reviewed by Technology and the appropriate supervisor for possible deletion.
  4. Passwords must not be inserted into email messages or other forms of electronic communication, unless encrypted. The following requirements apply to end-user password management.
    1. Passwords must not be stored in a manner that allows unauthorized access.
    2. Passwords will not be stored in a clear text file.
    3. Passwords must not be stored in a manner that allows unauthorized access, including writing them down and storing them in your office.
    4. Do not use the "Remember Password" feature of applications (e.g., Outlook, etc.).
    5. Don't store passwords in a file on ANY computer system (including mobile devices) without encryption. Passwords should not be visible on a screen or hardcopy.

  5. All user passwords that allow access to all institution networks and systems must be constructed using the following criteria where technically feasible.
    1. Must be a minimum of 8 characters in length
    2. Must be composed of a combination of at least three of the following four types of characters:
      • Upper case alphabetic character;
      • Lower case alphabetic character;
      • Numeric character;
      • Non-alphanumeric character (if feasible, as some systems do not recognize certain non-alphanumeric characters).

 

References:

  1. State of Tennessee Department of Finance and Administration Strategic Technology Solutions 2:01, 12/15/2016
  2. Tennessee Board of Regents (TBR) Information Technology Policy 1:08:00:00, 9/26/2014
  3. Tennessee Board of Regents (TBR) Password Management G-051, 9/26/2014
  4. Tennessee Board of Regents (TBR) Policy G-052 Access Control, 9/26/2014    
  5. Chattanooga State Community College (ChSCC) Technology Policy 08:17 Computer Access, 9/30/2018

 

 

Submitted to Policy Review Committee on October 24, 2018

Submitted to Policy Review Board on November 30, 2018

Approved by Policy Review Board on December 6, 2018