Standards: IT Security Standards

Purpose: The purpose of this document is to provide standards that must be maintained for minimizing security risk to the University's information technology resources.

  1. Password Security: Appropriate security and access controls based on the criticality of the system must be implemented and enforced to protect passwords that provide access to network resources. The following password strength rules are minimum requirements that must be followed by the user and enforced as far as possible by the system for any system active on the University's network in which accounts are provided.

    • Encryption of Passwords: All passwords stored on a system must be encrypted.

    • Format of Passwords: The following format restrictions are designed to help prevent passwords from being compromised.

      • Passwords must be a minimum of 8 characters.
      • Passwords (with the exception of mainframe passwords) must incorporate at least 3 of the following: upper-case letters, lower-case letters, numbers, and special characters (i.e. punctuation and symbols).
      • Passwords must not include any portion of the user's logon name or the user's first or last name or a word commonly found in any dictionary.

    • Password expiration: Passwords must be set to expire at least once per year.

    • Reuse of old Passwords: Users must be prevented from reusing their previous three passwords.

    • Account locking: The system must be set to deny access for a period of time consistent with the criticality of the system after 6 consecutive unsuccessful logon attempts.
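The format rules above can be enforced by the system at password-change time. The following checker is an added example, not code from the University; it implements the 8-character minimum, the 3-of-4 character-class rule with the mainframe exception, and the logon/first/last name and dictionary-word exclusions. The standard does not define how long a "portion" of a name is, so the 3-character threshold and the small word list are assumptions constructed for this example.

```python
# Constructed stand-in for "a word commonly found in any dictionary";
# a real deployment would load a full word list.
COMMON_WORDS = {"password", "welcome", "university", "summer", "letmein"}

# Shortest substring of a logon/first/last name treated as "any portion".
# The standard does not define this, so the threshold is an assumption.
MIN_PORTION = 3


def _name_portions(name, min_len=MIN_PORTION):
    """All lower-cased substrings of `name` that are at least `min_len` long."""
    name = name.lower()
    return {name[i:j] for i in range(len(name))
            for j in range(i + min_len, len(name) + 1)}


def check_password(password, logon, first, last, mainframe=False,
                   dictionary=COMMON_WORDS):
    """Return the list of rules the candidate password violates (empty = compliant)."""
    violations = []
    if len(password) < 8:
        violations.append("shorter than 8 characters")

    # Character classes: upper, lower, numbers, special (punctuation and symbols).
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() and not c.isspace() for c in password),
    ]
    # Mainframe passwords are exempt from the 3-of-4 requirement.
    if not mainframe and sum(classes) < 3:
        violations.append("fewer than 3 of: upper, lower, number, special")

    lowered = password.lower()
    for label, name in (("logon name", logon), ("first name", first),
                        ("last name", last)):
        if any(portion in lowered for portion in _name_portions(name)):
            violations.append(f"contains a portion of the user's {label}")

    # "Include ... a word commonly found in any dictionary": reject if any
    # listed word appears anywhere inside the password, case-insensitively.
    if any(word in lowered for word in dictionary):
        violations.append("contains a dictionary word")
    return violations
```

Example: `check_password("Smith2024!", "jsmith", "John", "Smith")` is rejected because "smith" is a portion of both the logon name and the last name, while `check_password("abcdefgh", "jsmith", "John", "Smith", mainframe=True)` passes only because of the mainframe exemption.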

  2. Encryption: Web-accessible applications that transmit non-public information are required to include a statement explaining the presence or absence of encryption and the appropriate log-out procedures.

  3. Access: To prevent unauthorized access to University resources, changes in role or separation from the University must result in corresponding changes or deletion of information technology account access privileges. It is the responsibility of the unit to which the person reported to ensure that these changes occur.

  4. Operating Systems/Network Applications: System administrators are responsible for installing all manufacturer-recommended security patches for operating systems and network applications, and for turning off all identified unnecessary services.

  5. Virus Protection: It is the responsibility of each unit to ensure that the University-provided virus protection software is installed and enabled on unit computers. Unit computers must be set to update virus definitions daily. A scan of local storage must be scheduled to run at least weekly.

  6. Physical Security: The physical security of the University's information technology resources (including, but not limited to the facility, equipment, software and information) must be maintained. Individuals and units are responsible for implementing security measures for the resources within their purview, commensurate with the criticality of each information technology resource.


Last updated on July 1, 2003