Password Standard

Responsible Parties
Prepared By: Suzanne Baker
Document Version Number: Version 1.1
Phone Number: 314-977-4185
Effective Date: 7/12/2013
Last Updated: 7/12/2013
Department(s) Responsible: ITGS:IT Governance Services
Name of Responsible Department Person: Suzanne Baker
Group(s) Responsible: ITGS:IT Compliance Services
Name of Responsible Group Person: Suzanne Baker
Approved By: IT Governance Committee
Date of Approval: 7/12/2013
Date of Last Review: 6/13/2013
Date of Next Review: 6/13/2014

Audience
This document applies to all Saint Louis University (SLU) departments and the ITS Division. This standard will be published on the ITS website.

Responsibilities
Executive Sponsor: Chief Information Officer
Key Stakeholders: ITS Division, ITGS:IT Governance Services, ITGS:IT Compliance Services, Information Security
Document Management: The department director is responsible for ensuring the publication, notification, and maintenance of this document, as well as approving all major revisions to this standard.
Implementers: IT Governance Services is responsible for ensuring that the requirements in this document are implemented.

Page 1 of 5
Table of Contents
Revision History ... 3
Scope ... 4
Purpose ... 4
Standard ... 4
Affected Applications ... 5
Other Documents Referenced ... 5
Questions About This Standard ... 5
Approval and Amendments ... 5
Revision History
Version Number* | Prepared By | Description of Changes | Date of Approval | Approved By
1.0 | Suzanne Baker | | |
1.1 | | | 5/10/2013 |

*Minor revisions should be indicated by changing the minor number (e.g. 1.3 to 1.4 would indicate a minor revision). Minor revisions include, but are not limited to, changes in verbiage or minor procedure changes that do not require the standard to be rerouted through the approval process.
*Major revisions should be indicated by changing the major number (e.g. 1.4 to 2.0 would indicate a major revision). Major revisions include significant content changes that require the standard to be rerouted through the approval process.
Scope
This standard applies to the Information Technology Services division (ITS) and SLU divisions that support and perform IT functions, including but not limited to distributed IT functions, and all Saint Louis University Information Technology Resources.

Purpose
The purpose of this standard is to take one of the first steps toward ensuring the compliance and security of Saint Louis University accounts and of access to SLU Information Technology Resources, which include data, software, hardware, networks, IT systems, databases and removable media.

Standard

User Account Standard
Passwords must follow a few rules:
- At least 8 characters long
- At least 1 lowercase letter, 1 uppercase letter, and 1 number
- Cannot contain the following phrases: password, test, welcome, username, your first or last name
- Can only contain the following special characters: #, $, %, ?, *, ^
- Cannot be a previously used password

Technical Standards
- Passwords must be stored or transmitted in an encrypted format
- Access to password.slu.edu will be disabled after five consecutive unsuccessful logins
- Passwords must be changed every six months
- For Payment Card Industry applications, passwords must be changed every 90 days

System Administrator Account Standard
System administrator passwords include passwords for servers, desktops, applications, and networks.
System administrator accounts must follow the National Institute of Standards and Technology (NIST) controls listed below:
- At least 8 characters long
- At least 1 lowercase letter, 1 uppercase letter, and 1 number
- Cannot contain the following phrases: password, test, welcome, username, your first or last name
- Can only contain the special characters that are allowed by each specific system
- Cannot be a previously used password

Technical Standards
- Passwords must be stored or transmitted in an encrypted format
- Access to password.slu.edu will be disabled after five consecutive unsuccessful logins
- Passwords must be changed every six months
- For Payment Card Industry applications, passwords must be changed every 90 days
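The composition rules listed above for user accounts and for system administrator accounts, as an added example that is not part of the SLU standard: a Python checker that reports every rule a candidate password breaks. The function names, the hashed password-history format and the sample inputs are assumptions; the per-system special-character set for administrator accounts is passed in as a parameter.

```python
"""Added example, not from the SLU standard: checks a candidate password against
the User Account Standard rules (and, via allowed_specials, the System Administrator
rules).  All function names and sample values are assumptions."""
import hashlib
import re

FORBIDDEN_PHRASES = ("password", "test", "welcome", "username")
USER_SPECIALS = frozenset("#$%?*^")  # the only specials the user standard allows


def history_entry(password):
    """Assumed history format: hash of a past password so no plaintext is kept
    (a slow password hash such as bcrypt is preferable in practice)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate, first_name, last_name, history_hashes,
                   allowed_specials=USER_SPECIALS):
    """Return the list of violated rules; an empty list means compliant."""
    violations = []
    if len(candidate) < 8:
        violations.append("shorter than 8 characters")
    if not re.search(r"[a-z]", candidate):
        violations.append("no lowercase letter")
    if not re.search(r"[A-Z]", candidate):
        violations.append("no uppercase letter")
    if not re.search(r"[0-9]", candidate):
        violations.append("no number")
    lowered = candidate.lower()
    # Forbidden phrases, including the user's own name, match case-insensitively
    for phrase in FORBIDDEN_PHRASES + (first_name.lower(), last_name.lower()):
        if phrase and phrase in lowered:
            violations.append(f"contains forbidden phrase '{phrase}'")
    # Anything but an ASCII letter, a digit or an allowed special is rejected
    for ch in candidate:
        if not (ch.isascii() and ch.isalnum()) and ch not in allowed_specials:
            violations.append(f"disallowed character {ch!r}")
            break
    if history_entry(candidate) in history_hashes:
        violations.append("previously used password")
    return violations
```

For an administrator account, pass the characters that the specific system permits as `allowed_specials`; the user-account default restricts input to the six characters the standard names.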
Special Regulatory Controls Standard
Some systems will require additional controls and standards around passwords due to specific regulations that Saint Louis University must meet. If your system is required to meet the Federal Information Security Management Act (FISMA), please contact IT Governance for specific standards.

Exceptions to the Standard
Exceptions to this password standard can be made in the event the system (application) cannot support the password requirements. System administrators must inform IT Governance of exceptions so that they can be noted as a risk.

Affected Applications
Application Name | Version | Business Owner
All systems that require passwords | |

Other Documents Referenced
Document Number | Document Name | Online Location
| Review current ITS Policies/Standards/Processes |
| Review current ITS Procedures |

Questions About This Standard
If you have questions about this standard, please contact the director of the department responsible for authoring this document, as listed above.

Approval and Amendments
Changes to this standard may be necessary from time to time. At a minimum, this standard will be reviewed and approved annually. All changes to this standard will go through the published revision and approval process. This standard, including a record of all changes, will be maintained by the department responsible for authoring this document, as listed above.