Policy: Password Requirements

Tags: PCI
  1. PURPOSE

    1. The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the necessity to routinely change those passwords that are used to connect to Massasoit Community College (Massasoit) information technology resources. This policy must be read in conjunction with the Acceptable Use Policy.
  2. SCOPE

    1. This policy applies to any person utilizing Massasoit information technology resources. The following persons (“users”) are authorized to use Massasoit information technology resources: (1) current faculty; (2) current staff; (3) current students; (4) authorized contractors or vendors; and (5) authorized visitors.
  3. POLICY

    1. Passwords are an important safeguard of information security. A poorly chosen password may result in unauthorized access to and/or exploitation of college resources, including personally identifiable information (PII). All users with access to college systems are responsible for taking the appropriate steps to select and secure their passwords as outlined below.
    2. All user-level and system-level passwords must conform to the password security procedures defined by Information Technology Services, including:
      1. Passwords must be changed whenever an account compromise is suspected,
      2. Passwords must be at least 15 characters long. (PCI DSS 4.0 8.3.6)
      3. Password history is set to 24, meaning that 24 unique passwords must be used before an old password can be reused. (PCI DSS 4.0 8.3.7)
      4. Accounts are locked after five (5) unsuccessful login attempts. (PCI DSS 4.0 8.3.4)
    3. Each user is responsible for maintaining the confidentiality of passwords that are used to gain access to Massasoit systems and services.
    4. Passwords should not be shared with anyone. All passwords are to be treated as sensitive and confidential information.
    5. Passwords must not be written down, and must not be stored or transmitted electronically except in encrypted form.
    6. Users must never attempt to discover a system password or another user's password, whether manually or by using an automated password-cracking tool.
    7. User accounts that have system-level privileges, whether granted through group memberships or through programs, must use a password that is different from the passwords of all other accounts held by that user.
    8. Any user who suspects that their password may have been compromised must report the incident to Information Technology Services and change all of their passwords immediately.
  4. MULTI-FACTOR AUTHENTICATION

    1. All Massasoit faculty, staff, vendor, and other accounts provisioned in the Massasoit.edu domain are required to use multi-factor authentication (MFA) to access the Virtual Private Network (VPN) and all applications that use single sign-on (SSO). (PCI DSS 4.0 8.3.1.a)
  5. ENFORCEMENT

    1. Any person found to have violated this policy, intentionally or unintentionally, may be subject to disciplinary action, up to and including loss of access rights, expulsion from the college or termination of employment. Depending upon the nature of the violation of this policy, a user may also be subject to civil liability and/or criminal prosecution.