ISO PS008 Passwords


Policy Name: Passwords
Policy Number: IS PS008
Effective Date: July 23, 2007
Review Date: July 23, 2008
Last Revision Date: July 23, 2007
Last Revision By: Bruce W. Edwards
Contact Name: Bruce W. Edwards
Contact Email: ISOPolicy@louisville.edu
Approved By: Compliance Oversight Council
Version: 1.0


POLICY:

All computer accounts must be password protected to help maintain the confidentiality and integrity of electronic data as well as to help protect the University's computing resources and infrastructure. This policy establishes a minimum standard for creation of strong passwords, the protection of those passwords, and the frequency of change.


STANDARDS:

Administrative Standards:

General

  • Passwords to University accounts and devices must be kept confidential.

UofL Network and/or Enterprise Software Accounts
(In addition to the general standard above, these standards apply to UofL Network and Enterprise Software accounts)

  • Account holders should set up their challenge questions to facilitate self-service password resets (go to ULink).
  • Notification of password expiration will be provided to account holders 30 days in advance of the password expiration and three additional times: 15, five, and one day before expiration.

Technical Standards:

General

  • Passwords should expire every 90 days.
  • Passwords to systems containing sensitive information, including electronic Protected Health Information (ePHI), must expire no less often than every 180 days.
  • Passwords should be at least 8 positions in length.
  • Passwords to systems containing sensitive information, including ePHI, must be at least 8 positions in length.
  • Strong passwords should be used. A strong password will include a combination of:
    • Alphabetic, including both upper and lower case: A to Z and a to z.
    • Numeric: 0 to 9.
    • Special Characters such as: ~!@#$%^&*( )+=[ ] { } ? < >, etc.
  • Passwords to systems containing sensitive information, including ePHI, must require at least two of the three criteria specified immediately above.
  • Passwords should not consist solely of personal information or words found in a dictionary (any language). Ideally, this information should not be used at all. If it is used, the password must also include at least two of the three types of strong password characters noted above.
  • Password use and security can be facilitated using the password hint web site. For more information go to ULink and see the "Password Self Service" section.

UofL Network and/or Enterprise Software Accounts
(In addition to the general standards above, these standards apply to UofL Network and Enterprise Software accounts)

  • Passwords expire every 180 days and meet the sensitive information complexity requirements.


SCOPE / APPLICABILITY:

All persons while conducting/performing work, teaching, research or study activity or otherwise using University resources. Scope/Applicability also includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.

POLICY AUTHORITY / ENFORCEMENT:

The University's Information Security Officer (ISO) is responsible for the development and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.

POLICY REVIEW:

This policy will be reviewed annually to determine if the policy is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed.

COMPLIANCE:

Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.


REVISION HISTORY:

Version / Revision Date / Description

1.0 / July 23, 2007 / Original Publication


This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.

Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
