Password Policy

RELATED COLLEGE POLICIES 

Acceptable Use of Information Technology Resources Policy, Electronic Mail Policy, Remote Access Policy, Privacy Policy 

POLICY CATEGORY 

Information Technology Services (ITS) 

APPROVAL AUTHORITY 

President’s Leadership Team 

POLICY OWNER 

Vice President, Information Technology Services and Chief Data Officer 

POLICY STAKEHOLDER 

Data and Technology Council 

CONFIDENTIAL LEVEL (Public, Internal, Confidential)

Public

APPROVAL DATE 

9/2019 

EFFECTIVE DATE 

9/2019 

REVIEW FREQUENCY 

Annual 

 
PURPOSE/SCOPE

The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change for those passwords that are used to connect to Bristol Community College (“Bristol” or “college”) information technology resources. This policy must be read in conjunction with the Acceptable Use of Information Technology Resources Policy.

This policy applies to any person utilizing Bristol’s information technology resources. The following persons (users) are authorized to use Bristol’s information technology resources: (1) current faculty; (2) current staff; (3) current students; (4) authorized contractors or vendors; and (5) authorized visitors.

POLICY 

Passwords are an important aspect of information security. A poorly chosen password may result in unauthorized access and/or exploitation of college resources, including confidential information of students, alumni, applicants, faculty and staff. All users with access to college systems are responsible for taking the following appropriate steps to select and secure their passwords. 

  • All user-level and system-level passwords must conform to the guidelines defined by ITS; 
  • Each user is responsible for maintaining the confidentiality of passwords that are used to gain access to Bristol systems and services; 
  • Passwords should not be shared with anyone. All passwords are to be treated as sensitive and confidential information. It is permissible to share your password with ITS support personnel for troubleshooting purposes only and users should change their password immediately after the work is performed; 
  • Passwords should not be written down, stored, or transmitted electronically without the use of encryption; 
  • Users should never attempt discovery of a system or another user’s passwords, either manually or utilizing an automatic password cracking system; 
  • User accounts that have system-level privileges granted through group memberships or programs must have a unique password from all other accounts held by that user to access system-level privileges; 
  • Any user suspecting that his/her password may have been compromised must report the incident to the ITS Help Desk and change all passwords. 

ENFORCEMENT 

Any person found to have violated this policy, intentionally or unintentionally, may be subject to disciplinary action, up to and including loss of access rights, expulsion from the college, or termination of employment. 

ROLES AND RESPONSIBILITIES 

This section identifies the college personnel who take part in the development and approval of this policy, and those to whom the policy applies.

ROLE: Information Technology Services

RESPONSIBILITY:

  • Ensure awareness of and compliance with this policy;
  • Review this policy periodically and update as needed in response to environmental and/or operational changes;
  • Ensure that this policy and all component policies and procedures are maintained and implemented.

ROLE: All Users

RESPONSIBILITY:

  • Understand and adhere to this policy;
  • Safeguard user IDs and passwords;
  • Immediately report suspected violations of this policy to a manager or to Information Technology Services.

REFERENCES

This section provides a crosswalk for this policy to the applicable best practice security frameworks, both within Massachusetts and at the national level.  

Framework: CIS Critical Security Controls v6.1

  • CSC 5 - Controlled Use of Administrative Privileges
  • CSC 14 - Controlled Access Based on Need to Know
  • CSC 16 - Account Monitoring and Control

Regulations and Requirements: PCI DSS, MA 201 CMR 17.00

  • PCI Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters
  • PCI Requirement 8 - Identify and authenticate access to system components
  • PCI Requirement 12 - Maintain a policy that addresses information security for all personnel
  • MA 201 CMR 17.00 - Section 17.04

Supporting Standards and Procedures

  • COBIT 5 DSS05 - Manage Security Services
  • COBIT 4.1 - DS5.3 Identity Management
  • COBIT 4.1 - DS5.4 User Account Management
  • NIST Core Framework - PR.MA-2, PR.PT-3, PR.AC-3, PR.AC-4, PR.AT-2

REVISION HISTORY 

This section contains information on the approval and revision history for this policy.  

Version Number | Issued Date | Approval | Description of Changes
1.0 | 3/2016 | Massachusetts CIO Council | Development and adoption of collaborative and standardized IT policies
1.0 | 7/2016 | Massachusetts Community College Counsel’s Office | Recommendation on contents provided by college counsel
1.0 | 12/2016 | Standardized Control Framework | Mapping of controls from COBIT to CIS Critical Security Controls v6.1
1.0 | 9/2019 | President’s Leadership Team | Policy adoption

 
POLICY CONTACT 

Name: Jo-Ann Pelletier

Title: Vice President, Information Technology Services and Chief Data Officer

Phone: 774.357.2412