PURPOSE:
The purpose of this policy is to establish standards for the creation of all passwords and their critical role in protecting ICOM data.
SCOPE:
The scope of this policy includes users who meet any of the following criteria:
• Users responsible for an account (or any form of access that supports or requires a password) on any system that resides at or is owned by ICOM
• Users with access to ICOM's network
• Users who store any non-public ICOM information.
POLICY:
Passwords are a vital aspect of computer and application security. They are the front line of
protection for user accounts. A poorly chosen password can compromise ICOM's data systems
and services. As such, all users (including contractors and vendors with access to ICOM's
systems) are responsible for taking the appropriate steps, outlined below, to select and secure
their passwords.
When available, Multi-Factor Authentication (MFA) should be used to protect confidential
and/or restricted information.
RESPONSIBLE OFFICIALS:
Director of IT/Information Security Authority, Faculty, Staff, Students, and all others who access ICOM systems and network.
PROCEDURES:
GENERAL
- Change your passwords periodically.
- The frequency of password change is generally based on the privilege or access level of the account. Accounts with greater privilege or access should have their passwords changed more frequently.
- If your password has been compromised or you suspect it's been compromised, change your password immediately. Change your password by a) visiting console.jumpcloud.com or b) changing it in the application you are using, and then contact the helpdesk at help@idahocom.org.
- Passwords must not be inserted into email messages or other forms of electronic communication.
PASSWORD PROTECTION STANDARDS:
Password protection is a vital part of any security plan, so please observe the following
standards:
- Do not use the same password for ICOM accounts as for other non-ICOM accounts, such as a personal ISP account, benefits, banking, and other accounts.
- Do not share ICOM passwords with anyone, including administrative assistants or secretaries.
- All passwords are to be treated as sensitive ICOM information.
- When IT works on your computer, please arrange to be available to type in your password as needed. If that is not possible, change your password immediately before and after the work is done.
Good practices to follow:
- Don't reveal a password over the phone to ANYONE
- Don't reveal a password in an email message to ANYONE
- Don't reveal a password to a supervisor
- Don't write passwords down and save them
- Don't talk about a password in front of others
- Don't hint at the format of a password (e.g., "my family name")
- Don't reveal a password on questionnaires or security forms to ANYONE
- Don't share a password with family members
- Don't reveal a password to co-workers (e.g., when going on vacation or leave of any kind)
- Don't store passwords in a file on ANY computer system (including a smartphone or similar devices) without encryption.
If someone demands a password, refer that person to this document or have that person call a staff member of the information technology department.
POLICY OWNER:
Chief Information Officer/Information Security Authority
APPROVAL:
Effective: 8/23/21
Last Reviewed: 3/27/24
Review Requirement: Annual