Policy No.:ETP-A -27-1 Effective:03/18/12
KSAU-HS King Saud bin Abdulaziz University for Health Sciences
UNIVERSITY King Saud bin Abdulaziz University for Health Sciences
EDUTECH CorporateOffice of Educational Technology Services
DIRECTOR Director of the Corporate Office of Educational Technology Services
IT Information Technology
THIRD PARTY Any individual, group contractor, vendor or agent not registered as a University student, Faculty or staff
The purpose of this policy is to prevent the unauthorized use of KSAU-HS computer workstations, servers, systems, network and security devices, applications and data by establishing strong password standards and for the protection of user and system passwords.
The policy applies to all University computers and devices that store corporate information. It applies to all users of the University network, using any device that has access to the network.
- POLICY - ETP-22-1 Help Desk Service Policy
- All University-owned workstations and servers must be protected using a user ID and password combination. The initial user ID and password for accessing workstation, application, network, servers and devices will be issued by Edutech.
- The user must change the password to a strong password before the first use as per the following guidelines:
- Passwords for typical user accounts should be at least 8 characters in length; administrative passwords should be at least 15 characters in length.
- A password cannot be a word or phrase that can be found in any dictionary or a word spelled backwards.
- It should contain at least one upper case letter, one non-alpha character and at least one special character (e.g., !@#$%^&).
- Must not be a common pattern found on a standard keyboard or any other common pattern of letters or numbers.
- It should not be based on personal information such as birthdays, addresses, names, etc.
- All users must protect the secrecy of theirs passwords. The following guidelines must be followed when handling passwords:
- Passwords must not be written down and left in a place where unauthorized persons might discover them.
- All user account passwords must be changed every six months and cannot be reused.
- Password can never be included in unencrypted emails or other form of electronic communications.
- Passwords must always be encrypted when held in storage for any significant period of time or when transmitted over communications system.
- Users must have different password for University access other than their personal access such as personal e-mail, bank account, social network, etc.
- Never reveal your password to anyone over the phone, including HelpDesk personnel.
- Do not share your passwords with assistants, co-workers, family members, or friends. All passwords must be treated as confidential.
- Do not use the "Remember Password" feature of any application.
- Do not store your passwords in any portable electronic device such as PDAs or cell phones.
- Password changes can only be made when requested in person and the user should hold a valid University ID or other approved photo ID in case they are a third party, such as contractors.
- To prevent password guessing attacks, the account will be suspended after five consecutive unsuccessful attempts and will be deactivated only by the authorized administrator. For administrative accounts the account will be disabled for 30 minutes after 3 consecutive unsuccessful attempts.
- Whenever an unauthorized party has compromised a system, Edutech or the relevant network Administrator, system administrator or application administrator or any IT staff involved must immediately change every password on the involved system. Even suspicion of a compromise likewise requires that all passwords be changed immediately. Under either of these circumstances, a trusted version of the operating system and all security-related software must also be reloaded. Similarly, under either of these circumstances, all recent changes to user and system privileges must be reviewed for unauthorized modifications.
- All vendor-supplied default passwords e.g. default passwords supplied with routers, switches or software such as operating systems and databases must be changed before these are deployed into a live environment.
- Any abuse of passwords must be reported to the Edutech Department who will decide on what follow-up action to take. Passwords must always be changed if it is known or suspected that another person has become aware of the password. Where a third party is found in possession of a users password that account will be disabled. In this situation the valid user should report to the Edutech Department.
Director Corporate, Educational Technology Service
King Saud bin Abdulaziz University for Health Sciences