Password Management

Category: Operations
Number: OPS-050-035
Audience: All University employees and students
Issued: May 10, 2007
Revised: February 26, 2018
Owner(s): AVP (Information Services)
Approved by: VP (Administration)
Contact: Associate Vice-President (Information Services) - 306-585-5646

Introduction

Authentication mechanisms such as passwords are the primary means of protecting access to computer systems and data. It is essential that these authentication mechanisms be strongly constructed, as per the Password Management Standard, and properly managed, as per the Authentication Management Standard, in a manner that prevents their compromise.

A poorly constructed, managed or aged password may result in unauthorized access and/or exploitation of University information or resources. The following policy statement and associated standards, roles and responsibilities are required to ensure reasonable access and account security.

Scope

This policy applies to all passwords and other authentication mechanisms used at the University.  In scope is any mechanism providing authentication for accessing or utilizing University of Regina’s accounts, systems, applications, or data.  This use may include, but is not limited to, the following: Evergreen computers, University-issued email accounts, file and print services, student information systems, and other University electronic services, systems and applications. This policy covers unit, faculty, and departmental resources as well as resources managed centrally.

The scope of this policy includes:

  • All holders of University of Regina computer accounts.
  • All information systems or applications that create, modify, or transmit information that is non-public, confidential, sensitive, restricted, or of institutional value to the University of Regina.
  • All University-owned workstations/systems that require authentication to access them.

Policy

All University of Regina data, information, applications and systems that are not intended for public access require authentication.

Authentication mechanisms must be constructed and maintained to assert security commensurate with the level of system access or type of data access granted to the account.  The Password Management Standard shall be utilized to assign the required strength attributes of passwords for an account.

Systems must be utilized and configured to protect passwords during issuance, storage and transmission.  The Authentication Management Standard shall be utilized to determine appropriate measures and precautions.

Sharing of individually assigned authentication mechanisms is not permitted.  For example, no one may require another to share the password to an individually assigned university account.

Roles and Responsibilities

All members of the University of Regina Constituency are responsible for:

  • protecting the password or authentication method associated with an individually assigned university account,
  • reporting any suspected incidents of assigned authentication compromise. Anyone who reasonably believes his or her password to be known by anyone else must change it immediately,
  • any activity occurring due to non-compliance with the standards associated with this policy.

Application Owners are responsible for:

  • verifying that information systems under their control, and those intended for acquisition or development by their unit, comply with this policy and associated standards.

AVP Information Services (or Designate) is responsible for:

  • providing Authentication Management Standards and centralized authentication mechanisms to facilitate compliance with this policy and associated standards.

Consequences for Noncompliance

Non-compliance with this policy and associated standards may result in removal of access, suspension of account, or removal of a device, system, or application from the University network.

Related Information