Password Management Procedure
Ref. No. | 64.03
Executive sponsor | Vice President, College Services and Strategy
Policy steward | Chief Information Officer
Approval authority |
First approved |
Last reviewed |
Effective date |
Next review |
- Purpose
- The purpose of this procedure is to establish requirements and guidelines for creating and managing passwords.
- Scope
- This procedure is associated with the NSCC Information Security Policy 64.01. All definitions, general roles and responsibilities, and compliance measures contained within Policy 64.01 apply to these procedures.
- This procedure applies to all NSCC Community members, and any vendors, contractors, and third parties conducting business with NSCC.
- Definitions
3.1 NSCC Community
A member of the NSCC Community under this procedure includes, but is not limited to, the following:
- Employee: any person who is employed by NSCC or provides services to NSCC under an employment contract.
- Student: any person enrolled in study at NSCC.
- Volunteer: any person performing work for NSCC in an unpaid capacity.
- Contractor: any individual or company (and its employees) who provides services to NSCC under a service contract (i.e. a non-employee-employer relationship).
- Community Member: any person working in collaboration with NSCC for a business or academic purpose, or an external community member.
3.2 Authentication
The process of determining whether someone is who, or what, they declare themselves to be. Passwords are commonly used for authentication on computer networks.
3.3 Alphanumeric character
A character that is a letter or a number.
3.4 Manager, Digital Innovation & Technology
The individual within an organization responsible for security policies, procedures, and controls in support of the security and compliance goals of the business.
3.5 Passphrase
A sequence of characters used to confirm the identity of an individual requesting access to a computer system, website, etc. In contrast to a password, a passphrase typically has fewer complexity requirements but greater length, resulting in a net increase in both security and usability.
3.6 Password
A sequence of characters (numbers, letters, special characters) used to confirm the identity of an individual requesting access to a computer system, website, etc.
3.7 Special character
A non-alphanumeric keyboard character. Examples include punctuation marks and typographic symbols such as the number sign (#), asterisk (*), and percent sign (%), as well as the space ( ).
- Policy
- This procedure has been written to establish a standard for the creation of strong passwords, to explain basic password protection, and to cover when passwords expire. It defines the password controls for any entity that currently is, or in the future may be, granted access to NSCC information systems, services or individual devices that require a password for authentication.
- Enforcement Responsibility
The procedure will be monitored by the Director, Digital Innovation & Technology and any suggested changes should be submitted through that office. The Director, Digital Innovation & Technology, Manager, Digital Innovation & Technology, Security Analyst and all department managers will be responsible for maintaining and enforcing this procedure.
- Password Requirements
- The password must be a minimum of 12 characters.
- The password cannot contain any part of your name or full name.
- The password must meet complexity requirements: it must contain upper and lower case letters, numerals, and non-alphanumeric characters.
- You must not reuse any of your 6 most recent passwords.
- Do not use the same password you currently use, or have previously used, for any other purpose (personal email, e-commerce websites, internet forums, etc.).
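The requirements above can be checked mechanically at password-change time. The following is an added illustration, not part of the NSCC procedure or any NSCC system; the user name "Jane Doe", the sample passwords and the reading of "any part of your name" as each word of the full name are constructed assumptions.

```python
import hashlib

MIN_LENGTH = 12          # "minimum of 12 characters"
HISTORY_DEPTH = 6        # "must not reuse any of your 6 most recent passwords"


def password_hash(pw: str) -> str:
    """Hash used to keep password history without storing plaintext.
    Demo only: production history should use a salted, slow hash."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw: str, full_name: str, history: list[str]) -> list[str]:
    """Return the list of violated requirements; an empty list means acceptable.

    full_name: the user's full name, e.g. "Jane Doe" (constructed value).
    history:   hashes of the user's previous passwords, most recent first.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # "cannot contain any part of your name": assumed here to mean each word
    # of the full name, plus the whole name joined, compared case-insensitively.
    lowered = pw.lower()
    parts = set(full_name.lower().split()) | {full_name.lower().replace(" ", "")}
    for part in sorted(parts):
        if part and part in lowered:
            problems.append(f"contains name part '{part}'")

    # Complexity: upper and lower case letters, numerals and non-alphanumeric
    # characters (definition 3.7 counts the space as a special character).
    classes = {
        "uppercase letter": any(c.isupper() for c in pw),
        "lowercase letter": any(c.islower() for c in pw),
        "numeral": any(c.isdigit() for c in pw),
        "special character": any(not c.isalnum() for c in pw),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name}")

    # Reuse check is limited to the 6 most recent history entries.
    if password_hash(pw) in history[:HISTORY_DEPTH]:
        problems.append(f"matches one of the {HISTORY_DEPTH} most recent passwords")
    return problems
```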
- Password Guidelines
The following guidelines should be followed when creating a password. The password should be:
- Long enough to be hard to guess;
- Hard to guess intuitively – even by someone who knows the person creating the password well; and
- The password should not contain any of the following:
- The name or nickname of the individual creating the password, or any individual or pet the individual creating the password knows;
- Any date or number important to the individual creating the password; or
- A famous verbatim quotation from literature or popular culture.
- Password Protection
- Never share your password with another person.
- If a document, service or device containing or having access to your password has been lost, stolen, or compromised, you must immediately change your password and notify the Digital Innovation & Technology (DI & Tech) department.
- The DI & Tech department technical staff must positively identify the employee in order to complete the password reset request. There are no generic or shared Active Directory accounts/passwords.
- Exceptions must be approved by DI & Tech Management.
- DI & Tech staff are to use and follow the Local Administrator Password Solution (LAPS) practice.
- Password Reset
- An account lockout will occur after 5 failed login attempts. Accounts will remain locked out for a period of 15 minutes, or until the user remedies it through the Password Management Tool or contacts technical support.
- The DI & Tech department technical staff will not provide password changes over the phone if the password is forgotten.
- Any employee requests to change/reset passwords via DI & Tech staff require DI & Tech Manager approval.
- Administrative Passwords
- Administrative passwords are to be limited in use, provisioned based on job role/duties, and used only for functions that strictly require administrative privileges.
- Personnel with administrative accounts will also have limited-privilege accounts for day-to-day use.
- Administrative accounts are not to be used outside of administrative tasks; no elevated account is to be used for day-to-day tasks.
- All DI & Tech staff will use multi-factor authentication where the option is technically available.
- The “Run As” functionality will be used to run specific administrative tasks while logged into systems under a limited-privilege account.
- LAPS is to be used as the default local admin password solution.
- All exception requests, temporary or permanent, must be approved in writing by the Director, Digital Innovation & Technology.
- All revisions to this procedure will be made in accordance with the NSCC Policy Development, Renewal and Approval Policy (78.01) and Procedures (78.02).
Related Policies & Procedures
64.01 Information Security Policy
64.02 Information Security Classification Procedure
64.03 Password Management Procedure
64.04 Access Control Procedure
64.05 Physical and Environmental Security Procedure
64.06 Physical Access to IT Infrastructure Procedure
64.07 Secure Disposal or Reuse of Equipment Procedure