Greater Saskatoon Catholic Schools
I.T. Password Procedures
Solid password procedures are perhaps the most important security control an organization can employ.† Since the responsibility for choosing good passwords falls on the users, a detailed and easy-to-understand policy is essential.
The purpose of this document is to specify guidelines for use of passwords.† Most importantly, this policy will help users understand why strong passwords are a necessity, and help them create passwords that are both secure and useable.† Lastly, this policy will educate users on the secure use of passwords.
This policy applies to any person who is provided an account on the organization's network or systems, including: employees, guests, contractors, partners, vendors, etc.
The best security against a password incident
is simple: following a sound password construction strategy.† Greater Saskatoon Catholic Schools mandates
that users adhere to the following guidelines on password construction:
∑ Passwords must be at least 8 characters
∑ At least one character must be an upper case letter
∑ Passwords must be comprised of a mix of upper and lower case characters
∑ At least one character must be digit from 0 to 9
∑ Passwords should not be comprised of an obvious keyboard sequence (i.e., qwerty)
∑ Passwords should not include "guessable" data such as personal information about yourself, your spouse, your pet, your children, birthdays, addresses, phone numbers, locations, etc.
Creating and remembering strong passwords
does not have to be difficult.†
Substituting numbers for letters is a common way to introduce extra
characters - a '3' can be used for an 'E,' a '4' can be used for an 'A,' or a
'0' for an 'O.'† Symbols can be
introduced as well: an 'S' can become a ',' or an 'i'
can be changed to a '!.'
Another way to create an easy-to-remember strong password is to think of a sentence, and then use the first letter of each word as a password.† The sentence: 'The quick brown fox jumps over the lazy dog!' easily becomes the password 'Tqbfjotld!'.† Of course, users may need to add additional characters and symbols required by the Password Policy, but this technique will help make strong passwords easier for users to remember.
Passwords should be considered confidential
data and treated with the same discretion as any of the organization's
proprietary information.† The following
guidelines apply to the confidentiality of organization passwords:
∑ Users must not disclose their passwords to anyone
∑ Users must not share their passwords with others (co-workers, supervisors, family, etc.)
∑ Users must not write down their passwords and leave them unsecured
∑ Users must not check the "save password" box when authenticating to applications
∑ Users must not use the same password for different systems and/or accounts
∑ Users must not send passwords via email
∑ Users can only re-use passwords after four password changes.
4.3 Change Frequency
In order to maintain good security, passwords should be periodically changed.† This limits the damage an attacker can do as well as helps to frustrate brute force attempts.† Greater Saskatoon Catholic School employees will be required to change their password twice a year.
4.4 Incident Reporting
Since compromise of a single password can have a catastrophic impact on network security, it is the userís responsibility to immediately report any suspicious activity involving his or her passwords to the IT Manager. Any request for passwords over the phone or email, whether the request came from organization personnel or not, should be expediently reported. When a password is suspected to have been compromised the IT Manager will request that the user, or users, change all his or her passwords.
This policy will be enforced by Superintendents of Education. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of GSCS property (physical or intellectual) are suspected, GSCS may report such activities to the applicable authorities.
Authentication-A security method used to verify the identity of a user and authorize access to a system or network.
Password-A sequence of characters that is used to authenticate a user to a file, computer, network, or other device.† Also known as a passphrase or passcode.
Revision 1.0, 8/9/2011
Revision 2.0, 8/13/2012