Site-specific menu

• Information Technology
• About
• For Students
• For Faculty and Staff
• News
• Rules and Policies
  • Academic Applications
  • Copyright and Ethics
  • Data Security
  • Email
  • Identity Protection
  • Miscellaneous
  • Network and Internet
  • Web
• Directory
• Contact Us

Spotlights

Password Management Policy

Purpose

Western Michigan University (WMU) significantly relies on the use of Universityprovided credentials (Bronco Net ID and password) to provide access authentication to online information technology (IT) resources such as email, institutional data, University websites, academic and personal data, cloud computing processes, and other sensitive services. In particular, passwords are the user’s 'keys' to gain access to University information and information systems. A compromise of these authentication credentials directly impacts the confidentiality, integrity, and availability of IT systems, and University as well as user information. The purpose of this policy is to establish minimum standards for the creation and protection of each person’s University password(s). All users accessing WMU IT resources are bound by the requirements as described in this policy, to create and secure their password(s).

Scope

This policy applies to all WMU IT systems and resources that require password authentication. All system administrators and users of University IT resources are responsible for implementing and maintaining the requirements outlined in this document. Policies and/or standards adopted by a college or administrative unit must be consistent with this policy, but may provide supplemental controls, guidelines, and further restrictions.

This policy also applies to certain non-WMU IT systems accounts, such as cloud computing applications, that provide access to sensitive University information and information systems where the exposure may have significant impact on University operations. Do not use the same password for WMU accounts as for other non-WMU access, such as, online banking, personal ISP accounts, Facebook, MySpace, Twitter, or other social network
accounts. This policy does not apply to password-protected files, encryption key passphrases, or local accounts that do not interface with WMU user account authentication systems (Kerberos, LDAP, and Active Directory)

Policy Statement(s)

Individuals must have a unique identifier and password for each University account.

• All WMU owned electronic devices that access confidential/restricted University data must have password protection enabled.
  
• Passwords must be stored in irreversible encryption format whenever possible.
• Passwords must contain at least eight (8) characters, in combination as follows:
  • At least one upper case alphabetic character.
    
  • At least one lower case alphabetic character.
    
  • At least one numeric character (1, 2, 3, etc.).
    
  • At least one punctuation or symbol character (@, $, #, etc.).
    
  • Do not use ‘ “ or blank spaces as they may not work with all University systems.
    
• Passwords must be changed at least once every 365 days.
  
• Administrator user accounts that have system-level privileges granted through group memberships must have unique passwords for each account(s) held by that user.
  
• The Help Desk and system administrators must verify the identity of users when assigning or resetting passwords.
  
• All vendor supplied default passwords must be changed prior to any application or program's implementation to a production environment.
  

See also Password Guidelines.

Enforcement

The Office of Information Technology (OIT) has the responsibility to enforce this policy through systematic means and/or departmental network administrators, OIT system administrators, and system users. All WMU employees are responsible for complying with this policy. Failure to comply may result in disciplinary sanctions consistent with
current collective bargaining agreements, University policies, and applicable law.

Note

This policy may be amended at any time by the Chief Information Officer of Western Michigan University consistent with current collective bargaining agreements, University policies, and applicable law. Changes will be reviewed by
appropriate University entities prior to posting on OIT’s public website.

References

• Rules for Use of Computing Resources
  Rules for all users of WMU's computing resources
• WMU Data Classification
  The foundation for WMU's data classification policies
• WMU Remote Access Policy
  Security requirements for accessing WMU data remotely
• WMU Information Security Incident Response
  Organizational structure and roles and responsibilities
• WMU Network Policy
  Ensuring the integrity of WMU's video, voice and data networks

Document Action	Group	Date
Direction/purpose	Dr. James Gilchrist, per external audit report	10/2010
Reviewed	Campus Information Security Committee	11/2010
Reviewed and edited	Campus Information Security Committee	12/2010
Reviewed	LAN Managers Group	12/2010
Reviewed and edited	Campus Information Security Committee	01/2011
Approved	Campus Information Security Committee	03/2011