New passwords will be provided, and existing passwords will be
released, only when the identity of the requester can be clearly
established.
Background
The University of Kansas Medical Center provides access to
network, electronic mail and voice mail resources to its students,
faculty, and staff, in support of the University's mission of
teaching, research, and public service. Passwords are assigned for
access to each of these resources to authenticate a user's
identity, to protect network users, and to provide security.
Password protection is one of the most important principles of
network, e-mail and voice mail security. The purpose of this policy
is to outline the procedures used by authorized staff to change or
reveal an existing password to users who have compromised or
forgotten their authorized password to the University's network,
e-mail or voice mail resources. The resources covered by this
policy include, but are not limited to, the University's network
(via campus or remote access), e-mail and voice mail systems.
Although the University strives to manage a secure computing and
networking environment, the University cannot guarantee the
confidentiality or security of network, e-mail or voice mail
passwords from unauthorized disclosure.
Definitions
PASSWORD
Authorized individual password assigned by the University of
Kansas School of Medicine-Wichita's Information Technology Services
department for access to its network, e-mail and voice mail
resources.
UNIVERSITY
The term 'the University' means the University of Kansas Medical
Center.
USER
Anyone who holds a valid account on the University's network,
e-mail and/or voice mail systems.
Exemptions
Everyone who holds, or wishes to acquire, a valid account on the
University's network, e-mail and/or voice mail systems is covered
by this policy. This policy covers users on the Wichita campus as
well as users who access these systems from an off-campus location.
There are no exemptions.
Procedures
I. Password request procedures.
Procedures for processing password requests strive to balance
security requirements and user convenience. These procedures will
be followed by the staff of IT Services for all password requests
(including new, changed, or forgotten passwords) for access to the
University's network, e-mail or voice mail resources.
1. Under no circumstances will existing passwords be revealed by
telephone.
2. Under no circumstances will new passwords be provided by
telephone.
3. Information Technology Services staff will be pleased to handle
requests made in one of the following ways:
- Requests may be made in person at Information Technology Services [B001]
during normal business hours. Photo identification is
required.
- Requests may be faxed to Information Technology Services at
316-293-1888 at any time, but they will be handled during normal
business hours. The fax must include photo identification and
signature.
- New account requests may be submitted via web form. New account
requests must be verified by the employee's supervisor.
4. Confirmation will be given to the user by phone, e-mail, or
alphanumeric page when a password change is completed.
5. A network manager must approve any password change requested by
a user's supervisor. Confirmation will be sent to the user when a
password change is completed at the request of a supervisor.
II. Password Protection Responsibilities
System administrators and users assume the following
responsibilities:
- System administrator must protect confidentiality of user's
password.
- User must manage passwords according to the Password Guidelines.
- User is responsible for all actions and functions performed by
his/her account.
- Suspected password compromise must be reported to IT Services immediately.
Password Guidelines
Passwords are required to meet the following criteria:
- Password must be 8 to 25 characters in length
- At least one UPPERCASE letter character (A, B, C, etc.)
- At least one lowercase letter character (a, b, c, etc.)
- At least one numeric digit (1, 2, 3 etc.)
- At least one special character (_-+=)(*&\}]{[. ,><?/ etc.)
Select a Wise Password
- Do not use any part of the account identifier (username, login ID,
etc.).
- Do not use a proper name or any word in the dictionary without
altering it in some way.
A password is harder to crack if you utilize several of these
selection techniques:
- Use a mix of alpha and numeric characters.
- Use 8 or more characters.
- Use mixed case.
- Use two or three short words that are unrelated.
- Deliberately misspell words.
- Take the first letter from each word of a phrase.
Keep Your Password Safe
- Do not tell your password to anyone.
- Do not let anyone observe you entering your password.
- Do not display your password in your work area or any other highly
visible place.
- Change your password periodically (every 60 days is
recommended).
- Do not reuse old passwords.
Additional Security Practices
- Ensure your workstation is reasonably secure in your absence
from your office. Consider using a password-protected screen saver
or logging off when you leave the room.
Contact Information
For information on this policy, please contact IT Services.