Overview

Passwords are potentially the most important and least secure aspect of computer security.  A poorly chosen password may result in unauthorized access to your information and any other information you have rights over.  All users, including Faculty, Staff, Students, and any Vendors/Contractors with access to Detroit Country Day School’s network, are responsible for adhering to the guidelines outlined below.

  1. PURPOSE
    • The purpose of this policy is to establish a clear understanding of the password requirements and the expectations Detroit Country Day School has regarding password protection
  2. SCOPE
    • This policy applies to all Detroit Country Day School employees, students, parent volunteers, vendors, and contractors with who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides on Detroit Country Day School’s network, has access to the Detroit Country Day School network, or stores any non-public Detroit Country Day School information
  3. REFERENCES
    • This policy relies heavily on the recommendations of the National Institute of Standards and Technologies (NIST) Digital Identity Guideline in NIST Special Publication 800-63B updated as of June 2017 (Source)
  4. Policy Compliance
    • The IT Department reserves the right to verify compliance to this policy through various methods including but not limited to internal and external security audits
    • Any exception to this policy must be documented and approved by the Director of IT
    • Any employee found to have violated this policy may be subject to disciplinary action
  5. Password Protection and Privacy
    • Passwords must not be shared with anyone including IT staff
    • Passwords must not be communicated via email, chat, or other electronic communication
    • Passwords must not be written or printed and stored on a physical medium
    • Passwords must not be saved in a file on a computer system or mobile device without secure encryption
    • Any User suspecting that his/her password may have been compromised must report the incident to IT staff immediately where they will assist in changing it
  6.  Definitions and Terms
    • Elevated User Access Account – For the purposes of this policy an Elevated Access User (EAU) account is considered any account with privileges to modify operating system configurations, or an account with access to protected information such as personally identifiable information (PII) and/or cardholder data as defined by the PCI DSS

Password Creation

  • Student Password Requirements
    • Passwords must be a minimum of 15 characters long
    • Passwords must be changed once every 365 days
    • Passwords must be unique and cannot be reused
    • Users must not use the same password for their DCDS access as for non-DCDS access (for example, you may not use the same password for your personal email account as your DCDS account)
    • A password filter will be used to prevent weak passwords (such as Password1 or Summer2016 or a password that contains the username)
    • Users are encouraged, but not required, to setup Google Two-Factor Authentication
    • Students 5th grade and lower are assigned a password
  • Faculty and Staff Password Requirements
    • Passwords must be a minimum of 15 characters long
    • Passwords must be changed once every 365 days
    • Passwords must be unique and cannot be reused
    • Users must not use the same password for their DCDS access as for non-DCDS access (for example, you may not use the same password for your personal email account as your DCDS account)
    • A password filter will be used to prevent weak passwords (such as Password1 or Summer2016)
    • Users are encouraged, but not required at this time, to setup Google Two-Factor Authentication
  • Elevated Access User Account Requirements
    • Passwords must be a minimum of 15 characters long
    • Passwords must be changed once every 365 days
    • Passwords must be unique and cannot be reused
    • Users must not use the same password for their DCDS access as for non-DCDS access (for example, you may not use the same password for your personal email account as your DCDS account)
    • A password filter will be used to prevent weak passwords (such as Password1 or Summer2016)
    • Users are required to setup Google Two-Factor Authentication
  • Vendor and Contractor Account Requirements
    • Passwords must be a minimum of 15 characters long
    • Passwords must be changed once every 365 days
    • Passwords must be unique and cannot be reused
    • Users must not use the same password for their DCDS access as for non-DCDS access (for example, you may not use the same password for your personal email account as your DCDS account)
    • A password filter will be used to prevent weak passwords (such as Password1 or Summer2016)
    • Vendor accounts will be deactivated when no longer needed to perform their duties