Passwords are potentially the most important and least secure aspect of computer security. A poorly chosen password may result in unauthorized access to your information and any other information you have rights over. All users, including Faculty, Staff, Students, and any Vendors/Contractors with access to Detroit Country Day School’s network, are responsible for adhering to the guidelines outlined below.
- PURPOSE
- The purpose of this policy is to establish a clear understanding of the password requirements and the expectations Detroit Country Day School has regarding password protection
- SCOPE
- This policy applies to all Detroit Country Day School employees, students, parent volunteers, vendors, and contractors who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides on Detroit Country Day School’s network, has access to the Detroit Country Day School network, or stores any non-public Detroit Country Day School information
- REFERENCES
- This policy relies heavily on the recommendations of the National Institute of Standards and Technology (NIST) Digital Identity Guidelines in NIST Special Publication 800-63B, updated as of June 2017
- Policy Compliance
- The IT Department reserves the right to verify compliance with this policy through various methods, including but not limited to internal and external security audits
- Any exception to this policy must be documented and approved by the Director of IT
- Any employee found to have violated this policy may be subject to disciplinary action
- Password Protection and Privacy
- Passwords must not be shared with anyone including IT staff
- Passwords must not be communicated via email, chat, or other electronic communication
- Passwords must not be written or printed and stored on a physical medium
- Passwords must not be saved in a file on a computer system or mobile device without secure encryption
- Any user suspecting that his/her password may have been compromised must report the incident to IT staff immediately; IT staff will assist in changing it
- Definitions and Terms
- Elevated User Access Account – For the purposes of this policy, an Elevated Access User (EAU) account is any account with privileges to modify operating system configurations, or any account with access to protected information such as personally identifiable information (PII) and/or cardholder data as defined by the PCI DSS