Identification, authentication, and password management are essential to preventing compromise of the Howard Community College (HCC) network. This procedure establishes requirements for the identification and authentication of HCC students and employees, and occasionally contractors, who require access to college computer systems. It also gives information on passwords, the protection of those passwords, and the prescribed frequency of change.
Each employee and student, and contractors, when necessary, are issued unique seven-digit Colleague identification numbers. Once a Colleague identifier is assigned, it is always associated with that account. It is never subsequently assigned to identify another person or account. Social security numbers are not used for access into any electronic system or application.
Network and User Application Accounts
Each student and employee is assigned a unique network account (Windows login) to access the desktop or college computer. Functional accounts, such as those used to access departmental mailboxes, may be issued for specific purposes; however, these accounts should be protected by the departments and treated as confidential information.
Employee accounts expire upon termination of employment. Student accounts do not expire. The associated email account is deleted after one year of course inactivity. The account is deleted after two years of course inactivity.
Upon request, the technology help desk provides approved guest logins for access to the public wireless network. These accounts expire after 24 hours. Transient special-use accounts such as those used to give reaccreditation groups specific access are set to expire within 24 hours after they are expected to no longer be needed.
Identity Management and Passwords
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of HCC’s entire network. In order to minimize this risk, all HCC employees with access to the college systems are responsible for taking appropriate steps to select and secure passwords. Direction on selecting a password is given when changing it through the password services application. Instructions are also available on the college’s website.
Password protection standards ensure that all passwords are treated as sensitive, confidential college information. Passwords must be unique. Different passwords must be used to access the college network (Windows login) and applications (Colleague, HCC Express, and ImageNow) that require separate authentication. Production passwords must not be included in digital communications sent outside of HCC’s network unless such communications are encrypted. Information technology staff members do not request college staff or students to reveal personal passwords.
Password change intervals require that passwords for accounts with access to payment card industry (PCI)-related data must be changed every 90 days. User accounts that are not used to handle PCI-related data must be changed every 180 days. With limited exceptions, server administration passwords and service accounts must be changed every 90 days.
Policy Manual Review/Revision: 04/11/14