Identification, Authentication, and Password Management Procedure - 61.12.01
College Policy Number/Title:
Identification, authentication, and password management are essential to preventing compromise of the Howard Community College (HCC) network and administrative systems. This procedure establishes requirements for the identification and authentication of HCC students and employees, and occasionally contractors, who require access to college network and administrative systems. It also gives information on passwords, the protection of those passwords, and the prescribed frequency of change.
Each employee, student, and contractors, when necessary, are issued unique Colleague identification numbers. Once a Colleague identifier is assigned, it is always associated with that account. It is never subsequently assigned to identify another person or account. Social security numbers will not be used for access into any electronic system or application.
Network and User Application Accounts
Each student and employee is assigned a unique network account (Active Directory login) to access the desktop or college computer. Functional accounts, such as those used for specific departmental needs , may be issued for specific purposes; and should be protected by the departments and treated as confidential information.
Employee accounts expire upon termination of employment. A credit student’s accounts will expire when the student’s active programs are ended or after two years of inactivity. A non-credit student’s account will expire three months after their last class has ended. A contractor’s account will expire on the date designated by contractor’s sponsor.
Identity Management and Passwords
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of HCC’s entire network and/or administrative systems. In order to minimize this risk, all HCC employees with access to the college systems are responsible for taking appropriate steps to select and secure passwords. Direction on selecting a password is given when changing it through the password services application. Instructions are also available on the college’s website.
Password protection standards ensure that all passwords are treated as sensitive, confidential college information. Passwords must be unique. Different passwords must be used to access the college network (Active Directory login) and applications such as Colleague that require separate authentication. College passwords must not be included in digital communications unless encrypted. Information technology staff members do not request college staff or students to reveal personal passwords.
Password change intervals require that passwords for accounts with access to payment card industry (PCI)-related data must be changed every 90 days. User accounts that are not used to handle PCI-related data must be changed every 180 days. With limited exceptions, server administration passwords and service accounts must be changed every 90 days.
Effective Date: 05/14/21
President's Office Use: VPIT