INSPIRING BUSINESS INNOVATION
Password Policy
Version: 2.0 Policy Code: DICT-QAP015
سياسة كلمة المرور Password Policy
Page 2 of 11
Table of Contents
Property Information ... 3
Document Control ... 4
Information ...4
Revision History ...4
Distribution List ...4
Approval ...4
Executive Summary ... 5
Introduction ...5
Objectives ...5
Entities affected by this Policy ...6
Policy Statement ... 7
Guidelines & Procedures Statements ...7
Responsibilities of the User Statements ...8
Policy Violation ...8
Conclusion ...9
Appendix ... 10
References ... 11
Property Information
This document is the property information of Imam Abdulrahman bin Faisal University - ICT Deanship.
The content of this document is intended only for the valid recipients. This document is not to be distributed, disclosed, published or copied without ICT Deanship written permission.
Document Control
Information
Title: PASSWORD POLICY
Classification: Public
Version: 2.0
Status: Validated
Revision History
Version Author(s) Issue Date Changes
1.0 Dr. Zahid – ICT, IAU 01 Jan 2018 Draft
1.1 Muneeb Ahmad – ICT, IAU 17 Sep 2019 Update
1.2 Lamia Abdullah Aljafari 6 Sep 2020 Update
2.0 Dr. Samer Bani Awwad 13 Sep 2021 Update
Distribution List
# Recipients
1 Legal Affairs
2 Website
3 Quality Assurance Department – DICT
4 System Management Department – DICT
5 Network Management Department – DICT
6 Applications Development Department – DICT
Approval
Name Title Date Signature
Dr. Khalid Adnan Alissa Dean of DICT 8th March 2022
Executive Summary
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in a compromise of IAU's entire network. The purpose of having a password policy is to ensure a more consistent measure of security for IAU's network and the information it contains. The implementation of this policy will better safeguard the personal and confidential information of all individuals and organizations affiliated with, associated with, or employed by the University. Additionally, this policy establishes a standard for the creation of strong passwords, the protection of those passwords, and the frequency with which passwords are changed.
Introduction
The University of Imam Abdulrahman bin Faisal provides authenticated access to online information technology resources such as email, institutional data, University websites, the library and E-Learning portal, academic and personal data, cloud computing resources, and other sensitive services.
Passwords are the user's 'keys' to gain access to University information and information systems. A compromise of these authentication credentials directly impacts the confidentiality, integrity, and availability of IT systems, and of University and user information. This policy establishes minimum standards for the creation and protection of each person's University password(s). All users accessing IAU IT resources are bound by the requirements described in this policy to create and secure their password(s).
Objectives
The following are the objectives of the policy:
1. Defend against unauthorized access to IAU systems that could result in a compromise of personal or institutional data.
2. Ensure that ICT resources are used in an appropriate fashion, and support the university’s mission and institutional goals.
3. Encourage users to understand their own rights and responsibilities for protecting their passwords.
4. Protect the privacy and integrity of data stored on the University network.
Entities affected by this Policy
This policy applies to all persons who have, or are responsible for, an account on any system accessed on the University network or computer systems.
Policy Statement
Guidelines & Procedures Statements
General Guidelines:
1. Passwords must be changed every 90 days.
2. All passwords must meet the definition of a Strong password described below in the strong password construction guidelines section.
3. Each successive password must be unique. Re-use of the same password will not be allowed.
4. Any temporary password will expire at 23:59:59 of the date issued.
5. A user account will be temporarily locked for three (3) minutes after 3 consecutive failed logins:
a. Account Lockout Duration: 15 mins.
b. Account Lockout Threshold: 3.
c. Reset Account Lockout Counter: 30 mins.
6. The "reset password" process will be applied to users who log in for the first time.
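The lockout behaviour described in item 5 can be checked against a small simulation. The following is an added example, not code from the policy document or from the University's systems: a simulated clock (in minutes) drives a lockout tracker configured with the values listed under item 5 (threshold 3, lockout duration 15 minutes, counter reset 30 minutes; note that the lead sentence of item 5 says three minutes while sub-item a says 15, so the duration is left as a parameter). The user names, events and the `LockoutTracker` class are constructed for illustration.

```python
"""Simulation of the account-lockout parameters in the password policy.

Added illustrative code; the parameter values come from item 5 of the
policy, everything else (class names, users, event timeline) is constructed.
Time is a simulated clock expressed in minutes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int = 3              # "Account Lockout Threshold: 3"
    lockout_minutes: int = 15       # "Account Lockout Duration: 15 mins"
    reset_counter_minutes: int = 30  # "Reset Account Lockout Counter: 30 mins"


@dataclass
class AccountState:
    failed_count: int = 0
    last_failure_at: Optional[float] = None
    locked_until: Optional[float] = None


class LockoutTracker:
    """Tracks consecutive failed logins per account and enforces the lockout."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt at simulated minute `now`.

        Returns "ok", "failed" or "locked". A correct password presented
        while the account is locked is still rejected as "locked"."""
        st = self.accounts.setdefault(user, AccountState())

        # A lockout that has run its course is cleared and the counter reset.
        if st.locked_until is not None and now >= st.locked_until:
            st.locked_until = None
            st.failed_count = 0
            st.last_failure_at = None

        if st.locked_until is not None:
            return "locked"

        # The failure counter is reset once the reset window has passed
        # since the most recent failure.
        if (st.last_failure_at is not None
                and now - st.last_failure_at >= self.policy.reset_counter_minutes):
            st.failed_count = 0

        if password_ok:
            st.failed_count = 0
            st.last_failure_at = None
            return "ok"

        st.failed_count += 1
        st.last_failure_at = now
        if st.failed_count >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_minutes
            return "locked"
        return "failed"


def run_scenario() -> List[str]:
    """Constructed timeline: (minute, user, password correct?)."""
    tracker = LockoutTracker(LockoutPolicy())
    events: List[Tuple[float, str, bool]] = [
        (0, "alice", False),   # 1st failure
        (1, "alice", False),   # 2nd failure
        (2, "alice", False),   # 3rd failure -> locked until minute 17
        (3, "alice", True),    # correct password, but still inside the lockout
        (17, "alice", True),   # lockout expired -> accepted
        (20, "bob", False),    # 1st failure
        (51, "bob", False),    # 31 min later: counter was reset, so this is failure 1 again
        (52, "bob", False),    # failure 2, below the threshold -> not locked
    ]
    return [tracker.attempt(user, ok, minute) for minute, user, ok in events]


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The second half of the timeline is the point of the reset-counter parameter: failures more than 30 minutes apart do not accumulate, so an account is only locked by failures that cluster inside that window.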
Poor, weak passwords have the following characteristics:
1. The password contains less than eight characters.
2. The password is a word found in a dictionary (English or foreign).
3. The password is a common usage word such as:
a. Name of family, pets, friends, co-workers, fantasy characters, etc.
b. Computer terms and names, commands, sites, companies, hardware, software.
c. Birthdays and other personal information such as addresses and phone numbers.
d. Word or number patterns like aaabbb, 111222, zyxwvts, 4654321, etc.
e. Any of the above spelled backward like fesuoy, damha, etc.
f. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
Strong Password Construction Guidelines:
Strong passwords:
1. Are at least eight alphanumeric characters long.
2. Do not contain the user ID.
3. Contain no more than two identical characters in a row and are not made up of all numeric or all alphabetic characters.
4. Contain at least three of the five following character classes:
a. Lower case characters
b. Upper case characters
c. Numbers
d. "Special" characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'<>/ etc.)
e. Contain at least eight alphanumeric characters.
Responsibilities of the User Statements
Users are responsible for assisting in the protection of the network and computer systems they use.
The integrity and secrecy of an individual's password is a key element of that responsibility. Everyone has the responsibility for creating and securing an acceptable password per this policy. Failure to conform to these restrictions may lead to the suspension of rights to University systems or other action as provided by University Policy.
Policy Violation
Anyone who violates this policy will be subject to any or all of the following actions:
• Suspension of the university internet account/access.
• The referral of the case to the University Legal Department along with supporting evidence for an appropriate action.
• The case may be forwarded to the Communication & Information Technology Commission (CITC), Saudi Arabia, which may initiate a criminal investigation under the e-crimes regulations.
More information regarding these regulations may be found at the following link:
English Version:
http://www.citc.gov.sa/en/RulesandSystems/CITCSystem/Pages/CybercrimesAct.aspx
Arabic Version:
http://www.citc.gov.sa/ar/RulesandSystems/CITCSystem/Pages/CybercrimesAct.aspx
Conclusion
By enforcing the acceptable use policy, we aim to achieve the following outcomes:
1. A better informed university community regarding acceptable and unacceptable use of university ICT resources.
2. A responsible IAU community regarding the value and use of ICT resources.
Appendix
The following terms are used in this document:
Access - Connection of University, personal or third party owned devices to ICT Infrastructure facilities via a direct or indirect connection method.
Authorized User - An individual who has been granted access to University ICT services.
Expiration - The date at which a password for access to University systems must be changed to one meeting the strong password standards.
Information Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of the university including but not limited to data, records, electronic services, network services, software, computers, and Information systems.
References
1. Acceptable Use Policy
--- End of Document ---