(1) The purpose of this Policy is to establish a
(2) Passwords and multi-factor authentication are a crucial aspect of cyber security and are the front line of protection for user and
(3) All
(4) This Policy applies to all
(5) All user level passwords must be changed at least annually.
(6) A user must change their password if instructed to do so by a member of the TDS secops team.
(7) Passwords used at UNE must be unique to UNE and not the same as passwords used for other applications such as Facebook, Gmail, Twitter etc.
(8) All administrative privileged ('super user') accounts must not be remotely accessible. System administrators must log in to a host using their standard non-privileged account and then log in to the
(9) In the event that a
(10) Multi-factor authentication should be used in combination with passwords on systems that support multi-factor authentication unless authorised
(11) Passwords must not be shared or disclosed under any circumstances (including inserting into
(12) Passwords must be protected at all times and you must not:
(13) All UNE passwords must be at least 10 characters in length.
(14) All passwords for
(15) Passwords must not be easy to guess and must be safe from
(16) All applications, including applications running on cloud services and mobile devices that request password authentication, must use secure encrypted communication channels for password transactions.
(17) All applications must use strong encryption and/or hashes for password storage unless explicitly authorised
(18) Applications requiring login must use UNE's centralised authentication and authorisation infrastructure unless authorised
(19) Applications must avoid implementation of 'ad hoc' authentication and authorisation processes. Where this cannot be avoided, the processes adopted must be approved by the Chief Information Officer.
(20) The Vice-Chancellor and Chief Executive Officer, pursuant to Section 29 of the University of New England Act 1993, makes this University Policy.
(21) The Policy Steward, the Chief Information Officer, is authorised to make procedures that are consistent with this Policy for the operation of this Policy. Matters of non-compliance may be a breach of the Code of Conduct and may be addressed under the disciplinary provisions of the relevant Enterprise Agreement.
(22)
(23) This Policy operates as and from the
(24) Notwithstanding the other provisions of this Policy, the Vice-Chancellor and Chief Executive Officer may approve an exception to this Policy where the Vice-Chancellor and Chief Executive Officer determines the application of this Policy would otherwise lead to an unfair, unreasonable or absurd outcome.
(25) This Policy is supported by the University Executive through the oversight of the Security Council.
(26) Application means a software program that runs in the cloud, on a server, your computer or mobile device. For example, Finance One, Callista, Web Kiosk, web browsers and e-mail are all applications. The word "application" is used because each program has a specific application for the user.
Password Policy
Section 1 - Overview
Section 2 - Scope
Section 3 - Policy
General
Disclosure and protection
Password strength
Section 4 - Authority and Compliance
Authority
Compliance
Section 5 - Quality Assurance
Password leakage/disclosure will be verified by external monitoring services
Automated reporting to Security Operations
Section 6 - Definitions (specific to this Policy)
Security Awareness is quality assured through embedded testing in the training courses
Automated reporting to People and Culture
The management of Information Security is both self-assessed and independently measured
Security Council with maturity and performance reported