ñ

Policy 7002 — Password Policy and Procedures

Policy section:
Section 7000-7099 Computing Services
Policy number:
7002
Subject:
Password Policy and Procedures
Group:
Institutional
Approved By:
President
Approved date:
April 14, 2000
Effective date:
April 14, 2000
Revised:
February 1, 2017
Administered by:
Director of Computing Services

1. Purpose

The purpose of this policy is to protect data on University computer and information-storage systems by ensuring the creation and protection of strong passwords.

2. Scope

This policy applies to all individuals using any University computer system or other data storage device used to store or process university information.

3. Authority for Password Requirements

Password requirements will be set to ensure a balance between complexity and usability.  The Director of Computing Services is responsible for recommending and the Vice-President, Finance and Administration is responsible for approving password requirements.

4. Password Requirements

Passwords must have a minimum length of 14 characters.

5. Password Requirement Guidelines

Individuals are responsible for creating their own passwords that are compliant with the requirements set out in section 4.
The following is a guide for creating passwords:

  • a. Include characters other than lowercase letters in a password, such as uppercase letters, digits, and punctuation to improve the security of a password, if not used in a predictable pattern.
  • b. Do not use a word modified slightly with a single number added at the end or with well-known substitutions such as a zero used in place   of the letter 'O'. These are easily predictable patterns.
  • c. Do not use the same password for University systems as is used for personal accounts or other organizations.
  • d. Do not use words that appear in a dictionary.
  • e. Do not include your name, the names of family members or pets, or other easily obtainable personal information in a password.
  • f. Do not use a word spelled backwards.
  • g. Do not use a combination of characters that someone watching could easily recognize as the password is entered.
  • h. When changing passwords, the new password should be different from the old one.

6. Password Protection

  • Passwords must not be recorded on paper or online.
  • Passwords must not be recorded in a visible location in a workspace (e.g. a sticky note attached to a monitor or keyboard).
  • Passwords must not be shared with anyone.
  • Passwords must not be sent by e-mail.

7. Other Considerations

Administrator passwords should deserve additional attention. Administrator account access should only be granted to those requiring such access to perform their work.
Administrator accounts should not be shared.

8. Review

This policy and procedure shall be reviewed at least every three years and either amended or confirmed.

Electronic Data Retention and Destruction Procedure

1. Background & Purpose

1.1 The University has electronic information, including records which are defined as personal information under the Right to Information and Protection of Privacy Act (“RTIPPA”) and has obligations regarding the safe keeping of this information.

1.2 Records can be categorized as low, medium, or high risk where risk is measured based on the impact to the University or a 3rd party if the record was to be inappropriately accessed.

1.3 This document sets guidelines for Users on the retention, destruction and/or sanitization of ñ Electronic Information (data destruction).

1.4 The Vice President Finance and Administration has issued this document under the authority of the Use and Security of Electronic Information and Systems Policy.  Questions about this standard may be referred to helpdesk@mta.ca.

2. Responsibilities of Users

2.1 Users should only retain information as long as required for its intended use.

2.2 Prior to deleting electronic information users must take into consideration the requirements of the Archives Policy 6300.  Consult with the University Archivist if in doubt.

2.3 Users are responsible for ensuring that ñ Electronic Information is always removed from a Device (Desktop, laptop, tablet, smart phone) before the device is transferred to another individual, sold, or discarded. The information needs to be removed even if it does not appear to be Medium, or High Risk. Users should contact the Helpdesk (helpdesk@mta.ca) if they require data destruction assistance.

3. Responsibilities of Service Providers

3.1 Where a third party Service Provider has received copies of ñ Electronic Information for the purpose of ñ work, the Service Provider must destroy all of the information in its possession within seven days of the completion of the project or termination of the agreement, whichever first occurs, using destruction methods compliant with this policy and give the ñ contract owner a signed confirmation of destruction.

3.2 Where data destruction is not feasible, The ñ contract owner may consult with Computing Services to determine appropriate alternate controls.

4. Approved Destruction Methods

4.1 Any of the following are approved methods of data destruction:

  1. 4.1.1 using a software utility, such as "Secure Erase", that erases, overwrites or encrypts the data;
  2.  
  3. 4.1.2 magnetically erasing (degaussing) the data;
  4.  
  5. 4.1.3 formatting a Device after encrypting it; or
  6.  
  7. 4.1.4 using a machine that physically deforms or destroys the Device to prevent the data from being recovered.

4.2 Using the “Empty Recycle Bin/Trash”, “Delete”, “Remove”, and “Format” operating system commands do not destroy data and therefore are not acceptable methods for preparing media for transfer or disposal.

4.3 Data destruction methods must comply with the minimum standards set out in the IT Media Sanitization (ITSP.40.006 v2) publication issued by the Government of Canada.

4.4 Wherever encryption is used before formatting a device, it must be AES-128/256 bit encryption with strong passwords or passphrase.  See Password Policy and Procedures - 7002

4.5 Questions about whether a mode of destruction is an approved method can be directed to helpdesk@mta.ca

5. Special Cases

5.1 To reuse flash memory devices (e.g. SD memory cards, USB drives) containing ñ Electronic Information, the User can encrypt the whole device. After encryption, the User can format the device and reuse it safely.

5.2 Smartphones must have all data removed (factory reset) prior to being transferred to another person or being turned in for recycling; note that some smartphones have removable memory cards that need to be treated the same as flash memory devices and securely sanitized separate from a phone factory reset. Users can contact the CSD Helpdesk if they are uncertain of how to perform a factory reset.

5.3 Other imaging devices with a hard drive (e.g. photocopiers, printers, fax machines, etc.) are also subject to the data destruction requirements; additionally, where possible, these devices should have image overwriting enabled. This is a function where scanned or electronic images of a document are immediately overwritten using a data destruction technique. This function is known by various names, e.g. “Immediate Image Overwrite” (Xerox), “Hard Disk Drive Erase Feature” (Canon), “Hard Disk Overwrite Feature” (HP)
 


Related Documents
Use and Security of ñ Electronic Information and Systems Policy - 7031