Purpose
This document explains the password requirements for all staff of the Engineering Department.
If you are looking for information about what makes a good password, and password complexity requirements, please see information about changing your password.
Information
It is intended that information is protected in whatever form, including, but not limited to, paper documents, electronic data and the spoken word. Information should be protected while at rest and when it is handled, processed, transmitted or conveyed.
IT Assets
IT assets include all devices and hardware/software components of the IT infrastructure, applications and data stores.
Users
This policy relates to all members of Engineering Department staff and students working on or with University IT assets and facilities of the Engineering Department and the University of Cambridge.
Motivation
The Engineering Department’s data (whether belonging to The University of Cambridge or held in trust on behalf of its collaborators, researchers, technicians, clients or business partners) are important assets: improper disclosure, modification or destruction of these assets may result in harm to the University.
The Engineering Department’s information must be protected to reduce risk of compromise of the information or IT facilities and to comply with the minimum cyber security standard of Cyber Essentials.
Policies
Policy 1
All user accounts used to carry out any work for the Engineering Department shall be password protected using strong passwords. Please see NCSC guidance on passwords.
Policy 2
No individual user account password shall be shared, borrowed or re-used in other systems (except via SSO) and should not be written down except in a password manager (Please see NCSC guidance on password managers.) or unless kept safe (Please see NCSC guidance on passwords). It is recommended that all users memorise their Raven password and not write it down anywhere.
Policy 3
Passwords for highly privileged accounts, social media accounts and infrastructure components shall be changed from default values and shall also be strong. Users with highly privileged accounts shall not use these for high-risk functions. (Please see NCSC guidance section: Prioritise securing important or vulnerable accounts.)
Policy 4
All user account passwords and highly privileged account passwords must be changed when and if there is any suspicion of compromise.
Policy 5
All default passwords much be changed at first login, following NCSC guidance on passwords and where possible stored in a password manager. (This includes all unique pre-configured passwords on routers and firewalls and all user and administrator accounts on devices)
Policy 6
Multi-factor authentication shall be used where technically possible.
Policy 7
If we suspect an account has been compromised we will disable the account. We will require the user to authenticate with a member of the IT Support Team in order to re-enable the account. University or Government Photographic ID must be provided (e.g. a passport or driving licence).
Enforcement
- For students, failure to comply may evoke the student disciplinary procedure
- For staff, failure to comply may evoke the staff disciplinary procedure
- For contractors and visitors, failure to comply may evoke the staff disciplinary procedure for those responsible for the visitor/contractor
Exceptions
This policy currently only applies to members of staff working on or with University IT assets and facilities of the Engineering Department and the University of Cambridge.
Stakeholders
Those who need to be involved in the revisions of this document are:
- The Head of ICS (Paul Taylor)
- The Information and Cyber Security Team (formerly the Computer Emergency Response Team)
Definitions
For the purpose of this document, a glossary of terms is available here.
Review Plan
This policy is expected to be reviewed on an annual basis or after an event such that it requires change before the anniversary. This could be the change to another related document or a related requirement.
Current version revised: 2nd May 2023