1.0 Objective:

At Lehigh University information is a valuable asset and must be protected from unauthorized disclosure, modification, or destruction. Prudent information security policies, standards, guidelines, and procedures must be implemented to ensure not only the safety and security of those within our community, but also ensure that the confidentiality, integrity, and availability of information and associated services are not compromised, and the academic and business missions of the University can safely and successfully be maintained. To that end, the management of user account access plays a vital role in protecting an individual’s online identity as well as much of their and others’ personally identifiable information, as well as critical Lehigh infrastructure, operations, and data assets.

2.0 Purpose:

The purpose of this policy is to provide guidance about how Lehigh University secures user accounts from compromise on systems operated by Library and Technology Services, including, but not limited to, electronic mail systems, academic and administrative file servers, and administrative databases.

3.0 Audience & Scope:

This policy applies to all users including employees, students, contractors, and all other third parties who access information systems owned or utilized by Lehigh University and are provisioned Lehigh computing accounts.

4.0 Policy:

Lehigh University has expanded the use of both intra and internet-based electronic resources to the extent that having the highest level of electronic security is critical to protect on-line data related to University student information, instruction, research, and administrative systems. While this policy is directly applicable to computer systems operated by Library and Technology Services, conformity with this policy is strongly recommended for all departments operating their own internal computing resources. In addition to this policy, user accounts must comply with the requirements of our Acceptable Use of Computer Systems and Facilities Policy.

While experts no longer agree that passwords should be required to change periodically, Library and Technology Services is committed to protecting our community through scheduled password changes. The rate of data breaches and disclosures in conjunction with increases in phishing and credential attacks reinforces the need for routine password management. In keeping with the realities of an academic environment, all students, faculty, and staff are required to change their primary network passwords (i.e., LAN, e-mail, etc.) every 6 months - typically, once in the Fall semester and again in the Spring semester; those accounts scheduled to expire in the Summer months will remain open until September. Additional passwords to administrative systems will be required to change every 6 months on an ongoing basis.

Passwords themselves must be at least 8 characters in length with at least one alphabetic character and one numeric or punctuation character; proper names, dictionary words and common passwords should be avoided as passwords. As an additional security measure, no unencrypted passwords will be accepted by any systems operated by Library and Technology Services - a matter handled by the web browser, e-mail client, or other software through which a connection is established.

In specific areas of compliance where either longer or more complex passwords, greater change frequency, or multi-factor authentication is required (i.e. PCI/DSS compliant passwords) users will be required to follow any more restrictive policy for those areas than this general access policy.

4.1 Implementation of Policy

Passwords on all new computing accounts are set to expire 6 months from the date the account is opened. Upon implementation of multi-factor authentication user accounts will expire every 12 months. For primary network passwords, daily e-mail warnings will be sent to the account starting two weeks prior to the password expiration and continuing until the password is changed or until the password expires; the e-mail messages will direct individuals to the password change web page at http://www.lehigh.edu/change where the password can be changed. Passwords on administrative systems are handled directly by those systems. Upon expiration of those passwords, the user will be prompted to change the password upon the next login, or, depending on the system, may have a small number of grace logins prior to requiring a password change. During the password creation process, passwords are inspected to be in compliance with the above Statement of Policy.

Any user who is locked out of his or her account or who has forgotten a password can go to the account maintenance web page at http://www.lehigh.edu/forgot and reset the password through the challenge questions set when the account was created or last modified. Those who are unsuccessful with this process, as well as any user locked out of an administrative account, will need to bring a valid University picture identification card to the Computing Center, room FM 394 or FM 294 (primary network passwords only), to have the password reset. Those unable to appear in person with an id card will be required to contact the Accounts Office by phone for identity verification.

4.2 Account Naming Conventions

Account naming is through an automated process when the person is added to the Banner system. The naming syntax used is basically the individual's three initials, a unique (sequential to the process) one-digit number or character (starting at 2), and a two digit year. For first year students, the two digit year is the expected year of graduation; for everyone else, the two digit year is the year the account was opened. Accounts opened prior to the fall of 2004 consist of the first four characters of this naming convention (i.e., without the year).

5.0 Exceptions:

None

6.0 Enforcement:

7.0 Definitions:

8.0 Reference Documents:

9.0 Additional Contacts:

Identity & Access Management, iniam@lehigh.edu

Effective Date: 05/04/2015 
Last Updated/Reviewed: 03/12/2018 
Revision Number: 1.0.1