User Accounts and Passwords Policy
Responsible Official: Chief Information Security Officer
Responsible Office: Information Technology
Effective Date: November 12, 2024
Last Revision Date: November 12, 2024
Associated Documents
- Computer User Agreement
- User Accounts and Passwords Standard
- Data Classification and Handling Guidelines
Policy Statement
Users of Reed IT resources shall comply with account and password management security best practices based on National Institute of Standards and Technology (NIST) security controls.
Scope
This policy applies to all systems, networks, and applications within Reed that require user authentication, especially those that process, store, or transmit sensitive information, including Personally Identifiable Information (PII), Protected Health Information (PHI), education records under FERPA, and other regulated data.
Policies
- All user accounts must be secured with a password or other credential that complies with Reed’s password standards.
- Users shall not share their Reed password with another individual, or otherwise provide another individual with access to their Reed account.
- Users shall not use another user’s Reed password, attempt to capture or guess another user’s Reed password, or otherwise attempt to access another user’s Reed account.
- Users shall not reuse their Reed password for personal accounts with third-party services (for example, Facebook or Netflix).
- Users with an academic or administrative need to access non-licensed websites or other third-party services shall:
  - Make best efforts not to use their Reed password.
  - Use a materially different password from their regular Reed password if the site requires a Reed User ID (e.g., registering for a conference with a Reed email address).
  - Make best efforts to avoid storing sensitive data on such sites.
- Users shall make a reasonable effort to protect their passwords or other credentials and to secure IT resources against unauthorized use or access. For example, users should not store passwords in plain text in a computer file.
- Reed passwords, credentials, and accounts are provided at the discretion of Reed College and are subject to the following terms of use:
  - Reed College has a legal obligation to access and provide any data (personal or otherwise) stored on Reed College systems that is requested as part of litigation or other lawful requests.
  - Authorized personnel may inspect any data transmitted or stored using IT resources for auditing, troubleshooting, or similar purposes.
- All systems must enforce Reed’s password policies and standards where possible.
- Multi-factor authentication is highly encouraged and should be used whenever possible.
- Any individual suspecting that their password or other credentials may have been compromised must report the incident to Computer User Services (CUS@reed.edu) in IT and change all relevant passwords.
Noncompliance
Noncompliance with this policy may result in the suspension or revocation of computing privileges. Anyone who violates this policy may be held liable for damages to Reed College assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation. Refer to the Reed College User Agreement.
External Governing Standards, Policies, and Procedures
Gramm-Leach-Bliley Act (GLBA)
- Protect Financial Information: Ensure that passwords used to access financial data are compliant with GLBA’s Safeguards Rule. This includes regular updates to passwords and the use of MFA for sensitive information.
- Documentation and Review: Maintain records of password policies and review them regularly to ensure they meet GLBA requirements.
Family Educational Rights and Privacy Act (FERPA)
- Safeguard Educational Records: Ensure that passwords protect access to student educational records, with strict controls to prevent unauthorized access as required by FERPA.
- Audit Trails: Keep detailed audit trails of password changes and access attempts for systems managing educational records, ensuring compliance with FERPA regulations.
Oregon Consumer Privacy Act (SB619)
- Support Consumer Privacy Rights: Ensure password practices support compliance with Oregon SB619 by protecting consumer data and allowing consumers to exercise their rights, such as data access and correction.
- Data Protection Assessments: Include password management practices in Data Protection Assessments (DPAs) required under Oregon SB619.
Definitions
Credentials – In the context of authentication, the term “credential” refers to a secret or token that uniquely identifies a user to a system. A credential is most commonly a “username and password” pair bound to a particular user. Other examples of credentials are biometric identifiers (e.g., a thumbprint scan) and digital identification mechanisms such as smartcards and multi-factor authentication tokens.
IT Resource – (At Reed College) All Information Technology (IT) resources that are the property of Reed College and include, but are not limited to, all network-related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP.
- IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.
System – (In Information Technology [IT]) A computer system consists of hardware components that work with software components to achieve a defined outcome.
- The main software component that runs on a system is an operating system that manages and provides services to other programs that can be run on the computer. Computer systems may also include peripheral devices such as printers, A/V equipment, operating machinery, etc.
Third Party – (In Information Technology [IT]) A vendor. Can be applied to any vendor (“third party provider”), but mostly used regarding “vendor software” to distinguish it from software developed “in house.”
User – Any person who makes any use of any Reed IT resource from any location (whether authorized or not).
Revision History
Date | Comment | By
01/20/2023 | Original content | Val Moreno
02/03/2023 | Privacy and Compliance Analyst Review | Bec Daniels
10/28/2024 | Edit and resubmission for review | Pete Halatsis
11/12/2024 | CPPC for review, comment & approval | CPPC
11/12/2024 | Approved | CPPC