Educause Security Discussion mailing list archives

Password Management Policy & Standards


From: Carlos Lobato <clobato () NMSU EDU>
Date: Fri, 26 Feb 2016 15:34:15 +0000

All,


I highly appreciate the discussion regarding this topic and would highly appreciate hearing more from you on the 
specifics of how you are addressing the frequency of changing passwords.


Additionally, if you are changing your passwords, is this requirement applicable to all types of accounts including 
service accounts, highly privileged accounts, student accounts, etc.?


If you are not changing your passwords at all, please let me know as well, including your reasoning.


Carlos


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carlos Lobato
Sent: Wednesday, February 24, 2016 5:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Password Management Policy & Standards



Hello Colleagues,



I'm working on promoting institutional compliance with our current password policy, which requires regular password 
changes every 120 days for all accounts.



However, I would like to know if some of you have created a table or matrix listing all of your types of accounts and if 
password expiration dates vary depending on the type of account, which would be based on risk.



If you have a listing, I would highly appreciate a link or a copy to your document.  I am using various resources 
including the NIST SP 800-118 and I can share with the group after I finish my analysis and potentially re-write our 
current NMSU password policy to make it more realistic.



Thank you so much for any input that you may have.



Carlos,



Carlos S. Lobato, CISA, CISSP, CPA

IT Compliance Officer



New Mexico State University

Information and Communication Technologies

MSC 3AT PO Box 30001

Las Cruces, NM  88003



Phone (575) 646-5902

Fax (575) 646-5278
