Events

Subscribe to KUMC Events Calendar via Outlook

RSS RSS of Events

Information for:

Students
Faculty & Staff
Researchers
Patients
Prospective Employees
Alumni | Donors

Academics

ANGEL | JayDocs
The Beat
Enroll & Pay
Dykes Library
Academic Calendar
More Student Services

Email Outlook
myKUMC myKUMC
SharePoint SharePoint
HR/Pay HR/Payroll System

Patient Clinical Logging
Secure File Transfers
VPN

KUMC Leadership
Facilities & Maintenance
Human Resources
Information Resources

  1. KUMC A-Z:
  2. A
  3. B
  4. C
  5. D
  6. E
  7. F
  8. G
  9. H
  10. I
  11. J
  12. K
  13. L
  14. M
  15. N
  16. O
  17. P
  18. Q
  19. R
  20. S
  21. T
  22. U
  23. V
  24. W
  25. X
  26. Y
  27. Z
  28. all

Password Policy

Principle
Password protection is one of the most important principles of computer security, as passwords represent the primary and often only line of defense against unauthorized or inappropriate access to the University's business, research or academic information and system.

Purpose
The purpose of this policy is to establish the standards for creation and management of passwords used on any University or UKP computing system or application.

Resources Covered By This Policy
Applies to all electronic devices connected to the University network including but not limited to computer workstations and servers, network switches and routers, specialized medical devices, etc.

Individuals and Groups Covered By This Policy
Everyone who holds, or wishes to acquire, a valid account on the University's network, e-mail and/or voice mail systems is covered by this policy. This policy covers users on the Kansas City and Wichita campuses as well as users who access these systems from an off-campus location. There are no exemptions.

Definitions

Password: A series of letters, numbers and\or symbols that is used to authenticate an individual's identity and which is used to grant access to the University of Kansas Medical Center's computing and voicemail resources.

Password lifetime: The length of time a password may be used before it can be changed.

Password history: A list of previous passwords used by a specific user account.

User: Anyone who holds a valid account on the University's network, e-mail and/or voice mail systems.

Responsibilities

System administrators and users assume the following responsibilities:

  • System administrator must protect the confidentiality of passwords on their systems and configure their systems to meet the requirements set forth in this policy.
  • Users must create and manage passwords according to the standards outlined below.
  • Each user is responsible for all actions and functions performed by his/her account.
  • Suspected password compromise must be reported to Information Security (8-3333) immediately.

I. Password Standards

Passwords for access to the KUMC network and computer systems must meet the following requirements:

  • Consist of a minimum of 8 and a maximum of 16 characters.
  • Contain a minimum of one upper-case letters.
  • Contain at least one number.
  • Contain at least one special characters from the following set: 
    ! " # $ % & ' ( ) * + , - . / :
    ; < = > ? @ [ \ ] ^ _ ' { | } ~
  • Have a maximum password lifetime of 365 days. (Passwords must be changed on an annual basis.)
  • Passwords must not be reused for a minimum of 10 cycles.

To minimize the risk of someone guessing your password:

  • Use two or three short words that are unrelated.
  • Deliberately misspell words.
  • Take the first letter from each word of a phrase.
  • Do not use any part of the account identifier (your login ID, name, etc.).
  • Do not use a proper name or any word in the dictionary without altering it in some way.

II. Password Protection Requirements

  • Passwords must never be shared or revealed to anyone other than the authorized account owner (unless approved by the Director of Information Security).
  • Passwords must never be written down or stored in a way in which they could be viewed by someone other than the authorized account owner.  If a password must be stored, it must be encrypted using an encryption method approved by Information Security.
  • Users should never use their KUMC network password for non-KUMC "personal" accounts (e.g., personal email).
  • Initial passwords for a user account should be unique and configured to require that the password be changed immediately when the user logs on for the first time.
  • Systems will be configured to lockout user accounts after 5 unsuccessful login attempts.  The account will remain locked for 15 minutes or until reset by an administrator.
  • Passwords must be changed immediately if it is suspected that the user ID and password have been disclosed to an unauthorized person or if a system has been compromised or is under the suspicion of having been compromised.
  • Passwords used for applications, scripts, Internet websites, system processes, and other automated processes must not be stored in readable format where an unauthorized individual may view them.
  • All vendor-supplied default passwords for application software or hardware devices must be changed immediately after being placed on the University network.

Procedures

Procedures for processing password requests strive to balance security requirements and user convenience. These procedures will be followed by Customer Support staff for all password requests (including new, changed or forgotten passwords) for access to the University's network, e-mail or voice mail resources.

1. Account owners are encouraged to answer several password challenge questions which will allow them to reset their own password in the event that they have forgotten it.  To setup their personalized challenge questions and answers, users should login to the myKUMC portal and select "Change your password challenge questions" from the Computing tab.

2. Customer Support staff will be pleased to handle requests made in one of the following ways:

  • Requests may be made in person at Customer Support [3021 Taylor] from 7 a.m. to 6 p.m. Monday through Friday. Photo identification is required.
  • Requests may be faxed to Customer Support at (913) 588-2579 7 a.m. to 9 p.m. Monday through Friday. The fax must include photo identification and a signature. Nights, weekends, and holidays, requests may be faxed to Computer Operations at (913) 588-4924.

3. New or existing passwords will be revealed by telephone only if the following conditions are met:

  • The new user is contacted at their authorized work phone number, and
  • The user's identity is verified based upon a personal identifier, information on an access request form, etc.

4. The Director of Information Security must approve any password change requested by a user's supervisor. Confirmation will be sent to user when a password change is completed at the request of a supervisor.

Exceptions

Requests for exceptions to this Policy may be granted only under special circumstances. Any requests must be submitted in writing to the Director of Information Security for approval. The KUMC Information Security Exception Form is available for this purpose.

Exceptions will be permitted only on receipt of written approval from Information Security. Information Security will retain documentation of currently permitted exceptions and will review them on an annual basis.

Contact Information

For information on this policy, please contact:

Steffani Webb
Associate Vice Chancellor for Information Resources
Chief Information Officer
University of Kansas Medical Center
1014 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-7300

Sherry Callahan
Director of Information Security
Department of Information Resources
University of Kansas Medical Center
1020 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-0966

Last Review Date: March 13, 2011
Last Revision Date: March 13, 2011

Last modified: Jan 22, 2013