Carmel Catholic High School Employee Password Policy
Scope
This policy outlines the guidelines for managing passwords and login credentials within the school for access to sensitive and student-specific data. It follows Carmel's Belong, Believe, and Become values to foster a cybersecurity culture that protects our school by ensuring security and integrity. This policy applies to all employees, volunteers, and contractors with access to the school's systems and networks. The policy will be based on NIST Special Publication 800-63B and will ensure compliance with SOPPA and HIPAA.
Requirements
Type: Passphrase
Minimum Length: 16 characters
Special Characters: Not Required
Passphrase Age: Passphrases must be changed every 180 days (twice a year).
Passphrase History: No reuse of passphrases.
Guideline: Passphrases must not contain the user's username, first or last name, or any easy-to-guess information such as birth date.
Lockout: Accounts are locked for 15 minutes after 5 failed login attempts.
Changes
Forced Passphrase Change: Upon initial login, users must change the default password provided to them. After a reset, users must change the temporary passphrase provided. If a passphrase may have been compromised, the user must change it immediately.
Passphrase Expiration Warning: Operating systems will notify the end user 14 days before a passphrase change is required. The user cannot circumvent passphrase updates and must plan accordingly.
IT Passphrases
IT passphrases will be stored in a secure, encrypted password manager, with access limited to authorized staff.
IT passphrases will be randomly generated using a passphrase manager.
IT passphrases will never be shared.
Any user with elevated IT access will be required to change their passphrase every 60 days.
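The rules in the Requirements, Changes and IT Passphrases sections are concrete enough to enforce in code. The following is an added example, not part of the Carmel policy or of any product it names: it takes the thresholds from the policy (16 characters, 180/60-day age, 14-day warning, 5 attempts, 15-minute lockout) and implements them over a constructed user record. The function names, the PBKDF2-based history storage, the choice to check the birth date in both ISO and digits-only form, and the sample user and passphrases are assumptions made for this example.

```python
"""Enforcement helpers for the passphrase policy above (added example).

Thresholds are the policy's; the UserRecord layout, function names, the
PBKDF2 history scheme and the sample data are assumptions for this example.
"""
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MIN_LENGTH = 16             # policy: minimum 16 characters, no special-character rule
MAX_AGE_DAYS = 180          # policy: change every 180 days
ELEVATED_MAX_AGE_DAYS = 60  # policy: 60 days for elevated IT access
WARNING_DAYS = 14           # policy: warn 14 days before expiry
LOCKOUT_THRESHOLD = 5       # policy: lock after 5 failed attempts
LOCKOUT_MINUTES = 15        # policy: lock for 15 minutes
_PBKDF2_ROUNDS = 100_000    # assumption: iteration count for stored history hashes


def _hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, _PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    username: str
    first_name: str
    last_name: str
    birth_date: str                      # ISO form, e.g. "1990-06-30"
    elevated: bool = False
    history: list = field(default_factory=list)   # (salt, hash) pairs; never cleartext
    last_change: Optional[datetime] = None
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def validate_passphrase(user: UserRecord, candidate: str) -> list:
    """Return the policy rules the candidate breaks (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    # Guideline: must not contain username, first/last name or birth date
    banned = {"username": user.username, "first name": user.first_name,
              "last name": user.last_name, "birth date": user.birth_date,
              "birth date (digits)": user.birth_date.replace("-", "")}
    for label, value in banned.items():
        if value and value.lower() in lowered:
            problems.append(f"contains {label}")
    # History: no reuse, checked against every stored salted hash
    for salt, digest in user.history:
        if hmac.compare_digest(_hash_passphrase(candidate, salt), digest):
            problems.append("reuses a previous passphrase")
            break
    return problems


def set_passphrase(user: UserRecord, candidate: str, now: datetime) -> None:
    problems = validate_passphrase(user, candidate)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    user.history.append((salt, _hash_passphrase(candidate, salt)))
    user.last_change, user.failed_attempts, user.locked_until = now, 0, None


def check_passphrase(user: UserRecord, candidate: str) -> bool:
    if not user.history:
        return False
    salt, digest = user.history[-1]          # current passphrase is the newest entry
    return hmac.compare_digest(_hash_passphrase(candidate, salt), digest)


def expiry_status(user: UserRecord, now: datetime) -> str:
    """'ok', 'warn' (within 14 days of expiry) or 'expired' (change forced)."""
    if user.last_change is None:             # first login: default passphrase must go
        return "expired"
    max_age = ELEVATED_MAX_AGE_DAYS if user.elevated else MAX_AGE_DAYS
    remaining = user.last_change + timedelta(days=max_age) - now
    if remaining <= timedelta(0):
        return "expired"
    return "warn" if remaining <= timedelta(days=WARNING_DAYS) else "ok"


def attempt_login(user: UserRecord, candidate: str, now: datetime) -> str:
    """Apply the lockout rule; returns 'locked', 'failed' or 'success'."""
    if user.locked_until is not None:
        if now < user.locked_until:
            return "locked"
        user.locked_until, user.failed_attempts = None, 0   # lockout window elapsed
    if check_passphrase(user, candidate):
        user.failed_attempts = 0
        return "success"
    user.failed_attempts += 1
    if user.failed_attempts >= LOCKOUT_THRESHOLD:
        user.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)
        return "locked"
    return "failed"


def example_run() -> dict:
    """Walk one constructed elevated-access user through the rules."""
    user = UserRecord("jsmith", "Jane", "Smith", "1990-06-30", elevated=True)
    t0 = datetime(2024, 8, 19, 8, 0)
    r = {}
    r["too_short"] = validate_passphrase(user, "correct horse")
    r["has_name"] = validate_passphrase(user, "smith rides a horse daily")
    r["has_birth"] = validate_passphrase(user, "born 19900630 near the lake")
    r["first_login"] = expiry_status(user, t0)
    set_passphrase(user, "purple stapler under the bleachers", t0)
    r["reuse"] = validate_passphrase(user, "purple stapler under the bleachers")
    r["after_change"] = expiry_status(user, t0)
    r["day_50"] = expiry_status(user, t0 + timedelta(days=50))   # 60-day rule: warn
    r["day_61"] = expiry_status(user, t0 + timedelta(days=61))
    r["failures"] = [attempt_login(user, "wrong guess", t0 + timedelta(seconds=i)) for i in range(5)]
    good = "purple stapler under the bleachers"
    r["during_lockout"] = attempt_login(user, good, t0 + timedelta(minutes=5))
    r["after_lockout"] = attempt_login(user, good, t0 + timedelta(minutes=16))
    return r
```

Two design points worth noting: the reuse check has to keep a salted hash of every previous passphrase, because the policy forbids any reuse rather than reuse of the last N, and the lockout counter resets only after a successful login or after the 15-minute window has fully elapsed, so a correct passphrase entered during the lockout is still refused.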
Multi-Factor Authentication (MFA)
MFA is required for any user with elevated IT access.
Google Authenticator will be utilized on user phones along with user passphrases.
Single Sign-On (SSO)
The Technology Department will maintain single sign-on for all possible applications to reduce the number of passwords and increase security. Carmel’s core SSO will consist of Active Directory, synchronized with Google Workspace and Veracross.
Access Control
Least Privilege Principle: Employees should only have access to the information and systems necessary to perform their job duties.
Role-Based Access Control (RBAC): Implement RBAC to assign appropriate permissions based on an employee's role and responsibilities.
Compliance and Enforcement
Compliance: Conduct regular internal audits to check adherence to the password policy. Review and update the password policy yearly to reflect current cybersecurity threats and best practices. Utilize reporting in Google Workspace and Windows Server.
Enforcement: Non-compliance with this policy may result in restricted access or disciplinary actions.
Definitions
NIST: National Institute of Standards and Technology, a non-regulatory agency of the U.S. Department of Commerce.
Multi-Factor Authentication (MFA): A layered approach that requires two or more forms of evidence to verify a user's identity.
Single Sign-On (SSO): A session and user authentication service that lets a user access multiple applications with one set of login credentials.
IT Passphrases: System, Administrator, and Service account passphrases.
Passphrase: A memorized sequence of words or other text that is used to authenticate a user's identity.
This policy will be reviewed annually and updated as necessary to reflect best practices in cybersecurity and data protection.