ARP 15.51


PART 1: PURPOSE

To protect the integrity of NMSU IT resources and data, account passwords must be utilized which comply with NMSU IT standards.  This rule specifies the general requirements, and links to the more specific standards required, based on the level of authorized access per user.  Users of any NMSU-authorized account which accesses NMSU IT resources and data are subject to this rule.

 

PART 2:  PASSWORD REQUIREMENTS

Each account user is required to adhere to the password standards set forth in this rule.  Most password standards fall into two categories:  1) General user account password requirements and 2) Privileged user account requirements.  Password standards are established based on legal requirements and IT security best practices, differentiated by the type of data or IT resource the account is authorized to access. A password is most secure the longer it is and the easier it is to remember. NMSU encourages the use of a passphrase for account passwords.

 

PART 3:  DUTY TO MAINTAIN CONFIDENTIALITY AND TO REPORT SECURITY CONCERNS

    1. Assignment of an NMSU account, typically required to perform one’s job, grants access to NMSU IT resources and data, potentially including access to NMSU Affiliate data or confidential proprietary data.  Each user is responsible to protect this access. Never share your account password with any other person, including a supervisor. NMSU will never ask you for your password via an unsolicited email, phone call, screen pop-up or in-person request.
    2. NMSU accounts are most commonly compromised when a user responds to an Email phishing scam. Never click a link in an unsolicited email, without first verifying the authenticity of the link.
    3. Account owners should immediately report a possible password compromise to the NMSU helpdesk or abuse@nmsu.edu and set a new password on the account.
    4. The account policy standards linked above provide more detailed information.  These standards are incorporated into this rule by reference and users must review and abide such standards.  ICT is authorized to update and amend the standards, provided they remain posted and notice is given to the university community each time they are changed.