Information Technology Procedure - Passwords

Section 1 - Purpose

(1) This procedure supports the Information Technology Policy and sets out Charles Sturt University's (the University) standards regarding passwords and personal identification number management (including strength, quality, creation, protection, storage, re-use and resetting) and maintenance.

Scope

(2) This procedure applies to all authorised users who:

  1. access the University's information and communication technology (ICT) systems
  2. create and manage passwords and/or personal identification numbers (PIN) used to access the University's ICT systems
  3. are responsible for managing a University ICT system account that supports or requires passwords or PINs to access, and
  4. are responsible for systems that manage, transport and store University credentials.

Section 2 - Policy

(3) See the Information Technology Policy.

Section 3 - Procedures

(4) Passwords, combined with multi-factor authentication (MFA), are the primary authentication credential used by the University's ICT systems to verify the identity of individuals wanting to gain authorised access.

(5) Poor choice of passwords and/or poor password management may present an unacceptable risk to staff, students and University information in the form of unauthorised disclosure, loss of integrity and/or information availability.

Responsibilities

(6) The Division of Information Technology is responsible for the provisioning, storage and management of centralised password datasets used for authentication to applications and ICT services listed in the University's Applications Portfolio.

(7) Authorised users are responsible for:

  1. password creation, use and management, associated with their University credentials, and
  2. reporting any actual or suspected password compromises through:
    1. the IT Service Desk (for authorised users excluding students), or
    2. SX Service Centre (for students).

(8) Application custodians of systems that are not listed in the Applications Portfolio or not using centralised authentication systems are required to comply with this procedure regarding the provisioning, storage and management of password datasets used for authentication.

(9) Exemptions to this procedure must be approved in writing by the Chief Information and Digital Officer.

(10) At the discretion of the Chief Information and Digital Officer, ICT systems that do not comply with this procedure may be removed from operation until compliance can be demonstrated or an exemption approved.

(11) Failure to comply with this procedure through deliberate, malicious or negligent behaviour may result in disciplinary action as per the University's misconduct processes.

Password strength and changing

(12) All passwords are classified as highly sensitive, as per the University’s Information Classification and Handling Procedure.

(13) User password strength and complexity are based on the minimum requirements for single-factor authentication as defined by the Australian Government Information Security Manual (ISM). These minimum requirements will also be applied to systems and passwords using multi-factor authentication.

(14) All passwords must meet the following requirements for strength and frequency of change:

Account type: Authorised user accounts
  Password strength: at least eight characters long and including at least three of the following:
    1. lowercase letters
    2. uppercase letters
    3. numbers
    4. special characters ($%#)
  Change frequency: 120 days

Account type: Privileged user accounts
  Password strength: at least 11 characters long and including at least three of the following:
    1. lowercase letters
    2. uppercase letters
    3. numbers
    4. special characters ($%#)
  It is strongly recommended that passwords be at least 15 characters long to enhance security and reduce the risk of compromise.
  Change frequency: 90 days

Account type: Service accounts
  Password strength: same as privileged user accounts
  Change frequency: 180 days (some exceptions apply)

(15) Passwords for all accounts must be:

  1. difficult to guess and not be:
    1. a single dictionary word such as names, pets, fantasy characters
    2. numbers such as birthdays, anniversaries or phone numbers
    3. word or number patterns such as qwerty, aaabbb or 123456
    4. any of the above preceded or followed by a digit such as secret1 or 1rover
    5. the same as, or a variation of, the associated username
  2. unique and not the same as passwords used for non-University accounts such as personal social media accounts, personal email accounts and online banking.

(16) Passwords must not be re-used for six consecutive changes.

(17) Passwords cannot be changed by the authorised user more than twice a day.

(18) Personal identification numbers (PINs) must be difficult to guess and not a repetition of the same digit.
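The rules in clauses (14), (15), (16) and (18) are the kind of thing an authentication system enforces in code at password-set time. The following checker is an added example written for this page; it is not the University's code. The account-type labels, the sample word list, the keyboard-row table and the (salt, hash) history format are assumptions made here, and the history is kept as salted PBKDF2 hashes so that no previous password is stored in a recoverable form, as clause (24) requires.

```python
"""Password-policy checker for clauses (14), (15), (16), (18) and (24).
Added illustration, not the University's code: account-type labels, the sample
word list and the history format are assumptions made here."""
import hashlib
import os
import re
from typing import List, Tuple

# Clause (14): minimum length per account type (row labels are assumed).
MIN_LENGTH = {"user": 8, "privileged": 11, "service": 11}
REQUIRED_CLASSES = 3   # at least three of the four character classes
HISTORY_DEPTH = 6      # clause (16): no re-use within six consecutive changes

# Constructed stand-in for a real dictionary / breached-password list (assumption).
DICTIONARY = {"secret", "rover", "password", "gandalf", "welcome"}
# Clause (15) 1.3: keyboard rows and the digit row, checked for runs in either direction.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

CLASS_PATTERNS = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "numbers": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}


def character_classes(password: str) -> set:
    """Which of the four clause (14) character classes the password uses."""
    return {name for name, rx in CLASS_PATTERNS.items() if re.search(rx, password)}


def looks_like_pattern(text: str) -> bool:
    """Clause (15) 1.3: repeats such as aaabbb, runs such as qwerty or 123456."""
    t = text.lower()
    if re.search(r"(.)\1\1", t):          # any character three or more times in a row
        return True
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - 3):     # every 4-character run of the row
            run = row[i:i + 4]
            if run in t or run[::-1] in t:
                return True
    return False


def core_word(password: str) -> str:
    """Strip leading/trailing non-letters so secret1 and 1rover reduce to the bare
    word (clause (15) 1.4)."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is not recoverable (clause (24))."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def new_history_entry(password: str) -> Tuple[bytes, bytes]:
    """What the history stores on each change: (salt, hash), never the password."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def check_password(password: str, username: str, account_type: str,
                   history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return every policy violation found (an empty list means acceptable).
    history holds (salt, hash) pairs for previous passwords, newest first."""
    problems = []
    if len(password) < MIN_LENGTH[account_type]:
        problems.append(f"shorter than {MIN_LENGTH[account_type]} characters")
    classes = character_classes(password)
    if len(classes) < REQUIRED_CLASSES:
        problems.append(f"uses only {len(classes)} of 4 character classes")
    if core_word(password) in DICTIONARY:
        problems.append("single dictionary word, possibly padded with digits")
    if password.isdigit():
        problems.append("numbers only (birthday, anniversary, phone number)")
    if looks_like_pattern(password):
        problems.append("keyboard or repetition pattern")
    user = re.sub(r"[^a-z0-9]", "", username.lower())
    pw_norm = re.sub(r"[^a-z0-9]", "", password.lower())
    if user and (user in pw_norm or user[::-1] in pw_norm):
        problems.append("same as or variation of the username")
    # Clause (16): compare against the six most recent hashes, each with its own salt.
    for salt, digest in history[:HISTORY_DEPTH]:
        if hash_password(password, salt) == digest:
            problems.append(f"re-used within the last {HISTORY_DEPTH} changes")
            break
    return problems


def check_pin(pin: str) -> List[str]:
    """Clause (18): a PIN must be digits only, not one repeated digit and not a run."""
    problems = []
    if not pin.isdigit():
        problems.append("PIN must contain digits only")
    elif len(set(pin)) == 1:
        problems.append("repetition of the same digit")
    elif looks_like_pattern(pin):
        problems.append("sequential digit pattern")
    return problems


if __name__ == "__main__":
    # Constructed demonstration values.
    print(check_password("secret1", "jsmith", "user", []))
    print(check_password("Correct-Horse7Battery", "jsmith", "privileged", []))
    print(check_pin("1111"))
```

The checker reports every violation rather than stopping at the first, which is what a user-facing password change form needs. The reuse check recomputes the hash with each stored entry's own salt, so the history can be kept without ever holding an old password in clear text.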

Password use and storage

(19) Passwords and PINs are only to be used by an authorised user and must not be:

  1. shared with anyone under any circumstances, or
  2. written down or recorded in physical or clear text electronic format.

(20) Password manager software may be used where:

  1. passwords are not stored in plain text
  2. access to the password manager software is not shared.

(21) If the confidentiality of a password or PIN is in doubt, it must be changed immediately.

(22) If the confidentiality of a password or PIN has been compromised, Division of Information Technology will:

  1. lock the associated account
  2. advise the account holder
  3. manage the associated risk, and
  4. direct the user to change their password/PIN.

(23) The use, storage and/or transport of plain text passwords is prohibited.

(24) Authentication systems must not store passwords or PINs in a viewable or recoverable format.

(25) A record of all account registration, history, status and revocation must be kept for seven years and six months after expiration or revocation (whichever is later).

Applications and systems

(26) To facilitate compliance with this procedure, the University's applications and systems must use centralised enterprise authentication systems and multi-factor authentication, where practicable. 

(27) Alternate authentication mechanisms that do not use passwords or PINs (e.g. biometric authentication, tokens, certificates) may only be used after consultation with and approval from the Chief Information and Digital Officer or delegate.

(28) Forgotten, expired or locked-out passwords must be re-set and not recovered.

(29) Authentication mechanisms must disable user and privileged accounts for a period of 30 minutes after five consecutive failed authentication attempts.
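Clause (29) describes a lockout state machine: count consecutive failures per account, disable the account when the count reaches five, and release it 30 minutes later. The following is an added example of that logic, written for this page rather than taken from the University's systems; the account names, the stand-in credential check and the injectable clock are assumptions. The lock is tested before the credential is verified, so a disabled account answers the same way whether or not the supplied password is correct.

```python
"""Account lockout after consecutive failed attempts, as clause (29) specifies.
Added illustration, not the University's authentication system: the account
names, the credential check and the injectable clock are assumptions."""
import time
from collections import defaultdict
from typing import Callable, Dict

MAX_FAILURES = 5              # clause (29): five consecutive failed attempts
LOCKOUT_SECONDS = 30 * 60     # clause (29): disabled for 30 minutes


class LockoutTracker:
    """Per-account consecutive-failure counter with a timed lock.
    The clock is injectable so the 30-minute window can be tested without waiting."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._now() >= until:
            # The 30 minutes have elapsed: clear the lock and restart the count.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def seconds_remaining(self, account: str) -> float:
        """How long the account stays disabled (0 when it is not locked)."""
        if not self.is_locked(account):
            return 0.0
        return self._locked_until[account] - self._now()

    def record_failure(self, account: str) -> bool:
        """Count a failed attempt; returns True when the account is (now) locked."""
        if self.is_locked(account):
            return True
        self._failures[account] += 1
        if self._failures[account] >= MAX_FAILURES:
            self._locked_until[account] = self._now() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        """Only consecutive failures count, so a success resets the counter."""
        self._failures[account] = 0


def authenticate(tracker: LockoutTracker, account: str, supplied: str,
                 verify: Callable[[str, str], bool]) -> str:
    """Return 'locked', 'ok' or 'denied'. The lock is checked before the credential
    is verified, so a disabled account gives the same answer for any password."""
    if tracker.is_locked(account):
        return "locked"
    if verify(account, supplied):
        tracker.record_success(account)
        return "ok"
    return "locked" if tracker.record_failure(account) else "denied"


if __name__ == "__main__":
    # Constructed demonstration with a fake clock and a stand-in credential check.
    clock = [0.0]
    tracker = LockoutTracker(now=lambda: clock[0])
    verify = lambda account, pw: pw == "correct-horse"
    for attempt in range(6):
        print(attempt + 1, authenticate(tracker, "alice", "wrong", verify))
    clock[0] += LOCKOUT_SECONDS
    print("after 30 minutes:", authenticate(tracker, "alice", "correct-horse", verify))
```

In a real deployment the counter and lock expiry would live in shared storage rather than process memory, so that the five-attempt limit holds across every server that accepts logins for the account, and each lock event would be logged for the IT Service Desk to see.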

(30) Authentication mechanisms involving the use of passwords must use secure, strong encryption protocols in the transport of account information.

(31) Applications must provide role management to allow one authorised user to undertake the functions of another without the need to share passwords.

Section 4 - Guidelines

(32) Nil.

Section 5 - Glossary

(33) This procedure uses terms as defined in the Information Technology Policy, as well as the following:

  1. Applications Portfolio - means the University’s official register of application assets. This does not include items such as network systems, database management systems, active directories systems etc.
  2. Authorised user account - see the Information Technology Policy glossary.
  3. Multi-factor authentication - means the use of more than one authentication method for access to an application or system.
  4. Privileged account - means an account used by authorised users to access ICT systems at an administrative or higher level function than that of a user account.
  5. Role management - means the mechanism by which an application manages the functions an authorised user can perform and the data which an authorised user has access to within the application.
  6. Service account - means an account that an application or service uses to interact with an operating system, database or integration service and cannot be used for authorised user or privileged account functions.
  7. Single-factor authentication - means the use of only one authentication method for access to an application or system.
  8. System or application custodian - means executive staff with recognised responsibility and ownership of University information or ICT assets as identified in the Applications Portfolio; or, for non-registered systems, the primary budget centre manager that has established the non-registered system.