• it must be routinely changed
• it must adhere to a minimum length as established by [SharePoint Portal Owning Organization]
• it must be a combination of alpha and numeric characters it must not be anything that can easily tied back to the account owner such as: user name, social security number, nickname, relative’s names, birth date, etc.
• it must not be dictionary words or acronyms password history must be kept to prevent the reuse of a password Stored passwords must be encrypted, including maintaining encryption standards on the SharePoint SSO database.
• SharePoint user account passwords must not be divulged to anyone.
• SharePoint Portal Owning Organization] contractors will not ask for user account passwords.

Security tokens (i.e. Smartcard) must be returned on demand or upon termination of the relationship with [SharePoint Portal Owning Organization].

If the security of a password is in doubt, the password must be changed immediately.

Administrators must not circumvent the Password Policy for the sake of ease of use.

Users cannot circumvent SharePoint password entry with auto logon, application remembering, embedded scripts or hardcoded passwords in client software. Exceptions may be made for specific SharePoint applications (like automated backup or SSO) with the approval of the [SharePoint Portal Owning Organization]. In order for an exception to be approved there must be a procedure to change the passwords.

SharePoint aware devices must not be left unattended without enabling a password protected screensaver or logging off of the device.

SharePoint password change procedures:

• authenticate the user to the [SharePoint Portal Owning Organization] helpdesk before changing password
• change to a strong password
• the user must change password at first login

In the event SharePoint passwords are found or discovered, the following steps must be taken:

• Report the discovery to the [SharePoint Portal Owning Organization] Help Desk
• Take control of the passwords and protect them
• Transfer the passwords to an authorized person as directed by the [SharePoint Portal Owning Organization]

• Passwords must be changed at least every 60 days.
• Passwords must have a minimum length of 8 alphanumeric characters.
• Passwords must contain a mix of upper and lower case characters and have at least 2 numeric characters.The numeric characters must not be at the beginning or the end of the password. Special characters should be included in the password where the computing system permits. The special characters are (!@#$%^&*_+=?/~`;:,<>|).
• Passwords must not be easy to guess
• Passwords must not be your employee number
• Passwords must not be your name
  
• Passwords must not be family member names
• Passwords must not be your nickname
• Passwords must not be your social security number
• Passwords must not be your birthday
• Passwords must not be your license plate number
• Passwords must not be your pet's name
• Passwords must not be your address
• Passwords must not be your phone number
• Passwords must not be the name of your town or city
• Passwords must not be the name of your department
• Passwords must not be street names
• Passwords must not be makes or models of vehicles
• Passwords must not be slang words
• Passwords must not be obscenities
• Passwords must not be technical terms
• Passwords must not be school names, school mascote, or school slogans
• Passwords must not be any information about you that is known or is easy to learn
• Passwords must not be any popular acronyms
• Passwords must not be words that appear in a dictionary
• Passwords must not be reused for a period of one year
• Passwords must not be shared with anyone
• Passwords must be treated as confidential information

• Any and all [SharePoint Portal Owning Organization] SharePoint security controls must not be bypassed or disabled.
• SharePoint Security awareness by [SharePoint Portal Owning Organization] personnel must be continually emphasized, reinforced, updated and validated.
• All [SharePoint Portal Owning Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
• User SharePoint account passwords shall be protected by the individual user from use by, or disclosure to, any other individual or organization. All security violations shall be reported to respectful SharePoint security incident handling management.
• Access to, change to, and use of SharePoint Account Managmenet Policy must be strictly secured. SharePoint information access authority for each user must be reviewed on a regular basis, as well as each job status change such as: a transfer, promotion, demotion, or termination of service.
• On termination of the relationship with the Sharepoint user all security policies for [SharePoint Portal Owning Organization] apply and remain in force surviving the terminated relationship.
• [SharePoint Portal Owning Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [SharePoint Portal Owning Organization] standardized processes.

• Copyright Act of 1976
• Foreign Corrupt Practices Act of 1977
• Computer Fraud and Abuse Act of 1986
• Computer Security Act of 1987
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)