SharePoint user authentication is a means to control who has access to the SharePoint environment. SharePoint access gained by a non-authorized entity can cause loss of information confidentiality, integrity and availability that may result in loss of revenue, liability, loss of trust, or embarrassment to [Organization].
The purpose of the [Organization] SharePoint Password Policy is to establish the rules for the creation, distribution, safeguarding, termination, and reclamation of the [Organization] user authentication mechanisms.
The [Organization] SharePoint Password Policy applies equally to all individuals who use any [Organization] SharePoint resource.
SharePoint Portal Password Policy
All SharePoint user passwords, including initial passwords, must be constructed and implemented according to the following [Organization] rules:
it must be changed routinely
it must meet the minimum length established by [Organization]
it must combine alphabetic and numeric characters
it must not be anything that can easily be tied back to the account owner, such as a user name, social security number, nickname, relative's name, birth date, etc.
it must not be a dictionary word or an acronym
password history must be kept to prevent the reuse of a password
stored passwords must be protected: user passwords are to be stored only as salted, iterated hashes and never in a reversible form, while credentials that SharePoint must present to other systems on a user's behalf (such as those held in the SharePoint SSO database) must be encrypted in line with [Organization] encryption standards
SharePoint user account passwords must not be divulged to anyone.
[Organization] staff and contractors will never ask a user for an account password.
Security tokens (e.g. smartcards) must be returned on demand or upon termination of the relationship with [Organization].
If the security of a password is in doubt, the password must be changed immediately.
Administrators must not circumvent the Password Policy for the sake of ease of use.
Users must not circumvent SharePoint password entry with auto-logon, application password remembering, embedded scripts, or hardcoded passwords in client software. Exceptions may be made for specific SharePoint applications (such as automated backup or SSO) with the approval of [Organization]; for an exception to be approved there must be a documented procedure for changing the passwords concerned.
Devices with SharePoint access must not be left unattended without enabling a password-protected screensaver or logging off the device.
SharePoint password change procedures:
the [Organization] help desk must verify the user's identity before changing a password
the password must be changed to a strong temporary password
the user must change the password at first login
In the event SharePoint passwords are found or discovered, the following steps must be taken:
Report the discovery to the [Organization] Help Desk
Take control of the passwords and protect them
Transfer the passwords to an authorized person as directed by the [Organization]
SharePoint Portal Password Policy
Passwords must be changed at least every 60 days.
Passwords must have a minimum length of 8 alphanumeric characters.
Passwords must contain a mix of upper- and lower-case letters and at least 2 numeric characters. The numeric characters must not be at the beginning or the end of the password. Special characters should be included in the password where the computing system permits; the permitted special characters are !@#$%^&*_+=?/~`;:,<>|.
Passwords must not be easy to guess
Passwords must not be your employee number
Passwords must not be your name
Passwords must not be family member names
Passwords must not be your nickname
Passwords must not be your social security number
Passwords must not be your birthday
Passwords must not be your license plate number
Passwords must not be your pet’s name
Passwords must not be your address
Passwords must not be your phone number
Passwords must not be the name of your town or city
Passwords must not be the name of your department
Passwords must not be street names
Passwords must not be makes or models of vehicles
Passwords must not be slang words
Passwords must not be obscenities
Passwords must not be technical terms
Passwords must not be school names, school mascots, or school slogans
Passwords must not be any information about you that is known or is easy to learn
Passwords must not be any popular acronyms
Passwords must not be words that appear in a dictionary
Passwords must not be reused for a period of one year
Passwords must not be shared with anyone
Passwords must be treated as confidential information
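The rules above, expressed as a runnable checker. This is an added example, not [Organization]'s own tooling: the dictionary, acronym list, user attributes and timestamps are constructed stand-ins, and the function names are assumptions. It covers the points home-grown checkers most often miss: a digit at the first or last position, a dictionary word merely padded with digits or symbols, the owner's personal details anywhere in the password, and the one-year reuse window, which is checked against salted PBKDF2 hashes rather than stored passwords.

```python
"""Checker for the SharePoint password rules above.

Added example (not the organization's code). DICTIONARY, ACRONYMS and the
user attributes passed in are constructed stand-ins for real word lists and
directory data.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional

MIN_LENGTH = 8
MIN_DIGITS = 2
MAX_AGE_DAYS = 60          # "changed at least every 60 days"
HISTORY_DAYS = 365         # "not reused for a period of one year"
SPECIAL_CHARS = set("!@#$%^&*_+=?/~`;:,<>|")
PBKDF2_ROUNDS = 100_000

# Constructed stand-ins for the organization's dictionary and acronym lists.
DICTIONARY = {"password", "welcome", "summer", "sharepoint", "dragon"}
ACRONYMS = {"asap", "fyi", "nasa"}


def check_complexity(password: str, user_attrs: dict[str, str]) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes.

    user_attrs maps a label ("user name", "pet's name", ...) to the value
    that must not appear in the password.
    """
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        problems.append("must mix upper- and lower-case letters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append(f"needs at least {MIN_DIGITS} numeric characters")
    if password and (password[0].isdigit() or password[-1].isdigit()):
        problems.append("numeric characters must not be first or last")
    if any(not c.isalnum() and c not in SPECIAL_CHARS for c in password):
        problems.append("contains a character outside the permitted special set")

    lowered = password.lower()
    # Strip digits and symbols so "Welcome11" is still recognised as "welcome".
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if letters_only in DICTIONARY or letters_only in ACRONYMS:
        problems.append("is a dictionary word or acronym padded with digits/symbols")
    elif any(word in lowered for word in DICTIONARY if len(word) >= 5):
        problems.append("contains a dictionary word")

    # Personal details (name, pet, employee number, ...) anywhere in the password.
    for label, value in user_attrs.items():
        token = re.sub(r"\s+", "", value.lower())
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains the account owner's {label}")
    return problems


@dataclass(frozen=True)
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: float   # epoch seconds when this password took effect


def record_password(password: str, set_at: float, salt: Optional[bytes] = None) -> PasswordRecord:
    """Keep a salted, iterated hash for history checks; never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return PasswordRecord(salt, digest, set_at)


def reused_within_history(password: str, history: list[PasswordRecord], now: float) -> bool:
    """True if the password matches any record set within the last HISTORY_DAYS."""
    window = HISTORY_DAYS * 86_400
    for rec in history:
        if now - rec.set_at > window:
            continue   # older than the one-year window: no longer blocks reuse
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), rec.salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, rec.digest):
            return True
    return False


def password_expired(current: PasswordRecord, now: float) -> bool:
    """True once the current password is MAX_AGE_DAYS old or older."""
    return now - current.set_at >= MAX_AGE_DAYS * 86_400


if __name__ == "__main__":
    owner = {"user name": "jsmith", "pet's name": "Rex"}   # constructed sample
    for candidate in ("Summer2024", "4Train#9Vault", "Rex#2024ab", "Tr4in#9Vault"):
        print(candidate, "->", check_complexity(candidate, owner) or "OK")
```

The history store keeps only salt, digest and the time the password took effect, so a leaked history table does not yield reusable passwords; credentials that SharePoint has to replay to other systems are the only ones that need reversible encryption.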
SharePoint Portal Password Policy Supporting Information
Any and all [Organization] SharePoint security controls must not be bypassed or disabled.
SharePoint Security awareness by [Organization] personnel must be continually emphasized, reinforced, updated and validated.
All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
User SharePoint account passwords shall be protected by the individual user from use by, or disclosure to, any other individual or organization. All security violations shall be reported to the management responsible for SharePoint security incident handling.
Access to, changes to, and use of the SharePoint account management process must be strictly controlled. Each user's SharePoint information access authority must be reviewed on a regular basis, and at each job status change such as a transfer, promotion, demotion, or termination of service.
On termination of the relationship with a SharePoint user, all [Organization] security policies remain in force and survive the terminated relationship.
[Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, civil, and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
Copyright Act of 1976
Foreign Corrupt Practices Act of 1977
Computer Fraud and Abuse Act of 1986
Computer Security Act of 1987
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)