Please upgrade your browser

For the best experience, you should upgrade your browser. Visit our accessibility page to view a list of supported browsers along with links to download the latest version.

Information Security - Account and Password Policy

This policy sets out the account and password requirements for anyone granted permission to use College IT services (e.g. software, computers and network) and those responsible for managing them.

This policy was last reviewed by the Information Security Working Group in April 2020.

This policy was last approved by Information Security Working Group in April 2020.

Purpose and scope 

The Information Security policies provide everyone (e.g. students, staff, third parties) with clear and consistent instructions, on how to protect themselves, others and College IT assets (e.g. data and services) from ever-evolving cyber threats. The policies, associated processes and procedures help reduce information-related risk to tolerable levels. 

This policy sets out the account and password requirements for anyone granted permission to use College IT services (e.g. software, computers and network) and those responsible for managing them. The College operates on the principle of least privilege, and therefore only the appropriate level of access will be provided. 

Non-compliance puts everyone at risk (including the College) from cyber threats and legal and regulatory penalties. Therefore, this may lead to the removal of IT equipment, services and account privileges. In some cases, disciplinary measures might be pursued, which may also lead to legal action. A breach may result in damage to you, your colleagues and friends, such as loss of control over personal data, discrimination, identity theft or fraud and financial loss. 

Accounts and passwords

Passwords verify an individual's identity and allow access to a device, application or website and therefore maintains the confidentiality of systems and information. Consequently, they must remain secure and a secret (known only by the account owner). 

Individuals given access to College IT services will be issued a unique ID which may include an email address. It is their responsibility to take the following reasonable steps to protect them. 

Accounts (e.g. [email protected] or [email protected] ) must: 

● be for the sole use of the individual issued to; 

● not be shared with others; 

● be logged out when finished; 

● be removed / disabled when no longer required. 

In some circumstances, an individual delegates responsibility for managing another email account but only with clear written permission from the owner. Delegation does not require sharing of account details, so please contact [email protected] for assistance. 

Passwords must

● remain unique (never use the same password for both personal and 

College accounts), confidential and secure; 

● be changed if an account has been (or suspected of being) compromised; 

● be at least 12 characters long; 

● never be shared, not even with IT Services. 

Under no circumstances should an individual request someone’s password. If they do, signpost them to this policy and if they continue, report it their line manager or IT Services. 

High-risk accounts

System-level and high privileged accounts pose a greater risk to College assets as they have extensive access to services and resources. Therefore additional steps are required: 

Individuals must: 

● periodically review privileged access and remove when no longer required; 

● respect the rights of all users, the integrity of the systems and data; 

● follow the change management process for 

● provision and revocation of privileged rights; 

● be aware they are personally responsible for privileged accounts and place them in a position of considerable trust; 

● use system or service accounts for scripts, services or other automated processes; 

● use a separate standard account for daily use if responsible for a privileged account (e.g. local, domain administrator); 

● not use an administrator account to login, unless the purpose of the session is solely to make administrative changes; 

● not conduct any general web browsing or access email using a privileged account; 

● not use privileged access to make any changes that will compromise the security or integrity of a device, application or website. 

Individuals should: 

● secure accounts that have access to sensitive data (e.g. personally identifiable information) using multi-factor authentication where possible. 

Information security policy suite 

● Information Security Policy

● Account and Password Policy

● Acceptable Use Policy

● Information Handling Policy

● Home and Remote Access to Services Policy. 

https://www.rca.ac.uk/more/about-rca/official-information/governance-new/policies-new/information-security-home-and-remote-access-services-policy/

Related policies 

● Data Protection Policy; 

● Data Breach Policy. 

Information security guidance 

● Information security training (mandatory)

For more information or to provide feedback please email 

[email protected]

This page was last updated on 

21 May 2020

This page is reviewed and updated every 6 months.