Information Systems Security Policy

Provisions: For purposes of this document, information technology (IT) will refer to the hardware, software, and infrastructure that will be used to provide automated solutions to Jay Group. Information Technology (IT) will refer to the staff and consultants responsible for implementing and maintaining said automated solutions for Jay Group.

This document establishes information technology (IT) planning, acquisition, support, and security procedures for Jay Group.

Its purpose is to provide the procedures and policies for the coordination of the organization’s automated IT solutions to preserve the integrity of the data and systems within Jay Group’s established network infrastructure and support resources.

Information Technology is responsible for managing the selection process, operation, maintenance, and distribution of automated technology solutions related to the computer systems of Jay Group. IT develops and maintains the infrastructure of the network which includes wiring, network connectivity hardware, internet service, network access for staff and/or consultants, and any other associated hardware or software that enables electronic access and storage of materials on Jay Group computers and related systems.

Information Technology is also responsible for the security and integrity of Jay Group’s electronic assets. These responsibilities include the development, dissemination, and continuous updating of procedures and policies related to the computer systems and electronic assets of Jay Group. These responsibilities also include the review of the technical credentials for consultants, vendors, technical staff, and technology partners for Jay Group. Along with the review of the technical credentials for staff positions at Jay Group that require specialized technical ability and experience, the IT staff is also responsible for assessing the technical suitability for employment with Jay Group for all projects and departments. Certain aspects of the security, integrity, and continued operation of the network and computer systems are also the responsibility of the users of those systems. This document will outline those responsibilities and the procedures for integrating the networked computer systems into the day-to-day operations of Jay Group.

Policy: Jay Group provides all employees with access to computer systems and office automation systems for use relevant to individual job responsibilities and professional development. To ensure that information technology and information services are used to further Jay Group philosophy and objectives and to provide structure regarding its use, the following guidelines will apply.

Applicability: All employees, clients, vendors, independent sales representatives, as well as anyone else connecting to Jay Group Systems are covered under this policy.

 

Security

Logical security of Jay Group’s data and computer systems is the responsibility of all employees and consultants who are provided access to the systems.

  1. Employees will not utilize any options that allow for automatic login or retention of login information such as passwords. Using automatic login functions that could allow other users to gain access to organizational data systems or network services is prohibited. Password sharing is also strictly prohibited. This policy is especially important for employees who access Jay Group network services from their home computers and employees who use Jay Group’s portable (laptop) systems.
  2. No employee will share personal access information with other staff or non-employees for any reason. Employees who share personal access information are subject to immediate loss of all access and disciplinary action up to and including immediate termination of employment.
  3. Any employee who accesses systems or files or provides access to systems or files to other staff or non-employees without proper authorization is subject to disciplinary action up to and including immediate termination of all access to the computer systems and immediate termination of employment.
  4. If it is deemed necessary for reasons of extended absence, illness, termination or inability to complete necessary work that an employee (secondary) must access another employee’s (primary) files, a security request must be submitted before access is given. Access to another user account will not be permitted except in special circumstances (i.e., termination of an employee where use of the terminated employee’s account is the only way to gain access to the files or resources). In these instances, IT will temporarily change all access login information for the accounts of the primary employee which are to be accessed by the secondary employee under the following conditions: A security request is submitted through the help desk database requesting access to the data or resource; The request must be submitted by the user’s supervisor, manager, or director; The request is kept within the help desk database and retained for audit trail; The Administrator will grant individual access rights to the user at the most restrictive level; and The Administrator will advise the user when rights have been granted.
  5. Upon return to active status by the first employee, the primary accounts will again be changed to provide access to the primary employee and terminate access of the secondary employee.
  6. Administrators must test and evaluate access periodically to ensure they are working properly. Deviations from policy must be documented, reported to management and corrected.

 

Non-employees of Jay Group will not be provided access to organizational data files or computer systems without prior written request for that access by the department Manager.

  1. Non-employees include temporary staff, consultants, contractors, and any individuals or groups who are not bound by Jay Group’s policies and procedures.
  2. Requests for access will be reviewed by IT and discussed with the department Director or the Director’s designated contact within that department, if necessary, before any access is provided.
  3. Approved access for non-employees will not, under any circumstances, allow the ability to access sensitive or confidential data or any access to the network that could cause damage, loss of data, theft of data, or loss of network stability.

 

IT will provide access to computer systems and data appropriate to the employee’s job responsibilities.

  1. Changes in employee status must be communicated to the IT Administrators by the employee’s Supervisor using the Security Request Form.
  2. If any change in employee status requires different system access, this change of status must be provided to IT through a help desk security request five days prior to that change of status becoming effective.

 

Any breach of security procedures for the computer systems and/or organizational data will be corrected immediately by IT, without notification to the employee responsible for the breach of security.

  1. After the breach in security is corrected, HR along with the employee’s Director and supervisor will be notified and appropriate action will be taken by HR and the Director. This action may include termination of the employee.
  2. Any employee who breaches security which causes a loss of data, theft of data, loss of network services, or causes damage of any type may be held financially responsible for recovery of the data, services, or equipment affected by the breach.

 

Jay Group maintains areas of the building designated for network operations. These areas house servers and other crucial equipment vital to the operation of the network. These areas will remain locked at all times and access will be given to authorized personnel only.

  1. Physical access to servers and the network operations area will be given only to those personnel who have responsibilities for maintaining that equipment. Access is defined in the Data Center Security Policy.
  2. These areas are controlled by additional security access procedures that include punch button access codes, rack level key access, and badge readers to gain entry to the area.
  3. Network and communications equipment must be located in a physically secure area where access is restricted to individuals authorized by management, and office traffic is minimized. Physical access controls must incorporate, but not be limited to, some of the following techniques: Door locks (e.g., key, electronic, cards); Security procedures, which include controlled access procedures (e.g., photo IDs, visitor procedures, access logs) to the data centers.
  4. Access will only be provided to those areas that are required by the staff to perform any of their job responsibilities.
  5. Consultants or other vendors, staff, or contractors who may have need for temporary access to this area will be escorted at all times by an authorized staff person. At no time is any individual or party who is not authorized to access this secure area to be left unattended.
  6. Accounts, passwords, and remote access telephone numbers must not be displayed or embedded within the network or applications. Any storage of group or admin passwords must be kept within a controlled and auditable database for reporting and tracking.
  7. Areas designated for network operations may be remotely monitored by security surveillance mechanisms including audio and video monitoring. All recordings will be kept for a minimum of 90 days.

 

Jay Group issues mobile equipment to some employees. Additional requirements apply as follows:

  1. All users of mobile equipment must sign a Mobile Equipment Security Awareness Form. The original form will be retained in the user’s Human Resource personnel file. (Appendix A – Mobile Equipment Form)

 

PC Security

  1. For security purposes, employees are responsible for locking their workstation when walking away from their desk to prevent unauthorized use of their access. Logon/Logoff Procedures can be found in Appendix A (Logon/Logoff Procedures).
  2. Workstations will be set by group policy to automatically lock after 15 minutes of inactivity.
  3. Employees must log out of all systems at the end of the working day.
  4. Access to JG systems will be provided to named employees only. No generic, group or temporary non-named accounts will be created, and under no circumstances will users share their account. (Appendix A – Password Policy)

 

Requesting Assistance

Requests for assistance with computer systems will be submitted via the Help Desk Request Form available on JayNet.

  1. All staff is required to use this process for requesting assistance of any kind related to computer or network issues.
  2. Help desk requests, when submitted through this form, are automatically entered into the HelpDesk database to provide detailed information for IT staff and the ability to track time and resolution procedures.
  3. Help desk requests are maintained for reporting purposes, time management planning for IT, and identification of future training needs for Jay Group staff.
  4. By using this process, staff is assuring that their requests for assistance will receive the necessary time and attention of IT to resolve computer related issues.
  5. The only exception to this process is when there is no possible access to the web form to submit the request. (An example of this situation would occur if a staff person were offsite at a conference or training and was unable to connect their computer to the web.) In this instance, the alternate procedure for requesting assistance would be to contact a staff person at Jay Group and have that staff person submit the request for the employee who needs assistance.

 

Remote Access to Jay Group Network

Employees may be provided remote access to Jay Group’s network. Access will be granted only to those employees who require this access to complete or fulfill their job responsibilities.

  1. Remote access will be granted to employees only through a help desk security request. This request must be submitted by the employee’s supervisor or manager.
  2. Remote access is to be utilized for work related business only. While an employee is connected to Jay Group network they must adhere to all processes and procedures as if they are at a Jay Group facility.

 

Misuse of remote access privileges will result in cancellation of the remote access.

Non-employees required to remotely access Jay Group systems are required to use a secure VPN connection, run up-to-date antivirus software, and run a personal firewall.

 

New Employee Processing

New employee information will be submitted to IT by the supervisor immediately after position acceptance. A minimum of 5 days notification is needed prior to the first day of employment to allow time for ordering and receipt of equipment and software, updating inventory records, system personalization, reconfiguration of existing equipment, and network service access assignments.

Submission of new employee information is handled through a help desk security request. This form logs the new employee information into a database for reference by the IT staff that will create the necessary access accounts.

Upon receipt of the New Employee Request, IT will initiate network access appropriate to the employee’s responsibilities. This access information will be provided by the manager or supervisor through the above mentioned form.

Upon completion of the system and account setup process, the security request will be marked completed and the supervisor will receive an email stating that the request is complete.

The new employee and her/his manager or supervisor need to coordinate with Training and Development for initial computer training. Initial orientation to the computer systems will vary based on the user’s experience and job responsibilities at Jay Group.

The new employee will receive her/his password and login information for access to network services at the time of training.

It is the employee’s responsibility to schedule further training as necessary.

New Employees will be provided a copy of the Information Security Policy. They are required to read and then sign the acceptance form, along with their supervisor. This form is to be retained by HR within the employee’s file. Spot checks may be done by IT management to verify signing of the form.

 

Employee Termination Process

For security reasons, IT will need to be informed of employee separations immediately by HR, or by the employee’s manager when HR is unavailable.

In situations of employee involuntary separation, IT must be informed simultaneously.

Access to data files used by the terminating employee will be reassigned after a help desk security request has been submitted. Files to be reassigned will be identified by the department manager of that employee. This information needs to be relayed to IT to coordinate the transfer of files and security of any sensitive data.

  1. The employee and manager or supervisor will be responsible for identifying data to be transferred and initiating the transfer of that data. IT will assist with that transfer if necessary. It is not the responsibility of the IT Department to be custodians for the data of the terminating employee.
  2. IT will disable all system accounts on the organization’s network upon final termination status.
  3. Any Jay Group hardware, software, archived data files or other company property will be returned to the organization prior to the last day of employment. IT will inventory appropriate materials assigned to the employee to ensure that all items have been returned. It is the responsibility of the supervisor to coordinate returns of hardware, software, and data files to Jay Group’s control.
  4. Jay Group will not be responsible for maintaining or transferring any personal data contained on the organization’s computer systems as all data on company systems is the property of Jay Group.

 

Administration – General

Administrators and operators must be defined to prevent, detect, and correct unauthorized access to the network’s hardware, software, and data to ensure the network’s continued operation and security surrounding the network.

IT Management is responsible for identifying and defining the specific individuals that will perform administrator and operator functions.

These individuals will be responsible for maintaining the overall security of the network and will be responsible for enforcing all network compliances affecting Jay Group as well as any industry standard security measures.

All administrators must be adequately trained to perform their required functions and responsibilities.

Administrators are responsible for:

  1. Obtaining appropriate approval of all changes.
  2. Updating or writing procedures for network security.
  3. Defining appropriate access rights.
  4. Ensuring there is a proper security request with all pertinent information for the creation, modification or deletion of an account.
  5. Creating a valid and unique user name.
  6. Assigning the proper security to the account.
  7. Allocating and assigning standard directories and shares.
  8. Applying network password restrictions (see Password Policy).
  9. Applying user log-in restrictions (see Account Management).
  10. Auditing network changes through manual review of logs or with automated reporting tools.

 

Administrators are responsible for procedures for network configuration.

Administrators are responsible for network security monitoring.

Administrators are responsible for tracking and reporting violations and suspicious activity immediately to management.

 

Administration of Directories and Shares

Administrators are responsible for ensuring network directories and shares are adequately maintained including:

  1. Logically organizing directories and shares to enable access security features to be assigned.
  2. Adhering to default directory and share permissions.
  3. Application software should be installed in the same directory on all servers and/or workstations to simplify administration and troubleshooting.

 

Administration Network Configuration

For continued functionality and operation of a network, appropriate action must be taken to ensure the configuration is planned and properly implemented.

  1. All network component changes must be performed using individual user accounts where applicable. Group or admin accounts may be used when no other access is available or when changes can only be made using the admin or group account. Any use of an admin or group account must be documented to ensure appropriate auditing.
  2. All network security changes must be documented.
  3. Installation configuration standards for servers, routers, switches, firewalls, and critical systems must be maintained and reviewed every 6 months or sooner if current standards are no longer adequate.
  4. Network diagrams must be maintained and updated when changes are made. Network diagrams will be reviewed every 3 months and must be kept within a secured area on the network file system.
  5. All architectural changes to the network must be reviewed and approved by the Network Architect, or by the Technical Services Manager if the Architect is unavailable.
  6. Administrators must perform all network configuration changes.
  7. A list of servers and network gear must be maintained, along with the function of each.
  8. A list of approved and supported software must be maintained.

 

Electronic Communications

Provisions: Electronic communications, including computer files, voice mail, electronic mail (“e-mail”), are not anonymous. Sender and receiver can be determined and the content of any message may be viewed by others within Jay Group. A password is not intended to ensure the privacy of electronic communications. Instead, it serves to provide a minimum level of security to Jay Group media by restricting access to only those who bear valid passwords. Preventing a person from outside of Jay Group from gaining access to Jay Group internal media is not the same as affording privacy to the communications of media users. However, ALL work-related information should be regarded as confidential. This policy reaffirms Jay Group’s policy on Confidentiality as outlined on pages X – X of the Employee Handbook. – HR – is this in our handbook?

Confidentiality Statement: E-mail is not a private form of communication and should not be used to send personal information or discuss private matters about anyone, including yourself, unless disclosure of that information within Jay Group is acceptable to you. This also applies to voice mail and computer files. Any defamatory, threatening or derogatory remark about any person or group of persons is prohibited. Any employee who violates this policy may be subject to disciplinary action, up to and including termination.

 

DISCLAIMER

This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the information contained in this message. If you have received this e-mail in error, please notify the sender and delete this e-mail message. The contents do not necessarily represent the opinion of Jay Group.

 

Appropriate use of the Internet

Internet access is primarily provided by Jay Group for business purposes only. Any personal use of the internet should be kept to a minimum. If a user is found to be using the internet for excessive personal use or creates a business impact as a result of their actions, said user may have their access severely limited or shut off. Such a violation could involve disciplinary action as well as termination.

Jay Group uses a product called Websense to restrict access to unsafe sites or those deemed inappropriate for viewing by HR. If a site is blocked and the user requires access to it for business purposes, they may submit a request by following the instructions on the block page. These requests will be reviewed by both HR and IT and a determination will be made.

Only those employees or officials who are authorized to speak to the media, to analysts or at public gatherings on behalf of Jay Group may speak/write in the name of the company to any newsgroup or chat room. Other users may participate in newsgroups or chats in the course of business when relevant to their duties, but they do so as individuals speaking for themselves.

Jay Group has established an Internet firewall to ensure the safety and security of the company’s networks. Any employee who attempts to disable, defeat, or circumvent any company security will be subject to disciplinary action.

 

Inappropriate uses of the Internet

Uses that violate Jay Group’s policies:

  1. No employee may use the Internet to access or convey information, or for any use that is in violation of, or prohibited by, any Jay Group policy.
  2. Use that is protected by State and/or Federal law.

 

No employee may use the Internet to access or convey information in an unlawful manner, or for any unlawful purpose.

  1. This includes downloading or copying information or programs in violation of copyright and software licensing laws.
  2. Use to gain unauthorized access to other computer systems.
  3. Use to intentionally distribute or receive destructive programs (e.g., viruses and/or self-replicating code).

 

Other inappropriate uses:

  1. Internet access may not be used for any employee’s commercial or profit-generating activities.
  2. Internet access may not be used for personal advertisements, solicitations, promotions, or any other like purposes.

 

Downloading documents, programs, and other executable files:

  1. The downloading of programs and other applications poses a substantial risk of computer-virus infection and potential incompatibility with existing hardware and software programs on the Jay Group Network.
  2. Use of the internet generally does not require that the user download programs. As a general guide, if you are told that you must first download software in order to view or access a website, DO NOT proceed without approval from the Information Technology Department.

 

Anonymous or encrypted communications:

  1. Communications using any electronic mode are not anonymous; sender and receiver can be determined and the content of any message may be viewed by others within Jay Group.
  2. All electronic communications must have your name attached, and no messages may be transmitted under a false or assumed name.
  3. No electronic communication may be encrypted in an effort to avoid security review by Jay Group.
  4. Users shall not attempt to obscure the origin of any message.

 

Interception of electronic communications:

  1. Notwithstanding the above, no employee may access, retrieve, read, or listen to electronic communications of another individual without the prior consent of that individual or the authorization of the Department Manager or the Human Resources Director.

 

Internet access privileges:

  1. Under no circumstances should an employee ever be logged in under someone else’s user name or use any machine on which they have not logged in under their own name unless expressly authorized by the account holder.
  2. When an employee uses a machine not assigned to him/her, they should, out of courtesy, ask permission of the employee who is assigned to that particular machine.

 

Internet security:

  1. Accessing Internet sites may identify to third parties both the user’s name and Jay Group’s name. Appropriate caution must be exercised in accessing sites.
  2. Disclosing privileged and/or confidential information must be avoided. Many web sites have software that can identify the user accessing the site – when you access sites, be aware that your access may be tagged or identified with your name and Jay Group’s name.
  3. The intentional access and use of sites in a manner that could compromise Jay Group in any way is strictly prohibited and could result in disciplinary action up to and including termination.

 

Monitoring of internet use

Jay Group tracks all internet usage by all employees, visitors, and vendors while they are using Jay Group-provided equipment and/or are connected to the corporate network, with no exceptions.

Jay Group reserves the right to review and disclose such records or information with or without prior notice.

Violations of electronic communications policy

  1. Employees who violate Jay Group’s Internet Policy may be disciplined, up to and including termination of employment.
  2. Jay Group reserves full discretion to change these guidelines, limit internet access to certain areas or to certain individuals, or discontinue internet access altogether, if conditions (such as disregard of these guidelines, a security breach, or decreased productivity) warrant.

 

E-Mail Policy

All e-mail and associated system resources are the property of Jay Group. E-mail is subject to the same restrictions on its use, and the same review process, as is any other company-furnished resource provided for the use of employees. Its use and content may be monitored at any time.

E-mail usage must be able to withstand public scrutiny. Users must comply with all applicable legislation, regulations, policies and standards. This includes complying with copyright and license provisions with respect to both programs and data.

Users may not:

  1. use e-mail for commercial solicitation or for conducting or pursuing their own business interests or those of another organization
  2. use e-mail to distribute hoaxes, chain letters, or advertisements; and/or send rude, obscene or harassing messages
  3. use e-mail to propagate viruses, knowingly or maliciously
  4. send or receive any credit card information

 

Users must not send, forward and/or reply to large distribution lists concerning non-Jay Group business. In addition, users must consider the impact on the network when creating and using large, work-related distribution lists.

Alleged inappropriate use of the e-mail technology will be reviewed by management on a case by case basis and may, for employees, lead to disciplinary action up to and including dismissal. For contractors, it may lead to cancellation of the contractual arrangement.

Users are responsible for ensuring that their use of e-mail technology is appropriate and consistent with this policy.

Users should carefully consider the intended audience, tone, formality, and format for all e-mail messages.

Any message received which is intended for another person should be returned to the sender. All copies of the misdirected message should be deleted after it has been returned to the sender. An incorrectly addressed message should only be forwarded to the intended recipient if the identity of that recipient is known and certain.

The sending of large attachments (for example, greater than 10 megabytes) to large distribution lists should be avoided because of the impact on the network. If there is a need to send a large e-mail, please contact the help desk at extension 6320 for assistance.

If a message is sent to a distribution list, recipients should consider whether the response needs to go to everyone on the list or just to a select group.

E-mail messages may be misinterpreted. Missing body language and tone can cause what was meant as a casual or humorous message to be taken other than intended. If a message generates an emotional response, the recipient should carefully consider what an appropriate or professional response is. Also, the recipient should consider if a response is needed at all and react accordingly.

E-mail is not to be used as a personal advertisement tool. E-mail is not to be used to sell or exchange personal items.

 

Virus, Spyware and Malware Policy

In this day of constantly proliferating computer viruses, Jay Group needs to be concerned about protecting the data that is stored on its computer systems from contamination by both annoying and destructive programs.

Server Protection:

  1. Real time software protection is required on all Jay Group servers.
  2. All files on the network will be subject to on-access scanning as well as weekly scans.

 

Client Protection:

  1. Real time software protection is required on all computer workstations attached to applicable Jay Group computer file servers. This includes all mobile computer equipment and workstations accessing Jay Group servers from home or other remote locations. Weekly scans will be performed.

 

This software must scan all local drives at the workstation whether the file is received from a data source at Jay Group, or from an outside source (floppy disk, Intranet, Internet, email).

This software must detect known viruses, spyware and malware, report the detection to a centralized management system, and be able to take appropriate automated action.

The software must be capable of receiving automatic updates from a central server that continually checks for new updates.

The Administrator for Virus Protection is responsible for the following:

  1. Reviewing automated messages from the central management server when new violations occur or if an outbreak is detected.
  2. Running weekly reports to ensure signatures are kept up to date on servers and workstations.
  3. Reviewing any alerts from industry-standard sources on possible new viruses and taking appropriate measures within the Jay Group Network.
  4. Monitoring all virus reporting from the virus detection software and reporting any significant events to management.

 

Review and Modification of the Information Systems Security Policy

This policy will be reviewed every six months or sooner as deemed necessary by the Data Security Team. Notification of changes to these policies and procedures will be disseminated to all staff by Human Resources.

 

APPENDIX A

Logon/Logoff Procedures

Password Policy

Data Center Access List

Security Request Form

Mobile Equipment Form

 

Logon/Logoff Procedure

When a user logs onto Jay Group systems, he/she has the ability to access sensitive electronic data for both Jay Group and our clients.  Your Username and Password are what give you this access.  Certain User profiles have more access rights than others.  This is the reason why users are prohibited from sharing their profiles with other users.  Sharing your username is not the only security risk that we face.  Securing your PC when you are not at your desk is just as important.  The following are a few guidelines that Jay Group employees must follow:

Guidelines:

  1. When you leave your desk, Jay Group security policy states that you must lock your workstation.  This can be accomplished by pressing Ctrl+Alt+Delete and then selecting Lock Computer.
  2. If you will be away for longer than 15 minutes, please log out of any AS/400 connection; after 15 minutes this logoff will happen automatically.
  3. If you plan on leaving your desk for an extended amount of time (one hour or more), please close all open applications and log off; after two hours you will be automatically logged off.

 

Password Policy

Responsibility

Department Supervisors and Managers are responsible for the creation of all new employee security requests.

The Security Administrators are responsible for the maintenance and auditing of all security including passwords for Jay Group logons.

All individuals that are provided with a user logon to any system are responsible for the confidentiality of those logons.  Your logon consists of a username and password and will not be shared or discussed with any other employee.  A violation of this policy will result in one of the following:

  1. First Offense:  Verbal and documented warning and counseling by the Supervisor/Manager.
  2. Second Offense:  Written warning.

 

If the violation is of a sufficiently serious nature, suspension and/or discharge on any of the Offenses may be exercised. The employee may also be held legally liable depending upon the seriousness of the offense.

Writing your password down and keeping it in a visible or guessable area is also a breach of security and will be treated the same.

 

Password Criteria

The following criteria are on a system-by-system basis and may vary slightly.

  1. New user accounts are created with the temporary password: (will be randomly generated)
  2. This password is valid for 30 days; if the account is not used by the end of the 30 days, it is locked out.
  3. The first time that you log on you will be prompted to change your password.  Please keep in mind the following requirements:
  4. Your Username is not case sensitive; however, your password is.
  5. Your password must be between 8 and 64 characters long.
  6. Should start with a letter.
  7. Should not be the same as your username.
  8. Should NOT duplicate letters (ex. fluffy, ff)
  9. Must contain letters and at least 1 number.
  10. May contain other characters (!@$&^)
  11. May be a phrase (SmilebEhappY)
  12. Remember, your password is not to be shared with anyone, and it is a violation of the JG security policy to do so.
  13. Account Lockout: Lockout will occur after 5 bad logon attempts. Lockout duration is forever or until an administrator unlocks the account.
  14. Changing passwords: If you have forgotten your password or your password has been disabled/locked, your Manager/Supervisor will be responsible for contacting the Security Administrator or Help Desk. Help Desk hours are Monday through Friday from 8 am to 5:00 pm.  Off-hours password resets may be accomplished by calling the after-hours Help Desk line 6320.

 

Audit

An audit of all company level passwords will be conducted on a random basis by the security administrator to ensure that the password policy is being enforced and that a password has not been “forced” to be outside the requirements of the password policy.  Any passwords that have been created outside of the policy guidelines will be changed when found and require the user to reset that password immediately.