Handbook of Operating Procedures
Chapter 11 - Information Technology
Previous Publication Date: April 4, 2023
Publication Date: April 16, 2024
Policy Reviewed Date: November 27, 2023
Policy Owner: VP for Information Technology


11.12 Password/Passphrase Change Policy


I. POLICY STATEMENT


It is the policy of The University of Texas at San Antonio (UTSA) to provide an effective and efficient platform for the information needs of a diverse academic and research community. Effective technology infrastructure must provide a highly secure environment that provides the needed confidence that information is protected from unauthorized uses inconsistent with the missions of UTSA. Passwords/Passphrases are a key aspect of information security and are the front line of protection for User accounts.


II. RATIONALE


All UTSA employees, contractors, vendors, and other individuals with access to the UTSA network(s) are responsible for protecting this aspect of the information security system and shall adhere to this policy. This Policy establishes a standard for the creation of strong passwords/passphrases.


III. SCOPE


This policy applies to all UTSA staff, faculty, and student workers who have access to any Information Technology Resource that supports or requires a password/passphrase that resides in or is connected to any UTSA Information System.


IV. WEBSITE ADDRESS FOR THIS POLICY


http://www.utsa.edu/hop/chapter11/11.12.html


V. RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS


  1. University of Texas System Policies or the Board of Regents' Rules & Regulations
    1. UT System Policy UTS 165, UT System Information Technology Resources Use, and Security Policy.
    2. UT System Policy UTS 178, Required Reporting of Significant Events.
  2. UTSA HOP Policies
    1. UTSA HOP Policy 11.01, Acceptable Use Policy
    2. UTSA HOP Policy 11.06, Application Administrator Policy
  3. Other Policies and Standards
    1. Title 1 Texas Administrative Code, Part 10, Chapter 202, Subchapter C.
    2. Higher Education Opportunity Act of 2008.
      * Please see notation below.

VI. CONTACTS


If you have any questions about HOP policy 11.12, Password/Passphrase Change, contact the following offices:

  1. Office of Information Security
    210-458-7974
    informationsecurity@utsa.edu
  2. University Technology Solutions
    210-458-4555
    techcafe@utsa.edu

VII. DEFINITIONS


  1. Application Administrator: An employee who manages an application on a day-to-day basis. The Application Administrator is responsible for ensuring the application is set up and managed in accordance with UTSA policies and UTSA Security Standards.
  2. Data: Information that is recorded, regardless of form or media, and used to support the mission of UTSA, whether in an administrative, educational, or research capacity. Data may be saved or transmitted in hard copy (printed or written), digital/electronic (including video, audio, images), or other formats.
  3. Data Custodian: The Data Custodian is responsible for the day-to-day maintenance of UTSA Information Technology Resources. In some instances, this responsibility is assigned to a Department, Vice President Unit, or College employee, a third-party vendor, research collaborators, visiting scholars, or UTSA Tech Solutions.
  4. Data Owner: The Department or College manager or agent responsible for the business functions supported by the Information Technology Resources or the individual upon whom responsibility rests for carrying out the program using the Information Technology Resources. The Data Owner collects the Data, is the primary controller of a Data asset, or is the Principal Investigator (PI) of a UTSA-managed research project or sponsored program.
  5. Information System: An interconnected set of Information Technology Resources under the same direct management and control that shares common functionality. An Information System normally includes hardware, software, information, Data, applications, communications, and people.
  6. Information Technology Resources: The procedures, equipment, facilities, software, and Data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. This may include, but is not limited to, any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing websites, or otherwise capable of receiving, storing, managing, or transmitting Data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, mobile devices, pagers, distributed processing systems, network-attached and computer-controlled medical and laboratory equipment (e.g., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and hosted services.
  7. Data User: With authorization from the Data Owner, the Data User is any person who accesses, reads, enters, or updates information, Information System, and/or Information Technology Resources whether done individually, through facilitation, or responsibility for an automated application or process.

VIII. RESPONSIBILITIES


  1. Application Administrator: Follows all applicable procedures as specified in this Policy and related standards. Ensures the application and its Data Custodians are protected against unauthorized access and unlawful use. Notifies the OIS and/or Tech Café in the case of any security event.
  2. Data Custodian: The Data Custodian assists with the ongoing operational tasks of managing information assets.
  3. Data Owner: Data Owners ensure compliance with this Policy, apply for exemptions when justified, and accept residual risk when security threats cannot be further mitigated. Data Owners approve or deny requests to access Data, periodically review access assignments, and take corrective action if inappropriate access is detected. Data Owners designate Data Custodians. Data Owners also designate Data Users and set the rules and procedures for access to the Data.

IX. PROCEDURES


  1. Data User Authentication
    1. Every Data User must be assigned a unique user account (UTSA ID) and a password/passphrase for access to the UTSA Information Systems. Shared or group user IDs are prohibited unless specifically approved by University Technology Solutions and/or OIS. Information Systems must authenticate using a password or passphrase. The use of non-authenticated UTSA IDs (i.e., those without passwords/passphrases) or UTSA IDs not associated with a single identified Data User is prohibited. Multifactor authentication is required for all Data Users accessing UTSA Information Systems remotely.
  2. Passphrase Creation and Utilization
    1. Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words.
      1. All Information Technology Resources (includes desktops, laptops, servers, peripherals, and network hardware such as switches, routers, and firewalls) are covered by on-site warranty agreements with response times to meet business continuity needs.
      2. A good passphrase is relatively long and may contain a combination of uppercase and lowercase letters as well as numeric and punctuation characters.

X. SPECIAL INSTRUCTIONS FOR IMPLEMENTATION


None


XI. FORMS AND TOOLS/ONLINE PROCESSES


None

XII. APPENDIX


None


XIII. DATES APPROVED/AMENDED


04-16-2024
04-04-2023 (SB17)