Requirements and procedures are in support of governing Columbia University IT Policies and CUIMC Information Security Procedures.
Accounts used at CUIMC—including email—must be kept secure to protect the information that they access. Practices such as sharing an account, using a weak or easy to guess password, writing down usernames and passwords, or neglecting to notify the system administrator(s) of an account no longer being used are examples of improper security that can easily lead to the release of sensitive, confidential or internal information.
Violating account and password use requirements can result in suspension of the account and access to institutional resources including the wired and wireless networks. Some incidents may also result in the need to report to University and federal authorities for academic, occupational and legal discipline and penalties.
Requirements
The following apply for all University accounts.
NOTE: Most requirements can be found in Section III B of the Information Resource Access Control and Log Management policy text.
- Do not share your account and password with others
This is a direct violation of one of the University’s basic policies. It applies even with technical support, since the vast majority of issues can be resolved without revealing an account password. The CUIMC IT Service Desk staff will never ask for your password.
- Keep your password secure and protected
- Do not write down your account and password information, especially near your computer.
- Change your password immediately if you suspect that someone else knows it.
- See Account and Password Management at the bottom of this page for University, CUIMC, and NYPH password management tools.
- Use a good/strong password
A strong password is designed to be very complex and therefore very difficult to crack or guess. To be sufficiently complex, it must:
- Be over 8 characters long
Those for System Administrators or Service Accounts must be at least 16 characters.
- Contain mixed case letters, numbers, and special characters
- Not contain a word that can be found in a dictionary or common proper noun unless the password has more than 12 characters
- You should also avoid using something that would be easy for those who know you to guess, including the name(s) of your spouse, children, pets, favorite sports teams, or a nickname.
- Passwords for MC/CUIMC email accounts must also pass a check against the global banned password list which does not allow known weak passwords and their variants.
- Do not use your existing University password for non-University accounts
A data breach or attack at an external company will leave your account and University information at risk if you use the same password.
- Only use your account for its authorized and intended purposes
- Set an automatic password-protected screensaver or lock on computers and devices
- Refrain from using any password saving options in a program or application
If a laptop or other device has stored your password for an email program or website, there is one less security barrier against unauthorized access; you are also more likely to forget a password if you do not type it in regularly.
- Passwords are changed every 45-180 days
For centrally managed UNI accounts only (this does not apply to MC or other accounts), users who have enrolled in Multi Factor Authentication (MFA) for UNI logins to all Columbia University central web applications (i.e., MFA All) are no longer required to periodically change their UNI passwords.
- Passwords may not be reused until two additional passwords have been used
- Log off from a system, computer or other device when done
This is especially true in an area where others can potentially access the equipment or program.
- Do not use non-University systems for institutional business
If external vendors have stored, have access to, receive, or operate an information asset, or perform a business function that relates to the use of electronic protected health information (ePHI), then these vendors must have a Business Associates Agreement with Columbia, which has been signed by the HIPAA privacy office.
- Immediately report suspected or confirmed compromise of sensitive and confidential data
- Make sure that accounts no longer in use are reported and disabled
Accounts that are not needed provide malicious attackers with more points of entry to try to access institutional information and resources.
Additional Guidelines
If you have a login for a system, especially one that can access sensitive data, you should expect that the access can be tracked and that you can be held responsible for policies violated under your account if someone else is able to log in with your account’s credentials.
Related Information
CUIMC Accounts
See the list of CUIMC Applications and Access for common systems used at CUIMC.
Overlap of Account IDs
There are instances where the same account ID or username provides access to one resource but not another. This is often done for the user’s convenience, but it is important to be aware that the same ID will not necessarily provide access to the same resources that a colleague may have.
It is also important to know that an account password for one ID will not automatically synchronize with other accounts if the password is changed. Common examples include:
- Logging in to myColumbia to view your paycheck and benefits using your Columbia UNI account
Access to myColumbia is created and granted when an employee's information is processed through Human Resources and/or their Department Administrator. The Manage My UNI online tool can be used for assistance.
- Logging in to a department owned computer using an MC Domain account
Access to the MC Domain is granted when requested via the Domain Account Request form, and managed by CUIMC IT. The myPassword website can be used for assistance.
The nature and variety of technical resources used at CUIMC is such that different IT groups can manage different systems, which are not able to synchronize account usernames and passwords.
Account and Password Management Tools
- Columbia UNI (University Network ID) - Manage My UNI
Change, reset, and create security questions for your Columbia UNI
- MC Domain and CUIMC email - myPassword
If you have already created security questions in myPassword for your MC Domain and/or CUIMC email account, you can use it to change or reset your password and unlock your account.
- NYPH CWID (Center Wide ID) Accounts – oneID Password Management
For help select the link to the User Guide under the About Your CWID heading.