⟩ Password Management questions
* Who knows the passwords for systems that perform critical business functions?
* Do we regularly change passwords on critical systems?
* Do we require end users to change their passwords? How often?
* Do we educate end users about good password choices? (e.g. avoid family names and dates, use a password longer than 6 characters, don’t use words found in dictionaries, include numerals in the password).
* Do we discourage sharing of user names and passwords among multiple people?
* Do we provide tools to help people choose strong passwords? (Note: some system administrators use automated tools to scan the user database or password file for easily-guessed passwords.)
* Do our systems “lock out” an account after a pre-determined number of failed login attempts?
* How do we manage which people have privileged access to our systems? Do we periodically review which people have “root” or “superuser” or “administrative” privileges on systems? Do we have a procedure to remove privileges for employees who have left the university? Do we remove privileged access when an employee no longer needs it?
* Do we ensure that in case of emergency someone will have passwords for critical systems (for instance, if the primary system administrator is unavailable)?
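As an added example that is not part of the checklist itself, the Python audit below puts the password-choice criteria and the administrator scan mentioned above into code: it applies the listed rules (longer than 6 characters, at least one numeral, no dictionary words, no family names or dates) to a constructed set of accounts. The word list, name list and account data are placeholders standing in for a real dictionary file, a local names list and the site's own user store.

```python
import re

# Constructed placeholders: a real audit would load a full dictionary file
# (e.g. /usr/share/dict/words) and a list of local family/staff names here.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "monkey"}
LOCAL_NAMES = {"smith", "jenny", "alice"}
MIN_LENGTH = 7  # the checklist asks for passwords longer than 6 characters

def password_weaknesses(pw, dictionary=DICTIONARY, names=LOCAL_NAMES):
    """Return the checklist rules a password violates; an empty list means it passes."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if not re.search(r"\d", pw):
        reasons.append("no numeral")
    # Drop digits and punctuation so "Summer2019!" is still caught as a dictionary word.
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core in dictionary:
        reasons.append("dictionary word")
    if core in names:
        reasons.append("family/personal name")
    # A four-digit year anywhere, or a password that is just a 6- or 8-digit date.
    if re.search(r"(19|20)\d\d", pw) or re.fullmatch(r"\d{6}|\d{8}", pw):
        reasons.append("looks like a date")
    return reasons

def audit_accounts(accounts):
    """Return {username: weaknesses} for every account that fails a rule.
    `accounts` maps usernames to plaintext candidates (a test store); against a
    hashed password file the same rules are applied to each guess before hashing."""
    findings = {}
    for user, pw in accounts.items():
        weak = password_weaknesses(pw)
        if weak:
            findings[user] = weak
    return findings

# Constructed sample accounts for the demonstration.
SAMPLE_ACCOUNTS = {
    "jsmith": "Smith1985",     # family name plus birth year
    "dba": "dragon",           # short dictionary word, no numeral
    "hr": "Summer2019!",       # dictionary word padded with a year
    "root": "19850312",        # a date written as digits
    "ops": "x9!Kq2#vL7",       # passes every rule
}

if __name__ == "__main__":
    for user, weak in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(weak)}")
```

Run against a real user store, the output is the list an administrator would hand back to users (or feed into a forced password change) when answering the scanning question above.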