6. Why once a year?
Auditors seem to recommend 30-day, 60-day, or 90-day expiry for business systems (most Oxford SSO accounts can be used to access at least one business system, such as the student records system, OxCORT, or GSS). We feel that this is towards the short end of common practice and is likely to introduce negative effects such as significant amounts of staff time spent changing or resetting passwords, weaker passwords (e.g. pattern-based, short, or simple), and more passwords being written down.
In our view, an expiry period that roughly matches business cycles (in our case, annual) offers a sensible mid-point: improved assurance of security is realised without overburdening users with password management.