1 Policy Statement
It is imperative that users practice due diligence in controlling access to their systems by protecting their user accounts with passwords that are not easily guessed or deduced. Passwords are an important aspect of computer security: they are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the entire corporate network of XXX. As such, all employees (including contractors and vendors with access to systems of XXX) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
The purpose of this policy is to ensure that security practices are introduced and maintained by all employees with respect to password-protected information infrastructure.
3.1 IT Assets
The policy is applicable to all IT systems and services.
The documentation shall consist of the Password Policy and related guidelines.
3.3 Document Control
The Password Policy document and all other referenced documents shall be controlled. Version control shall preserve the latest release and the previous version of any document. The previous version shall be retained only for a period of two years, for legal and knowledge-preservation purposes.
Records generated as part of the Password Policy shall be retained for a period of two years. Records may be held in hard copy or on electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.
3.5 Distributions and Maintenance
The Password Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the document will be with the CISO and system administrators.
The Password Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.
The Password Policy shall be implemented by the CISO / designated personnel.
- Provides management oversight of the process for administering passwords for XXX systems
- Publishes and maintains policy guidelines for the creation, safeguarding, and control of the passwords
Information Security Officer (ISO)
- Grants access and reviews it every year to determine whether the need for access continues; if it does, re-approves it through submission of a System Access Request Form
- Prepares policy guidelines for the creation, safeguarding, and control of passwords
- Approves access to supervisor passwords and passwords for similar privileged accounts used on XXX’s network
- Communicates to the users the system access and password requirements outlined in this policy
- Informs XXX’s Security Officer when access is to be removed
- Immediately informs XXX’s Security Officer if it is suspected that password has been compromised
- Issues and manages passwords for systems and applications under their control in accordance with XXX's policy described below
- Issues passwords for privileged accounts to the primary system administrator and no more than one designated alternate system administrator; these passwords shall be changed at least every 30 days, or sooner when required by employment termination or actual or suspected password compromise
- Understand their responsibilities for safeguarding passwords
- Use XXX data in accordance with job function and company policy
- Understand the consequences of their failure to adhere to statutes and policy governing information resources
- Immediately notify the supervisor if it is suspected that password has been compromised
a. Password policy shall ensure that all user accounts are protected by strong passwords and that the strength of the passwords meets the security requirements of the system.
b. Password aging shall be enforced. A password that has reached its expiry shall cease to function.
c. Users shall be educated about password protection and the password policy shall be implemented to ensure that users follow best practices for password protection.
d. IT systems shall be configured to prevent password reuse.
e. For critical information systems, account lockout strategy shall be defined. This shall be based on a risk analysis of the system as well as the costs to be incurred in case such a strategy is implemented.
6.2 Access Authorization Requirements
- Access to XXX resources shall be controlled and shall be based on an approved System Access Request Form for each of the systems.
- Individuals shall be granted access only to those information systems necessary for the performance of their official duties; users must receive the supervisor’s and the IT Manager’s approval prior to being granted access to XXX’s information resources. This requirement includes contracted employees and all other non-XXX personnel who have been granted access.
- Passwords shall be used on all XXX automated information systems to uniquely identify individual users.
- Passwords shall not be shared with, used by, or disclosed to others; generic or group passwords shall not be used.
- To preclude password guessing, an intruder lock-out feature shall suspend accounts after three invalid attempts to log on; manual action by a security system administrator is required to reactivate the ID.
6.3 Password Parameters
All user and system passwords, even temporary passwords set for new user accounts, should meet the following characteristics:
- Be at least six characters in length
- Consist of a mix of alphabetic characters, at least one numeric character, and special characters
- Not be dictionary words
- Not be portions of associated account names (e.g., user ID, log-in name)
- Not be sequential character strings (e.g., ABC or 123)
- Not be simple keyboard patterns
In addition, users are required to select a new password immediately after their initial login. Passwords must be changed at least every 15 days. Previously used passwords may not be re-used.
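The Section 6.3 parameters are concrete enough to enforce at password-change time. The checker below is an added example, not part of the original policy, that implements each rule above as a separate test and reports every rule a candidate password breaks. The tiny word list, the US QWERTY keyboard rows, the three-character run length used to detect sequences and keyboard patterns, and the three-character minimum for an account-name fragment are assumptions made for illustration; a real deployment would load a full dictionary.

```python
"""Added example (not from the original policy): a checker for the
Section 6.3 password parameters. The word list, keyboard rows, run length
and account-fragment length are assumptions made for illustration."""

import string
from typing import List

MIN_LENGTH = 6  # Section 6.3: at least six characters

# Constructed, deliberately tiny stand-in for a real dictionary word list.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

# Rows of a US QWERTY keyboard, used to detect simple keyboard patterns
# such as "qwerty" or "asdfgh" (assumption: three adjacent keys count).
KEYBOARD_ROWS = ("`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./")

PATTERN_RUN = 3  # an ascending/descending or keyboard run of this length is rejected


def _has_sequence_run(s: str, run: int = PATTERN_RUN) -> bool:
    """True if s contains `run` consecutive characters whose code points
    ascend or descend by exactly one (e.g. 'abc', '123', 'CBA')."""
    for i in range(len(s) - run + 1):
        window = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _has_keyboard_run(s: str, run: int = PATTERN_RUN) -> bool:
    """True if s contains `run` consecutive characters that sit side by side
    on a keyboard row, in either direction (e.g. 'qwe', 'jkl', 'ytr')."""
    lowered = s.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in lowered or frag[::-1] in lowered:
                return True
    return False


def _contains_account_fragment(password: str, account: str, min_len: int = 3) -> bool:
    """True if any substring of the account name of length >= min_len appears
    in the password, case-insensitively ('portions of associated account names')."""
    p, a = password.lower(), account.lower()
    for length in range(min_len, len(a) + 1):
        for i in range(len(a) - length + 1):
            if a[i:i + length] in p:
                return True
    return False


def check_password(password: str, account: str) -> List[str]:
    """Return the Section 6.3 rules the password violates; an empty list
    means the password is acceptable under this policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_alpha and has_digit and has_special):
        problems.append("must mix alphabetic, numeric and special characters")
    # Strip digits and punctuation before the dictionary lookup so that a
    # decorated word such as "Password1!" is still caught.
    core = "".join(c for c in password.lower() if c.isalpha())
    if password.lower() in DICTIONARY or core in DICTIONARY:
        problems.append("dictionary word")
    if _contains_account_fragment(password, account):
        problems.append("contains part of the account name")
    if _has_sequence_run(password):
        problems.append("contains a sequential character string")
    if _has_keyboard_run(password):
        problems.append("contains a keyboard pattern")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Password1!", "jsmith99", "abc123!", "Qwerty!1"):
        print(candidate, "->", check_password(candidate, "jsmith") or "OK")
```

Reporting every violated rule rather than stopping at the first one lets the user fix the password in one attempt; the checker complements, and does not replace, the server-side lockout required in Sections 6.2 and 6.4.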
6.4 Password and Account Security
- User accounts not used for 90 days will be disabled and reviewed for possible deletion. Accounts that remain disabled for 60 days will be deleted. Accounts for XXX contractors shall be terminated on the expiration date of their contract.
- A lockout policy must be enforced for unsuccessful login attempts. As good practice, a maximum of 3 login attempts should be allowed. An account locked in this way shall be released automatically only after 24 hours have elapsed.
- A password-protected screen saver must activate after 10 minutes of user inactivity. Users must not be allowed to change the inactivity timeout.
- Passwords for all users, including administrator accounts, must be changed at least every 15 days.
- Administrative account passwords must be changed promptly upon departure of personnel (mandatory or voluntary) or suspected compromise of the password. User accounts will be disabled promptly upon departure of personnel (mandatory or voluntary). Users should immediately change their password if they suspect it has been compromised.
- Vendor-supplied default or service accounts shall be removed from computer systems prior to deployment, and new passwords shall be set on all systems immediately upon installation at XXX facilities.
- Passwords may not be embedded in automated programs, utilities, or applications, such as autoexec.bat files, batch job files, or terminal hotkeys.
- Passwords must not be displayed on a screen, in hardcopy printouts, or on any other output device.
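The lockout rule in Section 6.4 (at most 3 failed attempts, lock released only after 24 hours) is easy to state and easy to implement subtly wrong. The tracker below is an added example, not part of the original policy, that keeps a per-account failure counter, locks on the third failure, rejects even a correct password while locked, and auto-releases once the window has passed; the in-memory store and the injectable clock are assumptions made so the logic can be exercised offline without sleeping for a day.

```python
"""Added example (not from the original policy): an account-lockout tracker
for the Section 6.4 rule of at most 3 failed logins and a 24-hour lock.
The in-memory dictionaries and injected clock are assumptions for illustration."""

from typing import Callable, Dict

MAX_ATTEMPTS = 3             # Section 6.4: a maximum of 3 login attempts
LOCK_SECONDS = 24 * 60 * 60  # Section 6.4: lock released only after 24 hours


class LockoutTracker:
    """Tracks failed logins per account and enforces the lockout window.

    `now` returns the current time in seconds. It is injected (an assumption
    made for this example) so the clock can be advanced in tests.
    """

    def __init__(self, now: Callable[[], float]):
        self._now = now
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        """True while the account is inside its 24-hour lock window.
        Expired locks are cleared here, and the failure count restarts."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._now() >= until:
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_attempt(self, account: str, credentials_ok: bool) -> bool:
        """Record one login attempt. Returns True only if the login may
        proceed: credentials correct and the account not locked."""
        if self.is_locked(account):
            # A locked account rejects everything until the window expires,
            # so an attacker learns nothing about the guess from the response.
            return False
        if credentials_ok:
            self._failures.pop(account, None)  # success resets the counter
            return True
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= MAX_ATTEMPTS:
            self._locked_until[account] = self._now() + LOCK_SECONDS
        return False

    def failures(self, account: str) -> int:
        """Current consecutive-failure count for the account."""
        return self._failures.get(account, 0)


if __name__ == "__main__":
    clock = {"t": 0.0}
    tracker = LockoutTracker(lambda: clock["t"])
    for _ in range(3):
        tracker.record_attempt("alice", False)
    print("locked after 3 failures:", tracker.is_locked("alice"))
    clock["t"] += LOCK_SECONDS
    print("locked after 24h:", tracker.is_locked("alice"))
```

Checking the lock before evaluating the credentials is the important ordering: if the credential check ran first, a locked account would still leak whether a guess was right through timing or error differences.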
Unauthorized personnel are not allowed to see or obtain sensitive data. Any employee found to have violated this policy may be subject to disciplinary action in line with the HR Policy.
If you need assistance or have any doubts or questions, contact me at firstname.lastname@example.org. You can also contribute to this discussion and I shall be happy to publish your contributions. Your comments and suggestions are also welcome.