Password Management Policy
Details
Date | Version | Status | Information Classification | Document Template ID | Document No |
---|---|---|---|---|---|
10-06-2019 | 1.4 | Approved | Internal | AMS DOC | AMS-SP- 18 |
Revision History
Date | Version | Description | Author | Reviewed by | Approved by | Approved date |
---|---|---|---|---|---|---|
07-05-2012 | 1.0 | Initial Version | Beena Bhat | Praveen | Ganesh Bhat | 07-05-2012 |
25-05-2015 | 1.1 | Reviewed as part of SMS transition | ||||
31-07-2017 | 1.1 | Annual Review No Changes Done | ||||
10-08-2017 | 1.2 | Replaced shall with will | ||||
25-03-2019 | 1.3 | Annual Review 2019 | Praveen | Ramanujan | ||
06-06-2019 | 1.4 | To address - BSI Audit finding on password expiry - Reworked on policy and whole document | Praveen/Shaila | Praveen | Suresh Kumar B V | 10-06-2019 |
Acronym Used
Acronym | Expanded Form |
---|---|
IT | Information Technology |
CISO | Chief Information Security Officer |
Purpose
The purpose of this process is to set out the criteria for the provision of passwords and the conditions relating to their use. This policy is a supplementary policy to the ASL Information Security Policy. This document forms part of the ASL ISO 27001 Information Security Management System. ASL has a responsibility to ensure that all data stored on its computer systems:
is appropriate to the needs of ASL;
is securely held;
is available in a complete and accurate form when needed;
complies with the requirements of the Data Protection Act and other rules and regulations;
Passwords are an effective security countermeasure if they are kept secret. Passwords are a means of validating a user's identity to access a computer resource, to ensure the security of that resource and to maintain the confidentiality, integrity and availability of information held on that resource. ASL requires users to select passwords which are secure and difficult to guess, whilst easy to remember, and to keep passwords confidential.
Scope
This policy applies to any and all resources who have any sort of computer account requiring a password on the organizational network, including but not restricted to domain accounts and e-mail accounts.
Password Policy
"All user accounts used to logon to ASL information systems shall be protected with strong passwords. Furthermore, passwords must be changed regularly to avoid unauthorized access to information and information systems"
Password Requirements
Those setting password requirements should keep in mind that making the password rules too complicated may in fact decrease security if users find the rules impossible or too hard to meet. If passwords are changed too often, users may tend to write them down or make their new password a variation of an old password, which an attacker holding the old password could guess.
The following requirements for strong passwords will be set by the IT department:
Minimum Length - 8 characters recommended
Minimum complexity - No dictionary words included. Passwords must use at least three of the following four kinds of characters:
Lowercase
Uppercase
Numbers
Special characters such as !@#$%^&*(){}[]
Passwords are case sensitive and the user name or login ID is not case sensitive.
History of Password - A number of unique passwords must be used before an old password may be reused. This number should be no less than 5.
Maximum password age - 45 days
Minimum password age - 0 day
Not be transmitted in the clear or plaintext outside the secure location.
Not be displayed when entered.
Ensure passwords are only reset for authorized users.
Store passwords using reversible encryption - This should not be done without special authorization by the IT department, since it would reduce the security of the user's password.
Account lockout threshold - 5 failed login attempts
Reset account lockout after - 15 minutes. This is the time between bad login attempts after which the count of bad login attempts is cleared. This means that if there are three bad attempts within 15 minutes, the account would be locked.
Account lockout period - 15 minutes, or until an administrator resets the account lockout, so that administrators are aware of potential break-in attempts on the network.
Password protected screen savers should be enabled and should protect the computer within 5 minutes of user inactivity. Computers should not be unattended with the user logged on and no password protected screen saver active. Users should be in the habit of not leaving their computers unlocked. They can press the CTRL-ALT-DEL keys and select "Lock Computer".
Rules that apply to passwords also apply to passphrases which are used for public/private key authentication.
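The requirements above can be enforced at the point where a user sets a new password. The following validator is an added example, not part of this policy or any ASL tooling; it encodes the minimum length, the three-of-four character class rule, the dictionary word ban, the "do not use your User ID as your password" rule and the history of 5, with the dictionary word list and the salted PBKDF2 history store as assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Values taken from the Password Requirements section of this policy.
MIN_LENGTH = 8
MIN_CLASSES = 3          # at least three of the four character classes
HISTORY_SIZE = 5         # previous passwords that may not be reused
SPECIALS = set("!@#$%^&*(){}[]")

# Constructed stand-in for the organisation's dictionary word list (assumption).
DICTIONARY = {"password", "welcome", "summer", "london", "monday"}


@dataclass
class PasswordHistory:
    """Salted PBKDF2 digests of a user's last HISTORY_SIZE passwords (newest last)."""
    entries: list = field(default_factory=list)

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.entries.append((salt, digest))
        del self.entries[:-HISTORY_SIZE]   # keep only the newest HISTORY_SIZE entries

    def seen(self, password: str) -> bool:
        return any(
            hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), digest)
            for salt, digest in self.entries)


def character_classes(password: str) -> int:
    """Count how many of lowercase, uppercase, digits and specials are present."""
    checks = (str.islower, str.isupper, str.isdigit, SPECIALS.__contains__)
    return sum(any(check(ch) for ch in password) for check in checks)


def check_password(user_id: str, password: str, history: PasswordHistory) -> list:
    """Return the policy rules the candidate password violates (empty list = accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        failures.append(f"uses fewer than {MIN_CLASSES} of 4 character classes")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY):
        failures.append("contains a dictionary word")
    if user_id.lower() in lowered:          # login IDs are not case sensitive
        failures.append("contains the user ID")
    if history.seen(password):
        failures.append(f"matches one of the last {HISTORY_SIZE} passwords")
    return failures
```

A rejected password is reported with every rule it breaks, so the user can fix all of them in one attempt.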
Password Deletion
All passwords that are no longer needed must be deleted or disabled immediately. This includes, but is not limited to, the following:
When a user retires, quits, is reassigned, released, dismissed, etc.
Default passwords shall be changed immediately on all equipment.
Contractor accounts, when no longer needed to perform their duties.
A second individual from that department will check to ensure that the password has been deleted and the user account was deleted or suspended.
Password Protection Standards
Do not use your User ID as your password. Do not share [agency name] passwords with anyone.
All passwords are to be treated as sensitive, ASL Confidential information.
Here is a list of "do nots":
Don't reveal a password over the phone to anyone
Don't reveal a password in an e-mail message
Don't reveal a password to anyone, even to your boss
Don't talk about a password in front of others
Don't hint at the format of a password (e.g., "my family name")
Don't reveal a password on questionnaires or security forms
Don't share a password with family members
Don't reveal a password to a co-worker while on vacation
Don't use the "Remember Password" feature of applications
Don't write passwords down and store them anywhere in your office.
Don't store passwords in a file on ANY computer system unencrypted.
Don't include a password in a non-encrypted stored document.
Don't use your corporate or network password on an internet account which does not have a secure login, i.e. where the web browser address starts with https:// rather than http://
Don't use common acronyms as part of your password.
Don't use common words or reverse spelling of words in part of your password.
Don't use names of people or places as part of your password.
Don't use easily remembered numbers such as phone numbers, Aadhaar numbers, or street addresses as part of your password.
Be careful about letting someone see you type your password.
If someone demands a password, refer them to this document or have them call the CISO.
If an account or password is suspected to have been compromised, report the incident to the CISO/IT and change all passwords.
Password cracking or guessing may be performed on a periodic or random basis by the IT department. If a password is guessed or cracked during one of these scans, the user will be required to change it.
Other Considerations
Administrator passwords should be protected very carefully. Administrator accounts should have only the least access needed to complete their function. Administrator accounts should not be shared and should be vaulted, i.e. in the case of particularly sensitive accounts such as system administrator, database administrator, confidential data, and remote access, the password will be changed more frequently, at least once a month. Passwords of sensitive resources will be recorded on a sealed sheet of paper and handed over to the CEO immediately after the change.
Default passwords will be changed immediately at first logon. In the case of systems, accounts or hardware which are supplied without passwords, password protection will be activated when putting the system, account or hardware into operation.
All accounts will have a password. However, accounts for common applications, such as publicly available applications, may operate without a password. The owner of such an application will ensure that the IS Policy is being followed and that no unauthorized access is permitted through these accounts.
Remote Access Users
Access to the ASL networks via remote access will be controlled by using either a Virtual Private Network (in which a password and user id are required) or a form of advanced authentication (i.e., Biometrics, Tokens, Public Key Infrastructure (PKI), Certificates, etc.).
Users created on Active Directory for employees working from outside ASLHO premises will have their password policy set to never expire, as they never connect to the ASL network. This is to ensure that their user accounts remain active at all times for raising complaints and service calls in the IMS Sapphire tool.
Enforcement
Since password security is critical to the security of the organization and everyone, employees that do not adhere to this policy may be subject to disciplinary action up to and including dismissal.