Access Controls, Account (Policy)

Overview and Purpose

[Variable: Covered Organization] must balance employees' need to access systems and information with the need to control access for the purpose of protecting information confidentiality, integrity, and availability. Account passwords are a mainstay of information security controls. This policy establishes management controls for granting, changing, and terminating access to automated information systems; these controls are essential to the security of [Covered Organization] information systems.

Coverage

All full- and part-time employees, contractors, and other personnel who use [variable: Covered Organization or system(s)] Information Resources.

Roles and Responsibilities

Director

  • Oversees password administration for [variable: Covered organization or system(s)]
  • Publishes and maintains policy guidelines for the creation, safeguarding, and control of the passwords

Information Security Officer (ISO)

  • Reviews and validates access and rights records at least once per [variable: Time period] to confirm continuing need for access
  • Prepares policy guidelines for the creation, safeguarding, and control of passwords
  • Approves access rights and passwords for privileged accounts for [variable: Covered organization or system(s)]
  • Issues passwords for privileged accounts to the primary system administrator and no more than one designated alternate system administrator per covered organizational system

Supervisor

Systems Administrators

  • Issue and manage passwords and account rights for systems and applications under their control

System Users

  • Protect password confidentiality
  • Immediately notify supervisor if a password is known or suspected to be compromised

Policy

Password Rights Administration

  • Access to [variable: Covered organization or system(s)] Information Resources must be controlled
  • Access to [variable: Covered organization or system(s)] Information Resources must be based on an approved System Access Request Form for each discrete system
  • Access rights are granted based on the principle of "least privilege": access is granted only to the systems and applications necessary for the performance of official duties.
  • Supervisor and ISO must approve employee access rights to [variable: Covered organization or system(s)] Information Resources.
  • The ISO must approve Supervisor and Systems Administrator access rights to [variable: Covered organization or system(s)] Information Resources
  • Privileged-access passwords (such as those belonging to Systems Administrators) must be changed at least once every [variable: Time period], or sooner when necessary due to employment termination or actual or suspected password compromise
  • Information Security Officers and Systems Administrators shall not allow generic or group access credentials, including passwords.
  • Contractor accounts and access privileges must be terminated on the contract expiration date. Contractor Supervisors are required to inform System Administrators of new and changed contract effective dates that are likely to affect account access permissions.
  • Vendor or service accounts included in acquired software or used for software development must be deleted prior to software deployment.
  • Any default passwords must be changed on all systems prior to connection to any network, even in pre-deployment testing.
  • Administrative account passwords must be changed promptly upon departure of personnel or suspected compromise.
  • User accounts must be disabled promptly upon departure of personnel. If a user knows or suspects that the confidentiality of their password has been compromised, they must immediately change the password.

Password Requirements

  • Passwords (login) are required on all [variable: Covered organization] information systems
  • Each individual user is assigned unique login credentials comprising, at minimum, a unique user name and password
  • Passwords must conform to the following criteria:
    • At least eight characters in length
    • Consist of a mix of alpha, numeric, and special characters
    • Exclude dictionary words
    • Exclude portions of associated account names (e.g., user ID, log-in name)
    • Exclude common sequential character strings (e.g., “abc” or “1234”)
    • Exclude simple keyboard patterns (e.g., “asdf”)
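The six criteria above expressed as an automated check, as an added example that is not part of this policy template. The dictionary list is a constructed stand-in, and the thresholds for what counts as a "portion" of an account name, a "sequential string", and a "keyboard pattern" are assumptions a policy administrator would set.

```python
import string

# Constructed stand-in for the organisation's dictionary-word list (assumption).
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "letmein", "secret"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 8          # policy: at least eight characters
SEQ_LEN = 3             # assumption: 3+ consecutive characters ("abc", "1234") is a sequence
PATTERN_LEN = 4         # assumption: 4+ adjacent keys of one row ("asdf") is a keyboard pattern
NAME_FRAGMENT_LEN = 4   # assumption: a 4+ character slice of the account name is a "portion"


def _has_sequence(pw: str) -> bool:
    """Ascending or descending run of letters or digits, e.g. 'abc', 'cba', '1234'."""
    s = pw.lower()
    for i in range(len(s) - SEQ_LEN + 1):
        w = s[i:i + SEQ_LEN]
        if w.isalpha() or w.isdigit():
            steps = {ord(b) - ord(a) for a, b in zip(w, w[1:])}
            if steps == {1} or steps == {-1}:
                return True
    return False


def _has_keyboard_pattern(pw: str) -> bool:
    """Any PATTERN_LEN-long slice of a keyboard row, typed forwards or backwards."""
    s = pw.lower()
    return any(row[i:i + PATTERN_LEN] in s or row[i:i + PATTERN_LEN][::-1] in s
               for row in KEYBOARD_ROWS for i in range(len(row) - PATTERN_LEN + 1))


def _contains_account_fragment(pw: str, account_names) -> bool:
    """Any NAME_FRAGMENT_LEN-long slice of the user ID or login name."""
    s = pw.lower()
    return any(n[i:i + NAME_FRAGMENT_LEN] in s
               for n in map(str.lower, account_names)
               for i in range(len(n) - NAME_FRAGMENT_LEN + 1))


def check_password(pw: str, account_names=()) -> list:
    """Return the names of the criteria the password violates (empty list = compliant)."""
    low = pw.lower()
    checks = [
        ("length", len(pw) < MIN_LENGTH),
        ("mix", not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
                     and any(c in string.punctuation for c in pw))),
        ("dictionary", any(word in low for word in DICTIONARY_WORDS)),
        ("account-name", _contains_account_fragment(pw, account_names)),
        ("sequence", _has_sequence(pw)),
        ("keyboard", _has_keyboard_pattern(pw)),
    ]
    return [name for name, failed in checks if failed]
```

A list of violations rather than a single pass/fail lets the registration or reset screen tell the user which criterion to fix.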

Automated Controls

  • To reduce the risk that an unauthorized party can gain system access by guessing a user's password, the [variable: Covered Organization or system(s)] shall limit invalid login attempts to three. After three unsuccessful login attempts, the [variable: Covered Organization or system(s)] must automatically “lock out” the attempting user for not less than [variable: time period]. [Note: For critical systems, the policy administrator may wish to specify that “locked-out” users must contact a System Administrator in order to reactivate a “locked” account.]
  • Accounts that have not been accessed for [variable: time period] will be disabled and reviewed for deletion. Accounts that remain disabled for [variable: time period] will be automatically deleted.
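The two automated controls above as a small account state machine, as an added example that is not part of this policy template. The three-attempt threshold comes from the policy; the lockout, inactivity, and deletion periods are assumptions standing in for the [variable: time period] placeholders, and the optional "System Administrator must reactivate" behaviour for critical systems is modelled by the `critical` flag.

```python
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 3                       # policy: three unsuccessful attempts trigger a lockout
LOCKOUT_SECONDS = 15 * 60              # assumption: stands in for [variable: time period]
INACTIVE_DISABLE_SECONDS = 90 * 86400  # assumption: inactivity before an account is disabled
DISABLED_DELETE_SECONDS = 30 * 86400   # assumption: time disabled before automatic deletion


@dataclass
class Account:
    user: str
    critical: bool = False          # critical system: a System Administrator must reactivate
    failures: int = 0
    locked_until: float = 0.0
    admin_locked: bool = False
    last_access: float = 0.0        # seconds; 'now' is passed in so the logic runs offline
    disabled_at: Optional[float] = None
    deleted: bool = False

    def attempt(self, password_ok: bool, now: float) -> str:
        """Process one login attempt; returns ok / denied / locked / disabled / deleted."""
        if self.deleted:
            return "deleted"
        if self.disabled_at is not None:
            return "disabled"
        if self.admin_locked or now < self.locked_until:
            return "locked"         # even a correct password is refused while locked out
        if password_ok:
            self.failures, self.last_access = 0, now
            return "ok"
        self.failures += 1
        if self.failures < MAX_ATTEMPTS:
            return "denied"
        self.failures, self.admin_locked = 0, self.critical   # critical: admin-only lockout
        self.locked_until = now + LOCKOUT_SECONDS
        return "locked"

    def admin_reactivate(self) -> None:
        self.admin_locked, self.failures, self.locked_until = False, 0, 0.0

    def housekeeping(self, now: float) -> str:
        """Periodic job: disable dormant accounts, delete accounts disabled long enough."""
        if self.disabled_at is None and now - self.last_access >= INACTIVE_DISABLE_SECONDS:
            self.disabled_at = now
            return "disabled"
        if self.disabled_at is not None and now - self.disabled_at >= DISABLED_DELETE_SECONDS:
            self.deleted = True
            return "deleted"
        return "disabled" if self.disabled_at is not None else "active"
```

Note that a correct password submitted during the lockout window is refused and does not shorten the window, which is what makes the control effective against guessing.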

Password Protection

  • Users must change passwords immediately after the initial login to any [variable: Covered Organization or system(s)] Information Resource
  • Users must not disclose or otherwise allow third-party use of their unique account credentials (User IDs and Passwords)
  • Passwords must be changed at least once every [variable: time period]
  • Passwords may not be reused for at least [variable: Number] consecutive password-change cycles
  • Passwords must not be embedded in automated programs, utilities, or applications, such as: autoexec.bat files, batch job files, or terminal hot keys
  • Passwords must not be rendered in readable form through publicly visible media by any application, printer, Web server, or other mechanism
  • Passwords must not be stored in readable form in any application, file, or database

Enforcement

Gross negligence or willful disclosure leading to illicit exposure of [variable: Covered Organization] information may result in prosecution for misdemeanor or felony resulting in fines, imprisonment, civil liability, and/or dismissal. [variable: Cite relevant laws, policies, or statutes to support enforcement.]

Supporting Documentation

This policy is supported by the following rules, standards, and procedures:

  • [variable: internal documents (with links, if available)]
  • [variable: external documents (with links, if available)]

Policy Support Contact

  • [variable: title (not personal name) of role responsible for overseeing this procedure]
  • [variable: Contact information of office responsible for overseeing this procedure]

References

Policy Source Document(s)
