------- INDEX AND GLOSSARY. DO NOT CHANGE OR DELETE! ----------
Open IT Policy Index
- Acceptable Use, Administrative or Special Access (Policy)
- Acceptable Use, Email (Policy)
- Acceptable Use, Internet (Policy)
- Acceptable Use, Virtual Private Network (VPN) (Policy)
- Access Controls, Account (Policy)
- Account Management (Policy)
- Change Management (Policy)
- Computer Virus Prevention (Policy)
- Contingency Planning (Policy)
- Data Backup and Storage (Policy)
- Data Marking, Handling, Processing, Storage, and Disposal (Policy)
- Deferral of System Security Certification or Accreditation, Annual (Form)
- General Information Security Management (Procedure)
- Green Computing (Policy)
- Incident Response (Policy)
- Intrusion Detection (Policy)
- Logging and Audit Trails (Policy)
- Mobile Computing and Network Access (Policy)
- Network Access (Policy)
- Network Access Controls (Standard)
- Network Configuration (Policy)
- Network Data Privacy (Policy)
- Password Management (Policy)
- Personnel Security (Policy)
- Physical Security (Policy)
- Policy Application Checklist (Administrative Utility)
- Secure Media and Data Handling (Procedure)
- Secure Software Development Lifecycle (Standard)
- Social Computing and Networking (Policy)
- Software and Hardware Security Controls (Policy)
- Spam and Unsolicited Commercial Email Prohibition (Policy)
- System Security Certification/Accreditation, Annual (Form)
- System Security Certification/Accreditation, Annual (Policy)
- Telecommuting Agreement, Employee (Form)
-------------------------------------------------------------------------------------------------
Overview and Purpose
[variable: Covered Organization] balances the need for employees to access systems and information with the need to control access for the purpose of protecting information confidentiality, integrity, and availability. Account passwords are a mainstay of information security controls. This policy establishes management controls for granting, changing, and terminating access to automated information systems; these controls are essential to the security of [variable: Covered Organization] information systems.
Coverage
All employees who use [variable: Covered Organization] Information Resources must have unique user account information, including passwords, for access to the various information systems. These procedures apply to accounts on all organizational systems, both in operation and in development.
Roles and Responsibilities
Director
- Provides management oversight of the process for administering passwords for [variable: Covered Organization] systems
- Publishes and maintains policy guidelines for the creation, safeguarding, and control of passwords
Information Security Officer (ISO)
- Grants access and reviews access every year to determine continued need for access; if the need continues, re-approves through submission of System Access Request Form(s)
- Prepares policy guidelines for the creation, safeguarding, and control of passwords
- Approves access to supervisor passwords and passwords for similar privileged accounts used on [variable: Covered Organization]'s network
Supervisor
- Communicates to users the system access and password requirements outlined in this policy
- Informs [variable: Covered Organization]'s Security Officer when access is to be removed
- Immediately informs [variable: Covered Organization]'s Security Officer if it is suspected that a password has been compromised
[variable: Covered Organization] Security Officer (location- or system-specific)
- Issues and manages passwords for systems and applications under their control in accordance with [variable: Covered Organization]'s policy described below
- Issues passwords for privileged accounts to the primary system administrator and no more than one designated alternate system administrator; these passwords shall be changed at least every 30 days, or sooner when necessary due to employment termination or actual or suspected password compromise
Users
- Understand their responsibilities for safeguarding passwords
- Use [variable: Covered Organization] data in accordance with job function and company policy
- Understand the consequences of failing to adhere to statutes and policy governing information resources
- Immediately notify their supervisor if it is suspected that a password has been compromised
Policy
Access Authorization Requirements
- Access to [variable: Covered Organization or System] shall be controlled and shall be based on an approved System Access Request Form for each system.
- Individuals shall be granted access only to those information systems necessary for the performance of their official duties; users must receive their supervisor's and the ISSO's approval prior to being granted access to [variable: Covered Organization]'s information resources. This requirement includes contracted employees and all other non-[variable: Covered Organization] personnel who have been granted access.
- Passwords shall be used on all [variable: Covered Organization] automated information systems to uniquely identify individual users.
- Passwords shall not be shared with, used by, or disclosed to others; generic or group passwords shall not be used.
- To preclude password guessing, an intruder lock-out feature shall suspend accounts after three invalid attempts to log on; manual action by a security system administrator is required to reactivate the ID.
Password Parameters
All user and system passwords, including temporary passwords set for new user accounts, should meet the following characteristics:
- Be at least six characters in length
- Consist of a mix of alphabetic characters, at least one numeric character, and special characters
- Not be dictionary words
- Not be portions of associated account names (e.g., user ID, log-in name)
- Not be character strings (e.g., abc or 123)
- Not be simple keyboard patterns
In addition:
- Users are required to select a new password immediately after their initial logon.
- Passwords must be changed at least every [variable: time frame].
- Previously used passwords may not be re-used.
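The parameters above can be enforced mechanically at password-change time. The validator below is an added example for this page, not code from the policy's author or from the NIST material it cites. The word list, keyboard rows and the four-character account-name fragment length are constructed assumptions, and the reuse check uses a plain SHA-256 stand-in where a real credential store would compare salted, slow hashes. It goes slightly beyond the list by also catching dictionary words that have merely been padded with digits or punctuation.

```python
import hashlib
from typing import Callable, Iterable, List

# Policy constants taken from the Password Parameters section.
MIN_LENGTH = 6
SEQUENCE_LENGTH = 3          # run length treated as a "character string" (abc, 123)
ACCOUNT_FRAGMENT_LENGTH = 4  # assumption: slice length that counts as a "portion" of an account name

# Constructed sample word list; a deployment would load a full dictionary file.
DICTIONARY_WORDS = {"password", "welcome", "summer", "letmein", "monkey", "dragon"}

# Keyboard rows used to detect simple keyboard patterns (qwerty, asdf, ...).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _demo_hash(pw: str) -> str:
    """Stand-in hash for the password-history check only. A real credential
    store keeps salted, slow hashes (bcrypt, scrypt, argon2) and the reuse
    comparison happens there, not on a fast unsalted digest."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def _has_sequence(pw: str, length: int = SEQUENCE_LENGTH) -> bool:
    """Detect runs of adjacent code points such as 'abc', 'cba', '123', '321'."""
    for i in range(len(pw) - length + 1):
        window = pw[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _is_keyboard_pattern(pw: str, length: int = SEQUENCE_LENGTH) -> bool:
    """Detect segments walked along a keyboard row in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            seg = row[i:i + length]
            if seg in low or seg[::-1] in low:
                return True
    return False


def _contains_account_fragment(pw: str, account_names: Iterable[str]) -> bool:
    """True if any ACCOUNT_FRAGMENT_LENGTH-character slice of an account name
    (or the whole name, if shorter) appears in the password, case-insensitively."""
    low = pw.lower()
    for name in account_names:
        name = name.lower()
        if not name:
            continue
        n = min(len(name), ACCOUNT_FRAGMENT_LENGTH)
        if any(name[i:i + n] in low for i in range(len(name) - n + 1)):
            return True
    return False


def check_password(pw: str, account_names: Iterable[str] = (),
                   previous_hashes: Iterable[str] = (),
                   hash_fn: Callable[[str], str] = _demo_hash) -> List[str]:
    """Return the policy rules the candidate password violates; an empty list
    means the password is acceptable under the Password Parameters."""
    violations: List[str] = []
    if len(pw) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        violations.append("no alphabetic character")
    if not any(c.isdigit() for c in pw):
        violations.append("no numeric character")
    if not any(not c.isalnum() for c in pw):
        violations.append("no special character")
    # Check the password itself and its alphabetic core, so "Password1!" is
    # still recognised as the dictionary word "password".
    core = "".join(c for c in pw.lower() if c.isalpha())
    if pw.lower() in DICTIONARY_WORDS or core in DICTIONARY_WORDS:
        violations.append("dictionary word")
    if _contains_account_fragment(pw, account_names):
        violations.append("contains part of the account name")
    if _has_sequence(pw):
        violations.append("contains a character sequence (e.g. abc, 123)")
    if _is_keyboard_pattern(pw):
        violations.append("contains a keyboard pattern")
    if hash_fn(pw) in set(previous_hashes):
        violations.append("previously used password")
    return violations


if __name__ == "__main__":
    # Constructed sample candidates checked against the constructed account name "jsmith".
    for candidate in ("abc123", "Password1!", "jsmith9$x", "Tr0ub4d#r"):
        print(candidate, "->", check_password(candidate, account_names=["jsmith"]) or "OK")
```

Returning every violated rule rather than stopping at the first one lets the change-password screen tell the user exactly what to fix, and keeping the thresholds in named constants makes it easy to tighten them (for instance raising MIN_LENGTH) without touching the checks.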
Password and Account Security
- Accounts not used for [variable: time frame] will be disabled and reviewed for possible deletion. Accounts disabled for 60 days will be deleted. Accounts for [variable: Covered Organization] contractors shall terminate on the expiration date of their contract.
- A lockout policy must be implemented for unsuccessful login attempts. As a good practice, a maximum of [variable: login attempts] login attempts should be allowed. Locked accounts must be automatically released after [variable: time frame].
- A password-protected screen saver must activate after [variable: time frame] of user inactivity. Users must not be allowed to change the inactivity time.
- Passwords for all user accounts, including administrator accounts, must be changed every [variable: no. of days].
- Administrative account passwords must be changed promptly upon departure of personnel (mandatory or voluntary) or suspected compromise of the password. User accounts will be disabled promptly upon departure of personnel (mandatory or voluntary). Users should immediately change their password if they suspect it has been compromised.
- Vendor or service accounts will be removed from computer systems prior to deployment, and new passwords are to be set on all systems immediately upon installation at [variable: Covered Organization] facilities.
- Passwords may not be embedded in automated programs, utilities, or applications, such as autoexec.bat files, batch job files, or terminal hot keys.
- Passwords may not be visible on a screen, hardcopy printout, or any other output device.
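The lockout behaviour described in the Access Authorization Requirements (suspend after three invalid attempts) and in the bullet above (release after a time frame) can be implemented as a small per-account counter. The class below is an added example, not code from the policy or the NIST practices it references. The threshold of three comes from the policy; the 15-minute automatic release is an assumed value for the [variable: time frame] placeholder, and passing None keeps the manual-reactivation behaviour. The clock is injectable so the expiry can be tested without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_ATTEMPTS = 3                 # from the policy: suspend after three invalid attempts
AUTO_RELEASE_SECONDS = 15 * 60   # assumption for [variable: time frame]; None = manual release only


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[float] = None


class LockoutTracker:
    """Counts invalid logon attempts per account and suspends the account at the threshold."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS,
                 auto_release_seconds: Optional[int] = AUTO_RELEASE_SECONDS,
                 clock: Callable[[], float] = time.time):
        self.max_attempts = max_attempts
        self.auto_release_seconds = auto_release_seconds
        self.clock = clock
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        """Check before verifying the credential: a locked account is rejected
        without examining the password, so the attempt cannot confirm a guess."""
        st = self._state(user)
        if st.locked_at is None:
            return False
        if (self.auto_release_seconds is not None
                and self.clock() - st.locked_at >= self.auto_release_seconds):
            self._accounts[user] = AccountState()   # lock expired: counter starts fresh
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Register an invalid attempt; returns True if the account is (now) locked."""
        if self.is_locked(user):
            return True
        st = self._state(user)
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_at = self.clock()
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful logon on an unlocked account clears the failure counter."""
        self._accounts.pop(user, None)

    def manual_release(self, user: str) -> None:
        """The security system administrator's reactivation action."""
        self._accounts.pop(user, None)
```

Lock events from `record_failure` returning True are what the Logging and Audit Trails policy would expect to see recorded, and a burst of them across many accounts is the signal an intrusion detection process should alert on.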
Enforcement
Unauthorized personnel are not allowed to see or obtain sensitive data. Gross negligence or willful disclosure of [variable: covered Organization or System] information can result in prosecution for misdemeanor or felony, resulting in fines, imprisonment, civil liability, and/or dismissal.
Supporting Documentation
This policy is supported by the following rules, standards, and procedures:
- [variable: internal documents (with links, if available)]
- [variable: external documents (with links, if available)]
Policy Support Contact
- [variable: title (not personal name) of role responsible for overseeing this procedure]
- [variable: Contact information of office responsible for overseeing this procedure]
References
Policy Model(s)
Federal Agency Security Practices, National Institute of Standards and Technology (NIST)