IT Security Policy v1.

0
Classification: Internal

2.0 Password Management Policy - GP 451

2.1 Purpose:
2.1.1 Enforce adequate password controls in systems and at the user level.
2.1.2 Protect information and information assets related to the user.
2.1.3 Ensure that only authorized users can access certain information, applications, services and
systems.
2.1.4 Protect the Confidentiality, Integrity and Availability of information, systems, services, and
applications within the HCT network.

2.2 Scope:
The scope of this policy includes all personnel who have or are responsible for an account (or
any form of access that supports or requires a password) on any system that resides at any
HCT facility, has access to the HCT network, or stores any non-public HCT information.

2.3 Policy:

2.3.1 Password Allocation:

2.3.1.1 Every user is given a login ID and a password to access the systems, applications, email, and
network resources. The access will be withdrawn when the employee leaves the HCT or if a
user’s contract comes to an end or upon request from Human Resource department.

2.3.2 Creating Strong Passwords:

2.3.2.1 The minimum length of a password is 8 characters.
2.3.2.2 User account passwords must not be based on personal information that can be easily guessed
or accessed (such as: Based on user name, name of wife, name of husband, date of birth,
mobile number, etc.).
2.3.2.3 User account passwords must not be a word in any language, dictionary, slang, dialect, jargon,
etc.(such as: password, julie, 123456789, qwerty, etc.).
2.3.2.4 The Password must contain at least one upper case letter (A-Z), one lower case letter (a-z), one
numeric character (0-9), or One Special character ( !#^&* ). Password must contain three
character sets mentioned in this list. ( Example : Bluech1p or Blue#chip).

Page 9 of 60
Central Services ‫الخدمات المركزية‬
PO Box 25026, Abu Dhabi, United Arab Emirates, Tel: +971 2 681 4600, Fax: +971 2 681 5833
Website: www.hct.ac.ae
 IT Security Policy v1.0
Classification: Internal

2.3.3 Password Expiration:

2.3.3.1 Passwords will expire after a minimum period of 180 days for normal user accounts and 45
days for privileged user accounts. User accounts with access to ERP system and with system
administration capabilities are categorized as privileged users.
2.3.3.2 The new password must be different from your current password and previous two passwords
for normal user accounts and previous eleven passwords for privileged user accounts.

2.3.4 First time Use of Initial Passwords:

2.3.4.1 A user is assigned an initial password by the HR Office. The user must change this password
immediately after the first login.

2.3.5 Password Reset:

2.3.5.1 User account password resets will be performed when requested by the user, after verification
of identity by HR for staff and student services for student.
2.3.5.2 Where a user has forgotten the password, IT or Student Services department is authorized to
reset the password after having the confirmation of the user’s authenticity from HR for staff
or from student services department for students. HCT has also facilitated a self-service portal
to reset and change password.

2.3.6 Screen Saver Password:

2.3.6.1 Every user will use the screen saver with a password, which will be activated within 5 minutes
of inactivity.

2.3.7 Password Protection:

2.3.7.1 Do not reveal or share your password over phone or email or in person to anyone.
2.3.7.2 Do not hint at the format of the password.
2.3.7.3 Do not reveal your password in questionnaires or Internet.
2.3.7.4 Do not use the “Remember Password” feature of applications (e.g. Outlook, Web-mail, etc.).
2.3.7.5 If you feel that your password is suspected to be compromised, change it immediately.
2.3.7.6 Always lock your computer before leaving your workstation, laptop even for few minutes.
2.3.7.7 Do not respond to any suspicious or untrusted email or Hyper Link with your HCT username
and password.

Page 10 of 60
Central Services ‫الخدمات المركزية‬
PO Box 25026, Abu Dhabi, United Arab Emirates, Tel: +971 2 681 4600, Fax: +971 2 681 5833
Website: www.hct.ac.ae
 IT Security Policy v1.0
Classification: Internal

2.3.7.8 User account will be locked out after 10 failed-login attempts for normal users. Privileged user
accounts password will be locked out for 1 day after 5 failed login attempts, which can be
unlocked only by administrator on the same day.

Page 11 of 60
Central Services ‫الخدمات المركزية‬
PO Box 25026, Abu Dhabi, United Arab Emirates, Tel: +971 2 681 4600, Fax: +971 2 681 5833
Website: www.hct.ac.ae