Password Protection Policy
Password Protection Policy
Password Protection Policy
1.2. Purpose
The purpose of this policy is to establish a standard for creation of strong passwords, the
protection of those passwords, and the frequency of change.
1.3. Scope
The scope of this policy includes all personnel who have or are responsible for an
account (or any form of access that supports or requires a password) on any system that
resides at any Bank facility, has access to the Bank network, or stores any non-public
Bank information.
1.4. Policy
1.4.1. One time passwords
The system administrator shall give a temporary password or initial password
when creating a new user account.
Users shall change their passwords after first successful login attempt.
Where possible, systems shall be configured to force a user to change their initial
passwords when they log on for the first time.
1.4.10.Password Creation
All user-level and system-level passwords must conform to the Password
Construction Guidelines.
Users must not use the same password for Bank accounts as for other non-Bank
access (for example, personal ISP account, option trading, benefits, and so on).
Where possible, users must not use the same password for various Bank access
needs.
All user-level passwords (for example, email, web, desktop computer, and so on)
must be changed at least every month.
Passwords must not be inserted into email messages, Alliance cases or other
forms of electronic communication.
Do not hint at the format of a password (for example, "my family name").
Do not write passwords down and store them anywhere in your office. Do not
store passwords in a file on a computer system or mobile devices (phone, tablet)
without encryption.
Do not use the "Remember Password" feature of applications (for example, web
browsers).
Any user suspecting that his/her password may have been compromised must re-
port the incident to SOC and change all passwords.
Applications must not store passwords in clear text or in any easily reversible
form.
Applications must not transmit passwords in clear text over the network.
Applications must provide for some sort of role management, such that one user
can take over the functions of another without having to know the other's
password.
Compliance Measurement
The Information Security Manager will verify compliance to this policy through various
methods, including but not limited to, periodic walkthrough, video monitoring, business
tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the Information Security Manager in
advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.
2.2. Purpose
The purpose of this guidelines is to provide best practices for the created of
strong passwords.
2.3. Scope
This guideline applies to employees, contractors, consultants, temporary and
other workers at bank, including all personnel affiliated with third parties. This
guideline applies to all passwords including but not limited to user-level
accounts, system-level ac- counts, web accounts, e-mail accounts, screen saver
protection, voicemail, and local router logins.
2.5. Passphrases
Passphrases generally are used for public/private key authentication. A
public/private key system defines a mathematical relationship between the
public key that is known by all, and the private key, that is known only to the
user. Without the passphrase to unlock the private key, the user cannot gain
access.
A passphrase is similar to a password in use; however, it is relatively long and
constructed of multiple words, which provides greater security against dictionary
attacks. Strong passphrases should follow the general password construction
guidelines to include upper and lowercase letters, numbers, and special characters
(for example, TheTrafficOnThe101Was*&!$ThisMorning!).