Password Protection Policy


1. Password Protection Policy


1.1. Overview
Passwords are an important aspect of computer security. A poorly chosen password may
result in unauthorized access to, and/or exploitation of, the Bank's resources. All users,
including contractors and vendors with access to Bank systems, are responsible for
taking the appropriate steps, as outlined below, to select and secure their passwords.

1.2. Purpose
The purpose of this policy is to establish a standard for the creation of strong passwords,
the protection of those passwords, and the frequency with which they are changed.

1.3. Scope
The scope of this policy includes all personnel who have or are responsible for an
account (or any form of access that supports or requires a password) on any system that
resides at any Bank facility, has access to the Bank network, or stores any non-public
Bank information.

1.4. Policy
1.4.1. One time passwords
• The system administrator shall give a temporary or initial password when
creating a new user account.
• Users shall change their password after their first successful login.
• Where possible, systems shall be configured to force users to change their initial
password when they log on for the first time.

1.4.2. Password Length and Composition
• Passwords shall be at least 8 characters in length and shall contain a mix of
letters, numbers and special characters. Users shall not choose easily guessable
passwords, such as names or parts of names, dictionary words, phone numbers,
dates or common words.

1.4.3. Password History
• Password history shall be set to 5, preventing re-use of any of the last 5
passwords.

1.4.4. Password Age
• Maximum password age shall be set to 30 days. A reminder shall be given to the
user 3 days prior to password expiry. Failure to change the password before
expiry shall result in the account being locked or disabled.

1.4.5. Account Lockout
• Where possible, systems shall be configured to lock a user's account after more
than 3 invalid login attempts.
• A locked account shall be reactivated only after the user's immediate senior
authorizes it by a call to the IT department.

1.4.6. Administrator Passwords
• All system administrator passwords shall be kept in a sealed envelope under the
custody of the Information Security Manager.

1.4.7. Default Passwords
• Operating system and application vendors ship products with default user-ids and
passwords.
• The system administrator shall disable all such default user-ids and change every
default password set by the manufacturer of the product.

1.4.8. Passwords of Network Devices
• Passwords of network devices such as firewalls shall be changed every 90 days.
• Network devices such as routers shall be managed by the third party.
• The passwords for these devices shall be held by the Network Administrators. These
passwords shall also be placed in a sealed envelope and handed over to the
Information Security Manager.
• Whenever the sealed envelope is opened and a new envelope issued, an entry
shall be made in the Sealed Envelope Log register.

1.4.9. Automated Log-on
• Passwords shall not be included in automated logon processes or batch processes,
or hard-coded in applications, unless there is a documented business need. Any
such inclusion requires prior authorization from the Information Security Officer.

1.4.10. Password Creation
• All user-level and system-level passwords must conform to the Password
Construction Guidelines.
• Users must not use the same password for Bank accounts as for other non-Bank
access (for example, personal ISP account, option trading, benefits, and so on).
• Where possible, users must not use the same password for different Bank access
needs.

1.4.11. Password Change
• All system-level passwords (for example, root, enable, NT admin, application
administration accounts, and so on) must be changed at least half-yearly.
• All user-level passwords (for example, email, web, desktop computer, and so on)
must be changed at least every month.
• Password cracking or guessing may be performed on a periodic or random basis.
If a password is guessed or cracked during one of these scans, the user will be
required to change it to one that complies with the Password Construction
Guidelines.

1.4.12. Password Protection
• Passwords must not be shared with anyone. All passwords are to be treated as
sensitive, Confidential Bank information.
• Passwords must not be inserted into email messages, Alliance cases or other
forms of electronic communication.
• Passwords must not be revealed over the phone to anyone.
• Do not reveal a password on questionnaires or security forms.
• Do not hint at the format of a password (for example, "my family name").
• Do not share Bank passwords with anyone, including administrative assistants,
secretaries, managers, co-workers while on vacation, and family members.
• Do not write passwords down and store them anywhere in your office. Do not
store passwords in a file on a computer system or mobile device (phone, tablet)
without encryption.
• Do not use the "Remember Password" feature of applications (for example, web
browsers).
• Any user suspecting that his/her password may have been compromised must
report the incident to the SOC and change all passwords.

1.4.13. Application Development
Application developers must ensure that their programs contain the following security
precautions:
• Applications must support authentication of individual users, not groups.
• Applications must not store passwords in clear text or in any easily reversible
form.
• Applications must not transmit passwords in clear text over the network.
• Applications must provide role management, such that one user can take over
the functions of another without having to know the other's password.
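The following is an added illustration for the storage requirement in 1.4.13; it is not the Bank's own code and not part of the policy text. It places the forbidden form (an unsalted, fast hash) beside a compliant form (random per-record salt, a slow key-derivation function, constant-time comparison) using only the Python standard library. The iteration count, record format and the hypothetical `login` helper are assumptions chosen for the example.

```python
"""Added illustration for section 1.4.13; it is not the Bank's own code.

Shows the forbidden way to store a password (unsalted fast hash) beside a
compliant way (random salt, slow key-derivation function, constant-time
comparison).  Standard library only.  The work-factor numbers are assumptions
chosen for this example, not figures taken from the policy.
"""
import base64
import hashlib
import hmac
import os

# Assumed work factor: 600,000 PBKDF2-HMAC-SHA256 iterations follows current
# OWASP guidance; raise it as hardware gets faster.  Argon2id or scrypt are
# preferable where a library is available.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
ALGORITHM = "pbkdf2_sha256"


def insecure_hash(password: str) -> str:
    """What the policy forbids: an unsalted, fast hash.  Every user with the
    same password gets the same digest, and one precomputed table cracks all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt>$<key>'.

    A fresh random salt per record means two users with the same password
    store different values; the iteration count makes each guess expensive for
    an attacker who steals the database.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, _b64(salt), _b64(key))


def _parse(stored: str):
    """Split a stored record; return None if it is malformed."""
    try:
        algorithm, iterations, salt_b64, key_b64 = stored.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        key = base64.b64decode(key_b64)
    except (ValueError, TypeError, AttributeError):
        return None
    if algorithm != ALGORITHM or iterations < 1 or not salt or not key:
        return None
    return iterations, salt, key


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time, so response timing does not reveal how many bytes matched."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when the record was made with a weaker work factor than the current
    setting (or is malformed); used to upgrade records at the next login."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


def login(username: str, password: str, store: dict) -> bool:
    """Hypothetical login path over an in-memory user store {username: record}.
    On success, records made with an outdated work factor are re-hashed."""
    stored = store.get(username)
    if stored is None:
        # Spend the same effort for unknown users so timing does not reveal
        # which usernames exist.
        hash_password(password)
        return False
    if not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        store[username] = hash_password(password)
    return True


if __name__ == "__main__":
    # Constructed demonstration data: two users who chose the same password.
    alice, bob = "Tr0ub4dor&3", "Tr0ub4dor&3"
    print("insecure, identical:", insecure_hash(alice) == insecure_hash(bob))
    print("salted, different: ", hash_password(alice) != hash_password(bob))
```

Because the record carries its own iteration count, the work factor can be raised later and stale records are upgraded transparently the next time the user logs in, which is how a compliant application keeps pace with cracking hardware without forcing a password reset.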

1.4.14. Use of Passwords and Passphrases
• Passphrases are generally used for public/private key authentication. A
public/private key system defines a mathematical relationship between the public
key, which is known by all, and the private key, which is known only to the user.
Without the passphrase to "unlock" the private key, the user cannot gain access.
• Passphrases are not the same as passwords. A passphrase is a longer version of a
password and is therefore harder to guess by brute force. A passphrase is typically
composed of multiple words, which also makes it more resistant to "dictionary
attacks" that try single words.
• A good passphrase is relatively long and contains a combination of upper and
lowercase letters and numeric and punctuation characters. An example of a good
passphrase:
"The*?#>*@TrafficOnThe101Was*&#!#ThisMorning"
(Do not use this published example as an actual passphrase.)
• All of the rules above that apply to passwords apply to passphrases.

1.5. Policy Compliance

Compliance Measurement
The Information Security Manager will verify compliance with this policy through various
methods, including but not limited to periodic walkthroughs, video monitoring, business
tool reports, internal and external audits, and feedback to the policy owner.

Exceptions
Any exception to the policy must be approved by the Information Security Manager in
advance.

Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.

1.6. Revision History

Version | Date of Revision | Author | Approved By | Description of Changes

2. Password Construction Guidelines
2.1. Overview
Passwords are a critical component of information security. Passwords serve to
protect user accounts; however, a poorly constructed password may result in
the compromise of individual systems, data, or the Bank network. This
guideline provides best practices for creating secure passwords.

2.2. Purpose
The purpose of this guideline is to provide best practices for the creation of
strong passwords.

2.3. Scope
This guideline applies to employees, contractors, consultants, temporary and
other workers at the Bank, including all personnel affiliated with third parties. This
guideline applies to all passwords including but not limited to user-level
accounts, system-level accounts, web accounts, e-mail accounts, screen saver
protection, voicemail, and local router logins.

2.4. Statement of Guidelines
All passwords should meet or exceed the following guidelines.
Strong passwords have the following characteristics:
2.4.1. Contain at least 8 characters.
2.4.2. Contain both upper and lower case letters.
2.4.3. Contain at least one number (for example, 0-9).
2.4.4. Contain at least one special character (for example, !$%^&*()_+|~-=\`{}
[]:";'<>?,/).

Poor, or weak, passwords have the following characteristics:
• Contain fewer than eight characters.
• Can be found in a dictionary, including a foreign-language dictionary, or exist in
slang, dialect, or jargon.
• Contain personal information such as birthdates, addresses, phone numbers,
or names of family members, pets, friends, and fantasy characters.
• Contain work-related information such as building names, system
commands, sites, companies, hardware, or software.
• Contain character patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
• Contain common words spelled backward, or preceded or followed by a
number (for example, terces, secret1 or 1secret).
• Are some version of "Welcome123", "Password123" or "Changeme123".
You should never write down a password. Instead, try to create passwords that
you can remember easily. One way to do this is to create a password based on a
song title, affirmation, or other phrase. For example, the phrase "This May Be
One Way to Remember" could become the password TmB1w2R! or another
variation.

(NOTE: Do not use either of these examples as passwords!)

2.5. Passphrases
Passphrases generally are used for public/private key authentication. A
public/private key system defines a mathematical relationship between the
public key that is known by all, and the private key, that is known only to the
user. Without the passphrase to unlock the private key, the user cannot gain
access.
A passphrase is similar to a password in use; however, it is relatively long and
constructed of multiple words, which provides greater security against dictionary
attacks. Strong passphrases should follow the general password construction
guidelines and include upper and lowercase letters, numbers, and special characters
(for example, TheTrafficOnThe101Was*&!$ThisMorning!). As with the examples
above, do not use this published example as an actual passphrase.
