1 Policy Overview
Strong passwords are a basic element of any computer security policy. Poor password choices are a leading cause of unauthorized access to, and exploitation of, an organization and its resources (Granger). Every user, at every level, therefore shares responsibility for the organization's security and must access their accounts in accordance with the guidelines stipulated below (University of California).
2 Purpose of the Policy
The primary aim of this policy is to establish guidelines and rules for creating secure passwords, and for protecting those passwords once they have been created (SANS).
3 Policy Content
3.1 Password Creation
3.1.1 Every password, for users at all levels, must be created according to the organization's password creation guidelines.
3.1.2 Users must not reuse a company account password, or a variation of it, for any non-company account.
3.1.3 Users with more than one company account must use a different password for each account.
3.1.4 Where Simple Network Management Protocol (SNMP) is used, community strings must not be set to the standard defaults such as 'public' and 'private'. SNMP community strings must always differ from interactive login passwords. Note that SNMPv1 and SNMPv2c send the community string in clear text on the network, so it must be treated with the same confidentiality as any other password.
3.2 Password Change
3.2.1 Users at all levels must change their login passwords at least every four months; no password may remain in use for longer than six months.
3.2.2 System-level administrators must change their passwords at least every three months.
3.2.3 A technical team will periodically perform a routine password cracking test against the organization's accounts. If a password is cracked during such a test, its owner must immediately replace it with a new password that complies with the password creation guidelines.
3.3 Password Protection
3.3.1 Users who suspect that a password has been compromised must change all of their passwords and report the incident to the relevant authority.
3.3.2 Users must never allow a browser to remember their passwords.
3.3.3 Passwords must not be kept anywhere in the office in written form. Where passwords are stored on mobile devices or in computer files, they must be stored in an encrypted form.
3.3.4 Users must never write their passwords on security forms or questionnaires.
3.3.5 Users must not reveal or share their passwords with anyone, including their assistants, managers, secretaries, co-workers or family members.
3.3.6 Users must never provide password hints at the login interface.
3.3.7 Users must never include passwords in e-mail messages or in any other form of electronic communication.
3.3.8 Users at all levels must treat their passwords with the utmost confidentiality.
3.4 Application Development
3.4.1 Every application developed for use by the organization's users must support authentication of individual users rather than shared or group accounts.
3.4.2 Applications must provide role management, so that one user can take over the functions of another user without needing to know that user's password.
3.4.3 Applications must never store passwords in clear text. Stored passwords must be protected so that the original password cannot be recovered from the stored form (for example, by storing only a salted hash).
3.4.4 Applications must never transmit passwords in clear text over the Internet or any other network.
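The two technical requirements above that applications can actually implement are the storage rule in 3.4.3 and the routine cracking test in 3.2.3. The following is an added example, not part of the original policy or any code it describes, of how both fit together: passwords are stored only as salted PBKDF2-HMAC-SHA256 hashes with a per-user random salt and a constant-time comparison, and the cracking test is an offline dictionary audit run against those same stored records. The record format (`pbkdf2_sha256$iterations$salt$key`), the iteration count, the user names, the sample passwords and the wordlist are all constructed for the example.

```python
"""Added example: salted, slow password storage (policy 3.4.3) and a routine
offline cracking audit against the stored records (policy 3.2.3).
Uses only the Python standard library."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Work factor for PBKDF2-HMAC-SHA256. The figure is an assumption for this
# example, in the range current guidance recommends; tune it so that a single
# verification costs tens to hundreds of milliseconds on your own hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$key.

    A fresh random salt per user means two users with the same password get
    different records, so one precomputed table cannot crack both at once.
    The clear-text password is never written anywhere (policy 3.4.3).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the stored parameters and compare in constant time."""
    algo, iterations, salt_b64, key_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest does not short-circuit on the first differing byte, so the
    # comparison time does not reveal how much of the key matched.
    return hmac.compare_digest(candidate, expected)


def audit_passwords(records: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Routine cracking test (policy 3.2.3): try every wordlist entry against every
    stored record and return {user: guessed_password} for the accounts that fell.

    Because every record carries its own salt, each guess has to be re-derived
    per user; that per-user cost is exactly what the slow KDF buys the defender.
    """
    guesses = list(wordlist)
    cracked: Dict[str, str] = {}
    for user, record in records.items():
        for guess in guesses:
            if verify_password(guess, record):
                cracked[user] = guess
                break
    return cracked


def demo(iterations: int = 1_000) -> Dict[str, str]:
    """Constructed sample user database. The low iteration count is only to keep
    the demo fast; real storage uses PBKDF2_ITERATIONS."""
    users = {
        "alice": "correct horse battery staple",  # long passphrase, not in the list
        "bob": "Password1",                        # common choice
        "carol": "Summer2015!",                    # seasonal pattern
    }
    records = {u: hash_password(p, iterations=iterations) for u, p in users.items()}
    # Constructed wordlist standing in for the cracking team's dictionary.
    wordlist = ["123456", "password", "Password1", "Summer2015!", "letmein"]
    return audit_passwords(records, wordlist)


if __name__ == "__main__":
    for user, guess in demo().items():
        print(f"{user}: password cracked ({guess!r}); must be changed immediately")
```

Running the demo reports `bob` and `carol` as cracked and leaves `alice` untouched. In a real audit the wordlist would be a large dictionary plus the organization's own name, products and seasonal patterns, and the team would work from a copy of the stored records rather than the live system; an account listed in the result is exactly the case 3.2.3 requires the user to fix immediately.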
4 Policy Compliance
A dedicated task force will verify that every user complies with the provisions of this password policy, using techniques such as video monitoring, internal and external audits, and regular but unannounced walk-throughs. Users found to be in violation of the policy will face disciplinary action, up to and including termination of employment.
Granger, Sarah. "The Simplest Security: A Guide to Better Password Practices." Symantec, 2011. Accessed 15 April 2015. <http://www.symantec.com/connect/articles/simplest-security-guide-better-password-practices>.
SANS. "Information Security Policy Templates." SANS Institute, 2015. Accessed 15 April 2015. <https://www.sans.org/security-resources/policies>.
University of California. "UCSC Password Strength and Security Standards." UC Santa Cruz, March 2015. Accessed 15 April 2015. <http://its.ucsc.edu/policies/password.html>.