Password Protection Policy

[Company Name]
Section: Policy Manual
Policy Title: Password Protection Policy
Policy Owner (section/department):
Policy Number:
Date Effective:

I. PURPOSE

Passwords are an essential aspect of our computer security program. Passwords are the front line of protection for user accounts. A poorly chosen password may result in the compromise of <Company Name>'s critical resources.

The purpose of this policy is to set a standard for creating, protecting, and changing passwords such that they are strong, secure, and protected.

II. SCOPE AND APPLICABILITY

The scope of this policy includes all authorized <Company Name> officers and employees who have or are responsible for an account or any form of access that supports or requires a password on any system or IT infrastructure, such as computers, servers, routers, firewalls, electronic communications and other electronic devices that require access codes and/or passwords.

III. DEFINITION OF TERMS

ENCRYPTION. The process of converting plain text information using an algorithm to make it indecipherable to anyone without the corresponding key. The result is referred to as encrypted information.

IV. COMMENCEMENT

This policy commences on the date of its approval.

V. POLICY

1. Passwords shall be treated as highly confidential information.
2. Setting of default or initial passwords shall be unique per user and a mandatory prompt in all systems and applications shall require the user to change the default or initial password.
3. Passwords shall be changed regularly without fail:
    • At the system level, every 30 days
    • At the user level, every 45 days
4. Passwords shall be sent through e-mail messages ONLY if the following conditions are satisfied:
    • E-mail shall be encrypted
    • The "Prevent copying to Clipboard" option shall be enabled
    • Document printing shall also be prevented
5. Account policy shall be configured so that the ten (10) most recently used passwords cannot be re-used.
6. Users with multiple accounts shall set unique passwords for each account.
7. Account users shall be notified five (5) days prior to password expiration.
8. Three (3) unsuccessful password attempts shall trigger account lockout.
9. Passwords that have been compromised shall be reported to the System Account Administrator and shall immediately be changed accordingly.
10. All passwords shall conform to the guidelines on the DOs and DONTs as outlined below.

DOs:
1. A combination of alpha-numeric (lower and uppercase alphabetic characters, including numbers) and special characters (#, %, &, *, !, @, $, ^, (, ), +, =, ?, /, ", ', <, >, , |, [, ], {, }, ;, :, _, -) shall be used
2. Shall have a minimum of eight (8) characters.
3. Password expiration every 45 days.
4. Use patterns which are easy to remember but hard to crack, such as combinations of birthdays, anniversaries, initials of important persons in your life, etc.

DONTs:
1. Use of personal information
    • Your name or that of your family members
    • Plate numbers, telephone numbers, birthdays, anniversaries, etc.
2. Use of the following as passwords
    • Login user name or ID
    • Series of same numbers or letters (e.g. AAAAAAAA, 11111111)
3. Use of dictionary words

VI. ENFORCEMENT

Any offense/violation, or attempted offense/violation, of this policy shall be dealt with in accordance with the company's Code of Conduct and shall be subject to disciplinary actions, which include, but are not limited to, revocation of account privileges, suspension, dismissal, prosecution and restitution for damages according to the severity of the offense.

INVOLVEMENT IN THE INFRACTION SHALL INCLUDE, BUT IS NOT LIMITED TO, PARTICIPATION, ENCOURAGING, AIDING OR FAILING TO REPORT KNOWN OFFENSES.

VII. REPEALING CLAUSE

All existing policies, and other issuances or parts thereof, which are inconsistent with this Policy, are hereby repealed, amended or modified accordingly.

In view of changes in technology and in the nature of threats and vulnerabilities, this Policy shall be reviewed annually, or as the need arises, and revised accordingly.

Any and all changes, revisions, and modifications shall take effect only upon approval of the authorized signatory.
Any exceptions to this policy shall likewise be explicitly reviewed by the IT Department and approved by top management.

VIII. APPROVAL

<Name of Approving Authority>
<DATE>
