Password Management Policy
Purpose
This policy defines the requirements for establishing the password configuration settings and managing fixed passwords used on any Uncanny Software computer and communications system.
Scope
This policy applies to all information security analysts and system administrators responsible for the maintenance of password management systems and user accounts on Uncanny Software electronic information resources.
Policy
Distribution
Default Passwords - Passwords issued by a Security Administrator or vendor must be changed by the authorized user.
Password Sharing - Passwords must never be shared or revealed to anyone other than the authorized user.
Sending Passwords By Email - Passwords must never be sent via email. If a password must be sent externally, it must be done using a secure and encrypted service. Example: our secure Box site or a similar site like 0bin.net.
Resets
Password Resets – Identification - The requesting user must be positively identified before a password reset may be performed. Upon request, a password reset link is sent to the email address of the authorized user.
Password Resets - Unique Value - A password issued as a result of a requested reset must be a unique value, i.e. a string of characters that is not the same for all password resets.
Compromised Passwords
Password Changes After Privileged User ID Compromise - If a privileged user ID has been compromised by an intruder or another type of unauthorized user, all passwords on that system must be immediately changed.
Passwords Set To Expired After Intrusion - After either a suspected or demonstrated intrusion into an Uncanny Software computer system, the involved System Administrator must immediately notify the system's user community that an intrusion is believed to have taken place. The status of all passwords on that system must immediately be changed to expired, so that these passwords will be changed the next time the involved users log in.
Composition
Password Characters - All user-chosen passwords must contain at least one alphabetic and one non-alphabetic character.
Password Case - All user-chosen passwords must contain at least one lowercase and one uppercase alphabetic character.
Null Passwords Always Prohibited - At no time may any System Administrator or Security Administrator enable any user ID that permits the password length to be zero (a null or blank password).
Length
Minimum Password Length - All passwords must have at least 8 characters.
Network-Connected Computer Passwords - All Uncanny Software network-connected computers must employ fixed passwords made up of at least 8 characters and all computers that are not network-connected must employ fixed passwords made up of at least 8 characters.
Employee Engagement Web Client Passwords – All users not using Single Sign-On (SSO) must use a password of at least 8 characters, containing at least one lowercase alphabetic character and one number.
Voicemail Passwords - The minimum length for fixed passwords must be set to 6 for voicemail accounts.
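As an added example (not part of the policy text itself), the following Python function checks a candidate password against the Composition and Length rules above and returns the rules it violates. The `account_type` values are assumptions introduced here to select the rule set; the policy does not say whether the alphabetic composition rules apply to voicemail accounts, so this code applies only the voicemail minimum length to them.

```python
import re

# Minimum lengths stated in the Length section of the policy, keyed by an
# assumed account-type label (the labels are not from the policy).
MIN_LENGTH = {
    "standard": 8,    # Minimum Password Length / Network-Connected Computer Passwords
    "web_client": 8,  # Employee Engagement Web Client Passwords (non-SSO users)
    "voicemail": 6,   # Voicemail Passwords
}


def check_password(password: str, account_type: str = "standard") -> list:
    """Return the list of policy rules the candidate password violates.

    An empty list means the password satisfies every rule implemented here.
    "standard" applies the Composition and Length sections, "web_client" applies
    the Employee Engagement Web Client rule, and "voicemail" applies only the
    voicemail minimum length (assumption: voicemail PINs are numeric, so the
    alphabetic composition rules are not applied to them).
    """
    if account_type not in MIN_LENGTH:
        raise ValueError(f"unknown account type: {account_type}")

    # Null Passwords Always Prohibited: reject empty values before anything else.
    if not password:
        return ["null or blank password is prohibited"]

    violations = []

    # Length section.
    min_len = MIN_LENGTH[account_type]
    if len(password) < min_len:
        violations.append(f"fewer than {min_len} characters")

    if account_type == "standard":
        # Composition section: Password Characters and Password Case.
        if not any(c.isalpha() for c in password):
            violations.append("no alphabetic character")
        if not any(not c.isalpha() for c in password):
            violations.append("no non-alphabetic character")
        if not any(c.islower() for c in password):
            violations.append("no lowercase alphabetic character")
        if not any(c.isupper() for c in password):
            violations.append("no uppercase alphabetic character")
    elif account_type == "web_client":
        # Employee Engagement Web Client Passwords: one lowercase letter and one number.
        if not re.search(r"[a-z]", password):
            violations.append("no lowercase alphabetic character")
        if not re.search(r"[0-9]", password):
            violations.append("no number")

    return violations


if __name__ == "__main__":
    # Constructed sample candidates for demonstration only, not real credentials.
    samples = [
        ("Passw0rd", "standard"),
        ("password", "standard"),
        ("abc123", "web_client"),
        ("123456", "voicemail"),
        ("", "standard"),
    ]
    for pw, kind in samples:
        result = check_password(pw, kind) or "compliant"
        print(f"{kind:10s} {pw!r:12s} -> {result}")
```

Checks of this kind belong at the point where a password is set or reset (the account provisioning tool, the reset handler, or a PAM/AD password filter), so that a non-compliant value is rejected before it is stored rather than discovered in an audit afterwards.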
Changes
Required Password Changes - Users of all Uncanny Software workstations must be required to change their passwords at least once every 180 days, and the workstation must enforce this change automatically.
Customer Account Failed Password Attempts - Uncanny Software must limit the number of failed login attempts by online customers connecting to the Uncanny Software application to a maximum of five. After the maximum number of attempts, the account will be temporarily disabled.
Display
Password Display And Printing - The display and printing of passwords, when end users enter them, must be masked, suppressed, or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them.
Password Manager
Password Manager - A password manager should be used for any system, including third-party websites. Uncanny Software has a corporate account with 1Password. This allows departments to keep highly secure passwords in a shared container without running the risk that the loss of a critical employee causes a system to become inaccessible.
Violations
Any violation of this policy may result in disciplinary action, up to and including termination of employment. Uncanny Software reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Uncanny Software does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, Uncanny Software reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.
Any employee or partner who is requested to undertake an activity which he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager, any other manager, or the Human Resources Department as soon as possible.
Definitions
Partner – Any non-employee of Uncanny Software who is contractually bound to provide some form of service to Uncanny Software.
Password – An arbitrary string of characters chosen by a user that is used to authenticate the user when he or she attempts to log on, in order to prevent unauthorized access to his or her account.
System Administrator – An employee or partner who is responsible for managing an Uncanny Software multi-user computing environment. The responsibilities of the system administrator typically include installing and configuring system hardware and software, establishing and managing user accounts, upgrading software, and backup and recovery tasks.
User - Any Uncanny Software employee or contractor who has been authorized to access any Uncanny Software electronic information resource.
Client - Any Uncanny Software paying customer who has been authorized to access any Uncanny Software electronic information resource.
References
ISO/IEC 27002:2013 - 9.4.3 Password Management System
Related Documents
No documents listed
Revision History
Last updated