Password and Authentication Policy

 

Policy No: 1.17

 

PURPOSE

 

This policy describes the authentication requirements for accessing The Fake Chicken Company internal computers and networks, irrespective of the location of the user (i.e. remote, home, external or internal) or the type of access available (thin-client, thick-client, hybrid). Every individual worker or company connecting to The Fake Chicken Company internal computers and networks must abide by the rules described here. It also provides the guidelines for the management and general use of remote user accounts.

 

SCOPE

 

This policy affects all personnel who have, or are responsible for, a user ID which allows access to any computer system or network owned or managed by The Fake Chicken Company.

 

POLICIES 

1.      USER RESPONSIBILITIES

1.1    Password Composition

 

1.1.1  All passwords allowing general user network access must have at least eight (8) characters.  System Administration passwords should contain ten (10) characters and system passwords should be at least twelve (12) characters. 

 

 


 

1.2    Non Disclosure of Passwords

 

1.2.1  User IDs and passwords must not be shared.  Group user IDs and passwords are prohibited as a rule, but in special circumstances may be approved by the IT Manager, who will keep a written record.  The members of the group should be required to sign a statement to keep personal passwords confidential and to keep group passwords solely within the members of the group.  This signed statement should be included in the terms and conditions of employment.

 

 


Procedure Handling Minor Incidents

 


 

1.3    Password Changes

 

1.3.1  A forced password change will be initiated if there has been a compromise or a suspected compromise in respect of the computer systems or networks of The Fake Chicken Company. Should a single user suspect they have disclosed a password, then this password should be changed immediately.   

 

 


Procedure Handling Minor Incidents

 


 

1.4    System Protection

 

1.4.1  When a user leaves a PC, workstation or other device for longer than one hour, they must log off rather than depend on screen saver passwords and time outs unless the prior approval of the IT Manager has been obtained.

 

 

 


 

1.5    Password Management and Access Control

 

1.5.1  Passwords are not to be assigned at the file, folder or document level.

 

            Explanation

         This policy is intended to prevent systems administrators and users from establishing access control privileges with complicated schemes that cause administrative problems.  Passwords on files are often shared... 

 

 


Information Management Policy

 


2.     INFORMATION SYSTEMS STAFF RESPONSIBILITIES

2.1    Remote User Access

 

2.1.1  Remote, home or external users will be authenticated onto the remote access system with one-time, two-factor password generation technology which is independent of domain authentication.  All exceptions will require authorisation from the IT Manager.

 

 

Remote Access Policy

Network Management Policy

Access Control Policy 


2.2    Non-Disclosure

 

2.2.1  The display and printing of passwords onscreen must be hidden so that unauthorised parties or onlookers will not be able to observe or subsequently recover them.

 

 

 


2.3    Password changes

  

2.3.1  All vendor-supplied default passwords and device names must be changed before any computer, network device or communications system goes live.

 

 

Remote Access Policy

Software Management Policy

 


2.4    System Protection

 

2.4.1  To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect password must be strictly limited.  After five unsuccessful attempts to enter a password, the user ID must be disabled... 

 

            Explanation

         One of the most frequently used and successful attack methods for gaining system access is simple password guessing.  Besides simple context-sensitive guessing (knowing a bit about the user and the circumstances), potential intruders can use password cracking programs to exhaustively go through words in the dictionary...

 

 

Remote Access Policy

 


 

2.5    Application Development and Passwords

 

2.5.1  To allow passwords to be changed in accordance with policy, passwords must never be hard-coded into software developed or modified by The Fake Chicken Company staff or their agents.

 

 

Software Management Policy

 


2.6    Password Management and Access Control

 

2.6.1  Audit logs must record the login details for every login attempt including the result.

            This will assist system administrators in identifying unauthorised system use. 

 

 

Acceptable Use Policy

 


2.7    Authentication

 

2.7.1  All users must be positively identified prior to being granted access rights to any computer system, network or communications system owned or managed by The Fake Chicken Company.

 

 

 


© 2004 All Rights Reserved Kaon Security Ltd