2009
Password Procedures Version 0.01
Password Procedures
PROC_008
2009
DRAFT
Version 0.01
CONFIDENTIAL
Confidential: <Company Name Here>, Inc. 1
Table of Contents
1. Introduction .... 4
1.1. Purpose .... 4
1.2. Scope .... 4
1.3. Reference Documents .... 4
1.4. Record Summary .... 4
2. Procedure .... 5
2.1. Identification of all users .... 5
2.2. Secondary authentication .... 5
2.3. 2-Factor Authenticated Access .... 5
2.4. Encrypt all passwords during transmission and storage, on all system components .... 5
2.5. Authentication and password management .... 5
2.5.1. Modification of user IDs .... 5
2.5.2. Verify user identity before performing password resets .... 6
2.5.3. First-time password usage .... 6
2.5.4. Immediately revoke accesses of terminated users .... 6
2.5.5. Inactive user accounts .... 6
2.5.6. Vendors' remote maintenance .... 6
2.5.7. Distribute password procedures .... 6
2.5.8. Shared or generic accounts/passwords .... 6
2.5.9. Change user passwords .... 6
2.5.10. Password length .... 7
2.5.11. Password construction .... 7
2.5.12. New password criteria .... 7
2.5.13. Access attempts .... 7
2.5.14. Lockout duration .... 7
2.5.15. Session idle time .... 7
2.5.16. Authenticate database access .... 7
2.5.17. Difficult-To-Guess Passwords Required .... 7
2.5.18. Display and Printing of Passwords .... 8
2.5.19. Password Change Interval Non-Synchronization Across Platforms .... 8
2.5.20. Login protocol .... 8
2.6. Password Management System Internals Design .... 8
2.6.1. Users Forgetting Fixed Passwords .... 8
2.6.2. Storage Of Passwords In Readable Form .... 8
2.6.3. Incorporation Of Passwords Into Software .... 9
2.6.4. Prevention Of Password Retrieval .... 9
2.6.5. Reliance on Operating System User Authentication Process .... 9
2.6.6. Unique Passwords For Each Internal Network Device .... 9
2.7. Password Related User Responsibilities .... 9
2.7.1. Requirement for Different Passwords on Different Systems .... 9
2.7.2. Suspected Disclosure Forces Password Changes .... 9
2.7.3. Writing Passwords Down And Leaving Where Others Could Discover .... 10
2.7.4. Passwords Must Never Be Written Down Near Related Access Devices .... 10
2.7.5. Users Responsible For All Activities Involving Personal User IDs .... 10
2.8. Password Related Administrator Responsibilities .... 10
2.8.1. Forced Change Of All Passwords .... 10
2.8.2. In-Person Proof of Identity to Obtain a Password .... 10
2.8.3. When And How Passwords May Be Disclosed By Security Administrators .... 11
3. Document Change Control .... 12
1. Introduction
1.1. Purpose
The purpose of this document is to provide a detailed description of the unique ID
and password usage and control procedures for <Company Name Here>, Inc.
(“Company”).
1.2. Scope
This document applies to Company head office and data center.
2. Procedure
2.1. Identification of all users
All Staff at Company are required to have account names with passwords on
all computers they are authorized to access.
Passwords and account names are issued by IT to new employees when the
computer systems are set up. See Hiring Practices and Training (PROC-012A).
New employees can change their passwords but cannot change their
usernames.
Passwords will be generated manually and follow the construction guidelines
outlined below.