2009
Password Procedures Version 0.01

<Company Name Here>, Inc.

Password Procedures
PROC_008

2009
DRAFT
Version 0.01
CONFIDENTIAL

Confidential: <Company Name Here>, Inc. 1
    
[11.14.18 – Document Version: PROC-008]

Table of Contents
1. Introduction
1.1. Purpose
1.2. Scope
1.3. Reference Documents
1.4. Record Summary
2. Procedure
2.1. Identification of all users
2.2. Secondary authentication
2.3. 2-Factor Authenticated Access
2.4. Encrypt all passwords during transmission and storage, on all system components
2.5. Authentication and password management
2.5.1. Modification of user IDs
2.5.2. Verify user identity before performing password resets
2.5.3. First-time password usage
2.5.4. Immediately revoke accesses of terminated users
2.5.5. Inactive user accounts
2.5.6. Vendors remote maintenance
2.5.7. Distribute password procedures
2.5.8. Shared, or generic accounts/passwords
2.5.9. Change user passwords
2.5.10. Password length
2.5.11. Password construction
2.5.12. New password criteria
2.5.13. Access attempts
2.5.14. Lockout duration
2.5.15. Session idle time
2.5.16. Authenticate database access
2.5.17. Difficult-To-Guess Passwords Required
2.5.18. Display and Printing of Passwords
2.5.19. Password Change Interval non-Synchronization Across Platforms
2.5.20. Login protocol
2.6. Password Management System Internals Design
2.6.1. Users Forgetting Fixed Passwords
2.6.2. Storage Of Passwords In Readable Form
2.6.3. Incorporation Of Passwords Into Software
2.6.4. Prevention Of Password Retrieval
2.6.5. Reliance on Operating System User Authentication Process
2.6.6. Unique Passwords For Each Internal Network Device
2.7. Password Related User Responsibilities
2.7.1. Requirement for Different Passwords on Different Systems
2.7.2. Suspected Disclosure Forces Password Changes
2.7.3. Writing Passwords Down And Leaving Where Others Could Discover
2.7.4. Passwords Must Never Be Written Down Near Related Access Devices
2.7.5. Users Responsible For All Activities Involving Personal User-IDs
2.8. Password Related Administrator Responsibilities
2.8.1. Forced Change Of All Passwords
2.8.2. In-Person Proof of Identity to Obtain a Password
2.8.3. When And How Passwords May Be Disclosed By Security Administrators
3. Document Change Control

1. Introduction
1.1. Purpose
The purpose of this document is to provide a detailed description of the
unique ID and password usage and control procedures for <Company Name Here>,
Inc. (“Company”).

1.2. Scope
This document applies to Company head office and data center.

1.3. Reference Documents
System Monitoring (PROC-010)
System Testing (PROC-011)
Hiring Practices and Training (PROC-012A)

1.4. Record Summary
LDAP database
Windows server password management rule set

2. Procedure
2.1. Identification of all users
All staff at Company are required to have account names with passwords on
all computers they are authorized to access.
Passwords and account names are issued by IT to new employees when the
computer systems are set up. See Hiring Practices and Training (PROC-012A).
New employees can change their passwords but cannot change their
usernames.
Passwords are generated manually and follow the construction guidelines
outlined below.

2.2. Secondary authentication
All staff accessing systems with cardholder data are required to authenticate
to the access mechanism (SSH) as well as authenticating to the server.

2.3. 2-Factor Authenticated Access
All Company staff that access systems remotely do so using an IPSEC/VPN.
Users are required to authenticate themselves using a TACACS token key
that generates a unique time-based password. Current token keys are
licensed from RSA.

2.4. Encrypt all passwords during transmission and storage, on all system
components
All password-based systems are accessed via encrypted channels such as
HTTPS, SSH, etc. No password is passed over a network unencrypted.

2.5. Authentication and password management
This section applies to all system components.

2.5.1. Modification of user IDs
Only IT has access to the server for administrative purposes, and IT may
add or remove credentials on this system only on the explicit instructions
of HR or the Head of IT (see Hiring Practices and Training PROC-012A).

2.5.2. Verify user identity before performing password resets
For Company staff, password resets are performed by IT only once the user
has clearly identified themselves to IT staff. This identification requires
the user to present themselves in person to IT staff. IT records all
password resets.

2.5.3. First-time password usage
All new Company staff are issued passwords that are generated by IT and
are unique. Once the user has logged into the system they are forced to
change their password.
Forced changes follow the password construction rules outlined in this
document.

2.5.4. Immediately revoke accesses of terminated users
All access by terminated users is revoked; see Hiring Practices and
Training (PROC-012A) for details.

2.5.5. Inactive user accounts
Inactive user accounts are backed up and removed immediately; see
Hiring Practices and Training (PROC-012A) for details.

2.5.6. Vendors remote maintenance
Remote vendor maintenance is not authorized at any time. Company is
responsible for all maintenance to systems. The only exception is the
routers and firewalls at the data center, which are administered and
monitored by Network, Systems Engineering and Administration (“NSA”).
Their access to these systems is 24x7.

2.5.7. Distribute password procedures
All staff receive the password policies and acknowledge that they have
read them along with the other policies and procedures. See Hiring
Practices and Training (PROC-012A) for details.

2.5.8. Shared, or generic accounts/passwords
No shared accounts are permitted.

2.5.9. Change user passwords
Users are required to change passwords every 90 days.

2.5.10. Password length
The minimum password length is seven characters.

2.5.11. Password construction
All passwords must contain both numeric and alpha characters. All user-
chosen passwords must contain at least one lower case and one upper
case alphabetic character. This will help make passwords difficult to guess
by unauthorized parties such as hackers and industrial spies.

2.5.12. New password criteria
Users are required to choose a different password each time the password
is changed; the previous four passwords are checked. The minimum life of a
new password must be set to 1 day to prevent password flushing, a
process where users rapidly rotate through new passwords in order to
change back to their original password.

2.5.13. Access attempts
Access attempts are limited to no more than six before the account is
locked.

2.5.14. Lockout duration
Lockout duration is thirty minutes. The administrator can override this and
reset the account.

2.5.15. Session idle time
Sessions that have been idle for more than fifteen minutes require
re-authentication.

2.5.16. Authenticate database access
All access to the cardholder database machine, irrespective of source, is
authenticated before access is granted.

2.5.17. Difficult-To-Guess Passwords Required
All user-chosen passwords for computers and networks must be difficult to
guess. Words in a dictionary, derivatives of user-IDs, and common
character sequences such as "123456" must not be employed. Likewise,
personal details such as a spouse's name, automobile license plate, social
security number, and birthday must not be used unless accompanied by
additional unrelated characters. User-chosen passwords must also not be
any part of speech; for example, proper names, geographical locations,
common acronyms, and slang must not be employed.
Passphrases longer than 15 characters may be made up of common words
concatenated.
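As an added example (not part of this procedure document), the construction rules of 2.5.10 through 2.5.17 expressed as one check. The word list, timestamps and sample passwords are constructed, and treating a password's alphabetic core as the dictionary word is my reading of the rule, not the Company's stated method:

```python
import re
from datetime import datetime, timedelta

# Constructed sample data standing in for the Company's word list; the
# procedure names the rule, not the list, so this is an assumption.
DICTIONARY = {"password", "welcome", "summer", "company"}
COMMON_SEQUENCES = ("123456", "abcdef", "qwerty")
MIN_LENGTH = 7                  # 2.5.10
HISTORY_DEPTH = 4               # 2.5.12: the previous four passwords are checked
MIN_AGE = timedelta(days=1)     # 2.5.12: minimum password life of one day
PASSPHRASE_LENGTH = 15          # 2.5.17: longer phrases may concatenate words

# Constructed timestamps used by the checks below.
NOW = datetime(2009, 3, 1, 9, 0)
LAST_CHANGED = datetime(2009, 1, 1, 9, 0)        # well past the minimum age
RECENT_CHANGE = NOW - timedelta(hours=2)         # inside the minimum age


def check_password(candidate, user_id, history, last_changed, now):
    """Return the list of rule violations; an empty list means acceptable.

    history: the user's previous passwords, most recent first. Plaintext is
    used here only to keep the example short; a real system compares hashes.
    """
    problems = []
    if now - last_changed < MIN_AGE:
        problems.append("changed less than 1 day ago (2.5.12)")
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 7 characters (2.5.10)")
    if not (re.search(r"[0-9]", candidate) and re.search(r"[A-Za-z]", candidate)):
        problems.append("needs both letters and digits (2.5.11)")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("needs upper and lower case (2.5.11)")
    if candidate in history[:HISTORY_DEPTH]:
        problems.append("matches one of the last 4 passwords (2.5.12)")
    lowered = candidate.lower()
    # Alphabetic core: "Welcome1" is still the dictionary word "welcome".
    core = re.sub(r"[^a-z]", "", lowered)
    if core in DICTIONARY and len(candidate) <= PASSPHRASE_LENGTH:
        problems.append("dictionary word (2.5.17)")
    if user_id.lower() in lowered:
        problems.append("derived from user-ID (2.5.17)")
    if any(seq in lowered for seq in COMMON_SEQUENCES):
        problems.append("contains a common character sequence (2.5.17)")
    return problems
```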

2.5.18. Display and Printing of Passwords
The display and printing of passwords must be masked, suppressed, or
otherwise obscured so that unauthorized parties will not be able to
observe or subsequently recover them.

2.5.19. Password Change Interval non-Synchronization Across Platforms
The fixed password change interval differs from system to system, and at no
time does every system require a password change simultaneously.

2.5.20. Login protocol
When logging into a Company computer or data communications system,
if any part of the login sequence is incorrect, the user must not be given
specific feedback indicating the source of the problem. Instead, the user
must simply be informed that the entire login process was incorrect.
At login time, every user must be shown the time and date of their last
login. This allows unauthorized system usage to be detected more easily.

2.6. Password Management System Internals Design
This section applies to all Company staff.

2.6.1. Users Forgetting Fixed Passwords
All users who have forgotten or misplaced their passwords must be issued a
new password by the operations department.

2.6.2. Storage Of Passwords In Readable Form
Passwords MUST NOT be stored in readable form in batch files,
automatic login scripts, software macros, terminal function keys, in
computers without access control, or in other locations where
unauthorized persons might discover or use them. Passwords must
always be encrypted when held in storage (in whatever form that storage
may take) or when transmitted over networks.
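The lockout, login-feedback and storage rules of 2.5.13, 2.5.14, 2.5.20 and 2.6.2 combined in one login routine, as an added example rather than the Company's own system. The in-memory account table and timestamps are constructed, and a salted PBKDF2 hash is my choice of non-readable storage form; the procedure only requires that the stored password not be readable:

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_ATTEMPTS = 6                        # 2.5.13: lock after six failed attempts
LOCKOUT = timedelta(minutes=30)         # 2.5.14: thirty-minute lockout
GENERIC_FAILURE = "Login incorrect."    # 2.5.20: no hint about which part failed
# Constructed timestamps for the demonstration.
T0 = datetime(2009, 3, 1, 9, 0)
AFTER_LOCKOUT = T0 + LOCKOUT + timedelta(minutes=1)


def hash_password(password, salt=None):
    """Keep only a salted PBKDF2 hash (2.6.2); the readable password is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, user_id, password):
        self.user_id = user_id
        self.salt, self.digest = hash_password(password)
        self.failures = 0
        self.locked_until = None
        self.last_login = None


class Authenticator:
    """Minimal login service over a constructed in-memory account table."""

    def __init__(self, accounts):
        self.accounts = {a.user_id: a for a in accounts}

    def login(self, user_id, password, now):
        acct = self.accounts.get(user_id)
        if acct is None:                 # unknown user: same message as a bad password
            return False, GENERIC_FAILURE
        if acct.locked_until is not None:
            if now < acct.locked_until:  # still locked, even with the right password
                return False, GENERIC_FAILURE
            acct.failures, acct.locked_until = 0, None   # lockout has expired
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failures += 1
            if acct.failures >= MAX_ATTEMPTS:
                acct.locked_until = now + LOCKOUT
            return False, GENERIC_FAILURE
        acct.failures = 0
        previous, acct.last_login = acct.last_login, now
        if previous is None:
            return True, "Welcome; this is your first login."
        return True, f"Last login: {previous:%Y-%m-%d %H:%M}"   # 2.5.20

    def admin_unlock(self, user_id):     # 2.5.14: administrator override
        acct = self.accounts[user_id]
        acct.failures, acct.locked_until = 0, None
```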

2.6.3. Incorporation Of Passwords Into Software
To allow passwords to be changed when needed, passwords must never
be hard-coded (incorporated) into software developed by or modified by
Company.

2.6.4. Prevention Of Password Retrieval
Computer and communication systems must be designed, tested, and
controlled so as to prevent both the retrieval and the unauthorized use of
stored passwords. Tests will be carried out on the system attempting to
access unencrypted passwords or to gain access using known passwords
(see System Testing PROC-011).

2.6.5. Reliance on Operating System User Authentication Process
Company application systems developers must consistently rely on the
password access controls provided by an operating system or by an access
control package that enhances the operating system. Developers must not
construct separate mechanisms to collect passwords or user-IDs.
Similarly, developers must not construct or install other mechanisms to
identify or authenticate the identity of users.

2.6.6. Unique Passwords For Each Internal Network Device
All Company internal network devices (routers, firewalls, access control
servers, etc.) and network devices associated with the Company must
have unique passwords or other access control mechanisms, so that a
compromise in the security of one device does not automatically lead to
a compromise of other devices.

2.7. Password Related User Responsibilities
This section applies to all Company staff and as an advisory to all CLIENTs.

2.7.1. Requirement for Different Passwords on Different Systems
To prevent the compromise of multiple systems, computer users must
employ different passwords on each of the systems to which they have
been granted access.

2.7.2. Suspected Disclosure Forces Password Changes
All passwords must be promptly changed if they are suspected of having
been disclosed, or are known to have been disclosed, to unauthorized
parties. Users are required to raise an Incident Report (see Corrective
Action and Incident Management Procedure PROC_012C) and immediately
inform the Head of IT.

2.7.3. Writing Passwords Down And Leaving Where Others Could Discover
Passwords must not be written down and left in a place where
unauthorized persons might discover them.

2.7.4. Passwords Must Never Be Written Down Near Related Access Devices
Users must never write down or otherwise record a readable password
and store it near the access device to which it pertains.

2.7.5. Users Responsible For All Activities Involving Personal User-IDs
Users are responsible for all activity performed with their personal user-
IDs. User-IDs may not be utilized by anyone but the individuals to whom
they have been issued. Users must not allow others to perform any activity
with their user-IDs. Similarly, users are forbidden from performing any
activity with IDs belonging to other users (excepting anonymous user-IDs
like "guest").

2.8. Password Related Administrator Responsibilities
Company production systems are regulated by IT, and these systems
contain the most valuable data. IT takes a snapshot of each system on a
weekly basis (see also System Monitoring PROC-010). This snapshot,
together with the logs, provides the baseline for judging whether a system
has been compromised.

2.8.1. Forced Change Of All Passwords
Whenever a system has been or is suspected of having been
compromised by an unauthorized party, IT must immediately change every
password on the involved system.

2.8.2. In-Person Proof of Identity to Obtain a Password
Passwords MUST NEVER be disclosed via voice telephone lines. To
obtain a new or changed password, a user must show up in person and
present suitable identification.

2.8.3. When And How Passwords May Be Disclosed By Security Administrators
Security administrators MUST NEVER disclose passwords. If the involved
user has forgotten or misplaced a password, that user's password must be
reset and the new password transmitted to the user using a secure
mechanism.

3. Document Change Control

Issue Number | Issue Date | Changed By | Details
0.01         | 2009       | IT Mgt     | Initial Draft
