Policy
Policy Name
Password Management Policy

Overview
A password is a secret phrase or text used to authenticate and prove identity in order to gain access to a resource, such as a system, application or data. User passwords are not intended to be shared and should be carefully controlled to prevent unauthorized access to sensitive information.

Statement
Passwords used for access to information resources must adhere to the following requirements:
  • A minimum of 10 characters
  • A minimum of one numeric character and one special character (e.g. @, $, #)
  • Unique to previous 12 passwords
  • Must be changed on first logon
  • Must not be programmed into scripts or configuration files
  • User passwords must be changed every 90 days (System ID passwords every 12 months)
  • The maximum number of failed login attempts should be 5 within a 24-hour period before the account is disabled (until reset by an approved service or administrator)

Justification

The following benefits will be achieved:

  • Ensure sound password security practices are followed
  • Ensure passwords are used to help protect sensitive information and systems

Scope
All employees, contractors, agents and third parties

Consequences for Noncompliance
Noncompliance with this policy can result in disciplinary action up to and including termination of employment or contract.

Topics
Password Usage
Password Management System