Password Management Policy
1. Objective
To ensure Integra has a strong password management policy and establishes standards for safeguarding the privacy, confidentiality, and security of electronically stored information, computers and networks through the use of strong passwords.
2. Scope
This is applicable to all employees at Integra.
3. Reference
Standard: ISO 27001:2022 Information Security Management System
Control: A.5.17
4. Definition
Protection against unauthorized access, modification or destruction.
5. General Principles
- Identify devices that require passwords.
- Periodically review users' access rights at regular intervals.
- Passwords are an important aspect of computer security. Some of the common uses include user-level accounts, web accounts, email accounts, etc.
5.1 Password Requirement
- All users shall be allocated a unique username and password by the IT support department.
- All users requiring password assistance shall contact the IT support team for an unlock or reset.
5.2 Password Security Standards
- Expiration: The initial password allocated by the IT support team shall expire immediately after first login. Subsequent passwords are set to expire every 21 days. Passwords shall be terminated when there is reason to believe a password has been compromised, or on termination (exit) of an employee.
- Password History: Users cannot reuse any of their last 12 passwords.
- Password Communication: Passwords shall be communicated personally to users by the IT support team.
Note: Passwords must not be communicated via unencrypted email or other unsecured electronic communication.
- Supervisors may obtain access to a reporter system only with prior approval from the CISO.
- User ID Creation Rules: The user name is generally the first name followed by the first letter of the last name. [If the user name already exists in the system, the defined format cannot be strictly adhered to.]
- Password Creation Rules: Must be a minimum of eight (8) characters and contain 3 out of 4 of the following characteristics:
- Upper case letters (A-Z)
- Lower case letters (a-z)
- Digits (0-9)
- Special characters
- Must not be a dictionary word.
- Must be significantly different from previous passwords.
- Must not contain all or part of the user ID.
- Where possible, use different passwords for different systems. Example: separate passwords for network and application systems.
- Password Change: Users can change their OWN passwords on the system using the Change Password facility.
- Account Lockout: Three consecutive invalid attempts to enter a user ID and password will result in an automatic account lockout. The account will be locked for one hour, after which it will be released automatically. If an earlier unlock is needed, the user has to call the IT support team and provide their identification; the IT support team will unlock the account manually only after the account owner's identity has been verified.
- Minimum Age: The minimum age of a password shall be 20 days from activation.
- If an account or password has been compromised, change all passwords and report the incident to the IT support team.
- 2FA/MFA should be set up by the user. Only virtual (app-based) or hardware 2FA is allowed; SMS and voice-call 2FA should not be used.
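The creation, history and user-ID rules of section 5.2 expressed as a compliance check, written here as an added example rather than any Integra tooling. It assumes "part of the user ID" means any case-insensitive substring of three or more characters, "significantly different" means an edit distance of at least 4 from each of the last 12 passwords, and the dictionary is a small constructed sample.

```python
import re

# Constructed sample dictionary; a deployment would load a real wordlist.
DICTIONARY = {"password", "welcome", "integra", "summer", "letmein"}

# The four character classes named in the policy; 3 of 4 are required.
CLASSES = [re.compile(r"[A-Z]"), re.compile(r"[a-z]"),
           re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]")]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; assumption: >= 4 counts as 'significantly different'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate: str, user_id: str, history: list[str]) -> list[str]:
    """Return the policy rules the candidate violates (empty list = compliant)."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if sum(1 for c in CLASSES if c.search(candidate)) < 3:
        problems.append("fewer than 3 of 4 character classes")
    if candidate.lower() in DICTIONARY:
        problems.append("dictionary word")
    # Assumption: 'part of the user ID' = any substring of 3+ characters.
    uid, low = user_id.lower(), candidate.lower()
    if any(uid[i:i + 3] in low for i in range(len(uid) - 2)):
        problems.append("contains part of the user ID")
    # Last 12 passwords may not be reused; new one must differ significantly.
    for old in history[-12:]:
        if candidate == old:
            problems.append("reuses one of the last 12 passwords")
            break
        if levenshtein(candidate, old) < 4:
            problems.append("too similar to a previous password")
            break
    return problems
```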
5.3 CISO Responsibilities
- Approve supervisors' requisitions (if any) for access to their reporter system(s).
- Approve any exceptions to the Password Management Policy.
- Responsible for system-level privileges.
- Responsible for the review of password control procedures.
- Review incidents reported and define necessary preventive and corrective measures.