User Responsibilities

Password Use

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

Passwords are an important aspect of computer security.  They are the front line of protection for user accounts.  A poorly chosen password may result in the compromise of CX Index’s entire network.  As such, all CX Index employees (including contractors and vendors with access to CX Index systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any CX Index facility, has access to the CX Index network, or stores any non-public CX Index information.

User Password Rules

All users will keep their passwords confidential and store them securely (i.e. not on the computer and not on paper unless they can be properly protected).

Users will be made aware of good security practices and the requirement to use good security practices with their passwords.

All passwords are to be treated as confidential CX Index information.  They should not be shared with anyone, including administrators or assistants.

Password requirements:

  • If an account or password is suspected to have been compromised, report the incident to Senior Management and change all passwords.
  • Regular passwords shall be changed at least every 3 months (90 days).
  • Privileged passwords shall be changed every 90 days.
  • Passwords cannot be re-used for a minimum of 12 months or 10 passwords.
  • Temporary passwords will be changed at first log-on.
  • Systems shall be configured to lock user accounts in the event of 5 consecutive unsuccessful login attempts.  System Administrators may reset locked accounts; otherwise the minimum account lockout duration shall be 24 hours.

Passwords will not be stored on a computer or used in a macro for sign-on.  

Do not use the "Save Password" feature of applications.  

Passwords may not be inserted into e-mail messages or other forms of electronic communication.

Passwords should not be written down or stored unencrypted on ANY computer (including tablets and smartphones).

System Password Rules

System accounts (i.e., non-interactive accounts for applications or systems) must use passwords that meet or exceed the password composition requirements.

System-level passwords must be changed at least once every 90 days.  This includes shared secret keys for encryption of connections.

Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public", "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (i.e., SNMPv3).

Password Composition

All user-level and system-level passwords must conform to the requirements described below.

-Passwords will be at least 7 non-sequential characters long.

-Passwords will be composed of alpha-numeric characters.  

-Passwords will contain at least 3 of the 4 characteristics below:

  • alphabet character
  • upper case letter
  • number
  • non alpha-numeric character

Unattended User Equipment

Users shall protect CX Index’s information resources from unauthorised access by protecting unattended equipment:

  • Users will terminate active sessions when finished (or when leaving them unattended), or secure them with an appropriate locking function.
  • Users will log off multi-user systems when finished.
  • Users will log off or lock terminals when unattended.  
  • PCs or terminals shall be locked (i.e. by a key or password) when not in use.
  • A password-protected screen saver will be automatically invoked after 15 minutes of inactivity.
