Password Management Policy
Purpose:
The purpose of this policy is to define the standards for creating strong passwords, ensuring the protection of these passwords, and establishing guidelines for regular password changes.
Scope:
The scope of this policy includes all personnel who have, or are responsible for, an account (or any form of access that supports or requires a password) on any business application or system (including G-Suite) that resides at any facility, has access to our network, or stores any non-public internal information.
Password Creation and Complexity Requirements:
To ensure the security of our systems and data, passwords must adhere to the following requirements:
- Password Length and Complexity:
  - Passwords should be at least 12 characters long.
  - Passwords should include at least one uppercase letter, one lowercase letter, one number, and one special character (e.g., @, #, $, %, &, *, etc.).
  - Passwords must not contain easily guessable information such as the user's name, username, or company name.
  - Passwords should avoid common phrases or dictionary words.
- Password Storage:
  - Passwords should never be stored in easily accessible locations, such as written on paper or saved in plain text files. They must be securely stored using protected methods, like password managers or encrypted storage.
  - Password management tools can be used for securely storing and managing passwords.
- Password Sharing:
  - Passwords must not be shared with anyone, including coworkers, and should never be written down or left in easily accessible places.
  - When passwords must be shared for legitimate business purposes, they should be shared using secure means such as encrypted messaging or password managers.
Password Expiration and Rotation:
To reduce the risk of unauthorized access, passwords must be changed periodically as outlined below:
- System-Level Passwords:
  - System-level passwords (e.g., root, administrator accounts, application administration) must be changed at least once every 180 days.
  - For high-risk systems (e.g., server environments, critical infrastructure), it is recommended to change passwords every 90 days or sooner based on security requirements.
- User-Level Passwords:
  - User-level passwords (e.g., email, internal apps, desktop computers) must be changed at least every 90 days.
  - Automated reminders for password changes should be set up to ensure compliance with the expiration policy.
- Password Reuse:
  - Reusing old passwords is strictly prohibited. Users must create unique passwords each time they are required to change their password.
- Password History:
  - The system must enforce a password history policy to prevent users from reusing their previous passwords for a set number of changes (e.g., last 5 passwords).
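The complexity rules above and the password-history rule can both be enforced at the point where a user sets a new password. The following is an added example (not part of this policy document or any product it names) of a checker that applies the 12-character, character-class, no-personal-information and no-dictionary-word rules, and compares a candidate against the last five stored password hashes; the word list and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string

# Constructed stand-in for a real dictionary/common-password word list (assumption).
COMMON_WORDS = {"password", "welcome", "summer", "letmein"}
SPECIALS = set(string.punctuation)


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest; the (salt, digest) pair is what the history store keeps."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def complexity_violations(password: str, username: str, full_name: str, company: str) -> list[str]:
    """Return every policy rule the candidate breaks; an empty list means it passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    lowered = password.lower()
    # Username, company name and any name part of 3+ letters must not appear anywhere (case-insensitive).
    guessable = [username, company] + [part for part in full_name.split() if len(part) >= 3]
    if any(g and g.lower() in lowered for g in guessable):
        problems.append("contains user, username or company name")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common dictionary word")
    return problems


def reused(password: str, history: list[tuple[bytes, bytes]], depth: int = 5) -> bool:
    """True if the candidate matches any of the last `depth` stored (salt, digest) pairs."""
    for salt, digest in history[-depth:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False
```

Storing only salted hashes in the history table lets the reuse check run without ever keeping old passwords in plain text, which is what the storage rules above require.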
Password Protection and Security:
- Two-Factor Authentication (2FA):
  - Wherever possible, two-factor authentication (2FA) should be enabled for all accounts that support it, particularly for accessing business-critical applications and systems (e.g., G-Suite, banking software, etc.).
  - 2FA methods may include a second factor like a code sent to a mobile device or an authenticator app.
- System Resources and SNMP Passwords:
  - System resources (e.g., SNMP, network devices) must use non-default community strings or usernames, and they must differ from interactive login passwords.
  - These strings must not include easily guessable words such as "private" or "public."
- Secure Password Transmission:
  - Passwords should never be sent over the internet without protection. Always ensure the website uses HTTPS instead of HTTP before entering your credentials, as HTTPS encrypts the connection.
Password Recovery and Reset:
- Password Reset:
  - In the event of a forgotten password, a secure password recovery process must be in place, requiring users to verify their identity (e.g., through email, SMS, or security questions).
  - Password reset links should expire within a set time limit (e.g., 15 minutes) to prevent abuse.
- Administrator Access:
  - Administrators who have access to reset passwords for user accounts must follow strict guidelines for verifying the identity of the individual requesting the reset.
  - Administrators should not reset passwords without proper verification procedures.
Training and Awareness:
- User Education:
  - Employees must undergo periodic training on the importance of password security, the creation of strong passwords, and the proper use of password management tools.
  - The training should include how to recognize phishing attempts and other forms of social engineering that could compromise password security.
Policy Review and Updates:
This policy will be reviewed at least annually and updated as needed to ensure it remains effective and aligned with best practices. Changes to the policy will be communicated to all employees, and any necessary training will be provided.
By following this Password Management Policy, we ensure the protection of sensitive data and reduce the likelihood of unauthorized access to our systems and applications.