Systems Plus College Foundation Information Security Policy

I. POLICY

A. It is the policy of Systems Plus College Foundation that information, as defined hereinafter, in all its forms -- written, spoken, recorded electronically or printed -- will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information.

B. All policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must also be documented. All the documentation, which may be in electronic form, must be retained for at least 6 (six) years after initial creation, or, pertaining to policies and procedures, after changes are made. All documentation must be periodically reviewed for appropriateness and currency, a period of time to be determined by each entity within Systems Plus College Foundation.

C. At each entity and/or department level, additional policies, standards and procedures will be developed detailing the implementation of this policy and set of standards, and addressing any additional information systems functionality in such entity and/or department. All departmental policies must be consistent with this policy. All systems implemented after the effective date of these policies are expected to comply with the provisions of this policy where possible. Existing systems are expected to be brought into compliance where possible and as soon as practical.

II. SCOPE

A. The scope of information security includes the protection of the confidentiality, integrity and availability of information.

B. The framework for managing information security in this policy applies to all Systems Plus College Foundation entities and workers, and other Involved Persons and all Involved Systems throughout Systems Plus College Foundation as defined below in INFORMATION SECURITY DEFINITIONS.

C. This policy and all standards apply to all and other classes of protected information in any form as defined below in INFORMATION CLASSIFICATION.

III. RISK MANAGEMENT

A. A thorough analysis of all Systems Plus College Foundation information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats -- internal or external, natural or manmade, electronic and non-electronic -- that affect the ability to manage the information resource. The analysis will also document the existing vulnerabilities within each entity which potentially expose the information resource to the threats. Finally, the analysis will also include an evaluation of the information assets and the technology associated with its collection, storage, dissemination and protection. From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information will be determined. The frequency of the risk analysis will be determined at the entity level.

B. Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the amount and scope of the vulnerabilities.

IV. INFORMATION SECURITY DEFINITIONS

Availability: Data or information is accessible and usable upon demand by an authorized person.

Confidentiality: Data or information is not made available or disclosed to unauthorized persons or processes.

Integrity: Data or information has not been altered or destroyed in an unauthorized manner.

Involved Persons: Every worker at Systems Plus College Foundation -- no matter what their status. This includes physicians, residents, students, employees, contractors, consultants, temporaries, volunteers, interns, etc.

Involved Systems: All computer equipment and network systems that are operated within the Systems Plus College Foundation environment. This includes all platforms (operating systems), all computer sizes (personal digital assistants, desktops, mainframes, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems.

Risk: The probability of a loss of confidentiality, integrity, or availability of information resources.

V. INFORMATION SECURITY RESPONSIBILITIES

A. Information Security Officer: The Information Security Officer (ISO) for each entity is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of Systems Plus College Foundation. Specific responsibilities include:
1. Ensuring security policies, procedures, and standards are in place and adhered to by entity.
2. Providing basic security support for all systems and users.
3. Advising owners in the identification and classification of computer resources. See Section VI Information Classification.
4. Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design, through testing and production implementation.
5. Educating custodian and user management with comprehensive information about security controls affecting system users and application systems.
6. Providing on-going employee security education.
7. Performing security audits.

B. Information Owner: The owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner of information has the responsibility for:
1. Knowing the information for which she/he is responsible.
2. Determining a data retention period for the information.
3. Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the unit.
4. Authorizing access and assigning custodianship.
5. Specifying controls and communicating the control requirements to the custodian and users of the information.
6. Initiating corrective actions when problems are identified.
7. Promoting employee education and awareness by utilizing programs approved.
8. Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.

C. Custodian: The custodian of information is generally responsible for the processing and storage of the information. The custodian is responsible for the administration of controls as specified by the owner. Responsibilities may include:
1. Releasing information as authorized by the Information Owner and/or the Information Privacy/Security Officer for use and disclosure using procedures that protect the privacy of the information.
5. Evaluating the cost effectiveness of controls.
6. Maintaining information security policies, procedures and standards as appropriate.
7. Promoting employee education and awareness by utilizing programs approved.
8. Reporting promptly to concern head in case the loss or misuse of Systems Plus College Foundation information.
9. Identifying and responding to security incidents and initiating appropriate actions when problems are identified.

D. User Management: Systems Plus College Foundation management who supervise users as defined below. User management is responsible for overseeing their employees' use of information, including:
1. Reviewing and approving all requests for their employees' access authorizations.
2. Initiating security change requests to keep employees' security record current with their positions and job functions.
3. Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures.
4. Revoking physical access to terminated employees, i.e., confiscating keys, changing combination locks, etc.
5. Providing employees with the opportunity for training needed to properly use the computer systems.
6. Reporting promptly to concern head in case the loss or misuse of Systems Plus College Foundation information.
7. Initiating corrective actions when problems are identified.
8. Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.

E. User: The user is any person who has been authorized to read, enter, or update information. A user of information is expected to:
1. Access information only in support of their authorized job responsibilities.
2. Comply with Information Security Policies and Standards and with all controls established by the owner and custodian.
3. Keep personal authentication devices (e.g. passwords, etc.) confidential.
4. Report promptly to concern head in case the loss or misuse of Systems Plus College Foundation information.
5. Initiate corrective actions when problems are identified.

VI. INFORMATION CLASSIFICATION

Classification is used to promote proper controls for safeguarding the confidentiality of information. Regardless of classification, the integrity and accuracy of all classifications of information must be protected. The classification assigned and the related controls applied are dependent on the sensitivity of the information. Information must be classified according to the most sensitive detail it includes. Information recorded in several formats (e.g., source document, electronic record, report) must have the same classification regardless of format. The following levels are to be used when classifying information:

A. Confidential Information
1. Confidential Information is very important and highly sensitive material. This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access. Examples of Confidential Information may include: personnel information, key financial information, proprietary information of commercial research sponsors, system access passwords and information file encryption keys.
2. Unauthorized disclosure of this information to people without a business need for access may violate laws and regulations, or may cause significant problems for Systems Plus College Foundation, its customers, or its business partners. Decisions about the provision of access to this information must always be cleared through the information owner.

B. Internal Information
1. Internal Information is intended for unrestricted use within Systems Plus College Foundation, and in some cases within affiliated organizations such as Systems Plus College Foundation business partners. This type of information is already widely distributed within Systems Plus College Foundation, or it could be so distributed within the organization without advance permission from the information owner. Examples of Internal Information may include: personnel directories, internal policies and procedures, most internal electronic mail messages.
2. Unauthorized disclosure of this information to outsiders may not be appropriate due to legal or contractual provisions.

C. Public Information
1. Public Information has been specifically approved for public release by a designated authority within each entity of Systems Plus College Foundation. Examples of Public Information may include marketing brochures and material posted to Systems Plus College Foundation entity internet web pages.
2. This information may be disclosed outside of Systems Plus College Foundation.

VII. COMPUTER AND INFORMATION CONTROL

All involved systems and information are assets of Systems Plus College Foundation and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.

A. Ownership of Software: All computer software developed by Systems Plus College Foundation employees or contract personnel on behalf of Systems Plus College Foundation or licensed for Systems Plus College Foundation use is the property of Systems Plus College Foundation and must not be copied for use at home or any other location, unless otherwise specified by the license agreement.

B. Installed Software: All software packages that reside on computers and networks within Systems Plus College Foundation must comply with applicable licensing agreements and restrictions and must comply with Systems Plus College Foundation acquisition of software policies.

C. Virus Protection: Virus checking systems approved by the Information Security Officer and Information Services must be deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems.

D. Access Controls: Physical and electronic access to Integrated Systems, Portals and other computing resources is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures will be instituted as recommended by the Information Security Officer and approved by Systems Plus College Foundation. Mechanisms to control access to Confidential and Internal information include (but are not limited to) the following methods:

1. Authorization: Access will be granted on a "need to know" basis and must be authorized by the immediate supervisor and application owner. Any of the following methods are acceptable for providing access under this policy:
a. Context-based access: Access control based on the context of a transaction (as opposed to being based on attributes of the initiator or target). The "external" factors might include time of day, location of the user, strength of user authentication, etc.
b. Role-based access: An alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization's structure and business activities. Each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.
c. User-based access: A security mechanism used to grant users of a system access based upon the identity of the user.
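The three authorization methods above can be combined in one decision function. The following is an added illustration, not part of the Systems Plus College Foundation policy and not code from any system it describes: a user holds roles (role-based), may carry an explicit per-user grant (user-based), and the decision is then filtered by context rules on time of day and authentication strength (context-based). The role names, resources, user ids, working hours and the two-level authentication strength scale are constructed assumptions for the demonstration.

```python
"""Added example: an access decision combining role-based, user-based and
context-based checks. All tables below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import time

# Role-based: each predefined role carries the privileges needed to perform it.
ROLE_PRIVILEGES = {
    "registrar": {("student_records", "read"), ("student_records", "update")},
    "faculty": {("student_records", "read")},
    "helpdesk": {("directory", "read")},
}

# User-based: explicit grants tied to one user id (e.g. approved by the owner).
USER_GRANTS = {
    "jdoe": {("directory", "read")},
}

# Context-based: per-resource rules. Confidential records require working
# hours and strong authentication; the directory (Internal) only a password.
CONTEXT_RULES = {
    "student_records": {"hours": (time(7, 0), time(19, 0)), "min_auth": 2},
    "directory": {"hours": None, "min_auth": 1},
}


@dataclass
class Context:
    now: time
    auth_strength: int  # assumed scale: 1 = password only, 2 = password + token/biometric


@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)


def has_privilege(user, resource, action):
    """Role-based OR user-based grant for (resource, action)."""
    wanted = (resource, action)
    if wanted in USER_GRANTS.get(user.user_id, set()):
        return True
    return any(wanted in ROLE_PRIVILEGES.get(r, set()) for r in user.roles)


def context_allows(resource, ctx):
    """Context-based filter: authentication strength and time-of-day window."""
    rule = CONTEXT_RULES.get(resource)
    if rule is None:
        return False  # unknown resource: deny by default
    if ctx.auth_strength < rule["min_auth"]:
        return False
    if rule["hours"] is not None:
        start, end = rule["hours"]
        if not (start <= ctx.now <= end):
            return False
    return True


def decide(user, resource, action, ctx):
    """Return (allowed, reason). Privilege is checked first, then context."""
    if not has_privilege(user, resource, action):
        return False, "no role or user grant"
    if not context_allows(resource, ctx):
        return False, "context rule failed"
    return True, "granted"


if __name__ == "__main__":
    print(decide(User("rlee", {"registrar"}), "student_records", "update", Context(time(9, 0), 2)))
    print(decide(User("rlee", {"registrar"}), "student_records", "update", Context(time(22, 0), 2)))
```

The reason string is what an audit log should record alongside the user id, so that a later review can distinguish a missing grant from a context denial.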
2. Identification/Authentication: Unique user identification (user id) and authentication is required for all systems that maintain or access Confidential and/or Internal Information. Users will be held accountable for all actions performed on the system with their user id.
a. At least one of the following authentication methods must be implemented:
1. strictly controlled passwords (Attachment 1 -- Password Control Standards),
2. biometric identification, and/or
3. tokens in conjunction with a PIN.
b. The user must secure his/her authentication control (e.g. password, token) such that it is known only to that user and possibly a designated security manager.
c. An automatic timeout re-authentication must be required after a certain period of no activity (maximum 15 minutes).
d. The user must log off or secure the system when leaving it.

3. Data Integrity: Systems Plus College Foundation must be able to provide corroboration that Confidential and Internal Information has not been altered or destroyed in an unauthorized manner. Listed below are some methods that support data integrity:

4. Transmission Security: Technical security mechanisms must be put in place to guard against unauthorized access to data that is transmitted over a communications network, including wireless networks. The following features must be implemented:
a. integrity controls and
b. encryption, where deemed appropriate

5. Remote Access: Access into the Systems Plus College Foundation network from outside will be granted using Systems Plus College Foundation approved devices and pathways on an individual user and application basis. All other network access options are strictly prohibited. Further, Confidential and/or Internal Information that is stored or accessed remotely must maintain the same level of protection as information stored and accessed within the Systems Plus College Foundation network.

6. Physical Access: Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals. The following physical controls must be in place:
a. Computer Server systems must be installed in an access-controlled area. The area in and around the computer facility must afford protection against fire, water damage, and other environmental hazards such as power outages and extreme temperature situations.
b. File servers containing Confidential and/or Internal Information must be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.
c. Workstations or personal computers (PC) must be secured against use by unauthorized individuals. Local procedures and standards must be developed on secure and appropriate workstation use and physical safeguards which must include procedures that will:
1. Position workstations to minimize unauthorized viewing of protected health information.
2. Grant workstation access only to those who need it in order to perform their job function.
3. Establish workstation location criteria to eliminate or minimize the possibility of unauthorized access to protected health information.
4. Employ physical safeguards as determined by risk analysis, such as locating workstations in controlled access areas or installing covers or enclosures.
5. Use automatic screen savers with passwords to protect unattended machines.
d. Facility access controls must be implemented to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. Local policies and procedures must be developed to address the following facility access control requirements:
1. Contingency Operations -- Documented procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
2. Facility Security Plan -- Documented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
3. Access Control and Validation -- Documented procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
4. Maintenance Records -- Documented policies and procedures to document repairs and modifications to the physical components of the facility which are related to security (for example, hardware, walls, doors, and locks).

E. Emergency Access:
a. Each entity is required to establish a mechanism to provide emergency access to systems and applications in the event that the assigned custodian or owner is unavailable during an emergency.
b. Procedures must be documented to address:
1. Authorization,
2. Implementation, and
3. Revocation

F. Equipment and Media Controls: The disposal of information must ensure the continued protection of Confidential and Internal Information. Each entity must develop and implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain Confidential and Internal Information into and out of a facility, and the movement of these items within the facility. The following specifications must be addressed:
1. Information Disposal / Media Re-Use of:
a. Hard copy (paper and microfilm/fiche)
b. Magnetic media (floppy disks, hard drives, zip disks, etc.) and
c. CD ROM Disks
2. Accountability: Each entity must maintain a record of the movements of hardware and electronic media and any person responsible therefore.
3. Data Backup and Storage: When needed, create a retrievable, exact copy of electronic Confidential and Internal Information before movement of equipment.

G. Other Media Controls:
1. Confidential Information stored on external media (diskettes, cd-roms, portable storage, memory sticks, etc.) must be protected from theft and unauthorized access. Such media must be appropriately labeled so as to identify it as Confidential Information. Further, external media containing Confidential Information must never be left unattended in unsecured areas.
2. Confidential Information must never be stored on mobile computing devices (laptops, personal digital assistants (PDA), smart phones, tablet PCs, etc.) unless the devices have the following minimum security requirements implemented:
a. Power-on passwords
b. Auto logoff or screen saver with password
c. Encryption of stored data or other acceptable safeguards approved by the Information Security Officer
Further, mobile computing devices must never be left unattended in unsecured areas.
3. If Confidential Information is stored on external media or mobile computing devices and there is a breach of confidentiality as a result, then the owner of the medium/device will be held personally accountable and is subject to the terms and conditions of the Systems Plus College Foundation Information Security Policies and Confidentiality Statement signed as a condition of employment or affiliation with Systems Plus College Foundation.

H. Data Transfer/Printing:
1. Electronic Mass Data Transfers: Downloading and uploading Confidential and Internal Information between systems must be strictly controlled. Requests for mass downloads of, or individual requests for, information for research purposes that include Systems Plus College Foundation must be approved. All other mass downloads of information must be approved by the Application Owner and include only the minimum amount of information necessary to fulfill the request. Applicable Business Associate Agreements must be in place when transferring Confidential and Internal Information to external entities.
2. Other Electronic Data Transfers and Printing: Confidential and Internal Information must be stored in a manner inaccessible to unauthorized individuals. Confidential information must not be downloaded, copied or printed indiscriminately or left unattended and open to compromise. Confidential and Internal Information that is downloaded for educational purposes should, where possible, be de-identified before use.

I. Oral Communications: Systems Plus College Foundation staff should be aware of their surroundings when discussing Confidential Information. This includes the use of cellular telephones in public areas. Systems Plus College Foundation staff should not discuss Confidential Information in public areas if the information can be overheard. Caution should be used when conducting conversations in: semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.

J. Audit Controls: Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use Confidential Information must be implemented. Further, procedures must be implemented to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These reviews must be documented and maintained for six (6) years.

K. Evaluation: Systems Plus College Foundation requires that periodic technical and non-technical evaluations be performed in response to environmental or operational changes affecting the security of electronic Confidential and Internal Information to ensure its continued protection.

L. Contingency Plan: Controls must ensure that Systems Plus College Foundation can recover from any damage to computer equipment or files within a reasonable period of time. Each entity is required to develop and maintain a plan for responding to a system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain Confidential or Internal Information. This will include developing policies and procedures to address the following:
1. Data Backup Plan:
a. A data backup plan must be documented and routinely updated to create and maintain, for a specific period of time, retrievable exact copies of information.
b. Backup data must be stored in an off-site location and protected from physical damage.
c. Backup data must be afforded the same level of protection as the original data.
2. Disaster Recovery Plan: A disaster recovery plan must be developed and documented which contains a process enabling the entity to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.
3. Emergency Mode Operation Plan: A plan must be developed and documented which contains a process enabling the entity to continue to operate in the event of fire, vandalism, natural disaster, or system failure.
4. Testing and Revision Procedures: Procedures should be developed and documented requiring periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary.
5. Applications and Data Criticality Analysis: The criticality of specific applications and data in support of other contingency plan components must be assessed and documented.

VIII. COMPLIANCE

A. The Information Security Policy applies to all users of Systems Plus College Foundation information including: employees, medical staff, students, volunteers, and outside affiliates. Failure to comply with Information Security Policies and Standards by employees, medical staff, volunteers, and outside affiliates may result in disciplinary action up to and including dismissal in accordance with applicable Systems Plus College Foundation procedures, or, in the case of outside affiliates, termination of the affiliation. Failure to comply with Information Security Policies and Standards by students may constitute grounds for corrective action in accordance with Systems Plus College Foundation procedures. Further, penalties associated with state and federal laws may apply.

B. Possible disciplinary/corrective action may be instituted for, but is not limited to, the following:
1. Unauthorized disclosure of a sign-on code (user id) or password.
2. Attempting to obtain a sign-on code or password that belongs to another person.
3. Using or attempting to use another person's sign-on code or password.
4. Unauthorized use of an authorized password to invade patient privacy by examining records or information for which there has been no request for review.
5. Installing or using unlicensed software on Systems Plus College Foundation computers.
6. The intentional unauthorized destruction of Systems Plus College Foundation information.
7. Attempting to get access to sign-on codes for purposes other than official business, including completing fraudulent documentation to gain access.

ATTACHMENT 1
Password Control Standards

The Systems Plus College Foundation Information Security Policy requires the use of strictly controlled passwords for protected systems. (See the Systems Plus College Foundation Information Security Policy for the definition of these protected classes of information.) Listed below are the minimum standards that must be implemented in order to ensure the effectiveness of password controls.

Standards for accessing protected systems / network / portal: Users are responsible for complying with the following password standards:
1. Passwords must never be shared with another person, unless the person is a designated security manager.
2. Every password must, where possible, be changed regularly (between 45 and 90 days depending on the sensitivity of the information being accessed).
3. Passwords must, where possible, have a minimum length of six characters.
4. Passwords must never be saved when prompted by any application, with the exception of central single sign-on (SSO) systems. This feature should be disabled in all applicable systems.
5. Passwords must not be programmed into a PC or recorded anywhere that someone may find and use them.
6. When creating a password, it is important not to use words that can be found in dictionaries or words that are easily guessed due to their association with the user (i.e. children's names, pets' names, birthdays, etc). A combination of alpha and numeric characters is more difficult to guess.

Where possible, system software must enforce the following password standards:
1. Passwords routed over a network must be encrypted.
2. Passwords must be entered in a non-display field.
3. System software must enforce the changing of passwords and the minimum length.
4. System software must disable the user identification code when more than three consecutive invalid passwords are given within a 15 minute timeframe. Lockout time must be set at a minimum of 30 minutes.
5. System software must maintain a history of previous passwords and prevent their reuse.
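The enforceable rules of Attachment 1 (minimum length of six, no dictionary or user-associated words, alpha plus numeric mix, a reuse-blocking history, the 45/90-day change interval, and lockout after more than three consecutive failures within 15 minutes for at least 30 minutes) can be expressed as a small reference check. The following is an added example and not code from Systems Plus College Foundation or any product the policy names; the word list, the user-associated terms, the mapping of the change interval to the two sensitivity levels, and the use of salted PBKDF2 for the password history are assumptions made for the demonstration.

```python
"""Added example: enforcing the Attachment 1 password standards.
Word list, sensitivity mapping and hashing choice are constructed here."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 6
MAX_FAILURES = 3                          # "more than three consecutive invalid passwords" ...
FAILURE_WINDOW = timedelta(minutes=15)    # ... "within a 15 minute timeframe"
LOCKOUT_DURATION = timedelta(minutes=30)  # "minimum of 30 minutes"
MAX_AGE_DAYS = {"confidential": 45, "internal": 90}  # assumed mapping of the 45-90 day range

# Constructed stand-in for a dictionary word list.
DICTIONARY = {"password", "welcome", "college", "summer", "letmein"}


def hash_password(password, salt=None):
    """Salted PBKDF2 digest; the history stores (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password, stored):
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_new_password(candidate, user_terms, history):
    """Return the list of violated rules (empty list means acceptable).
    user_terms: words associated with the user (names, pets, birthdays).
    history: previously used (salt, digest) pairs for this user."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 6 characters")
    lowered = candidate.lower()
    if lowered in DICTIONARY:
        problems.append("dictionary word")
    if any(term.lower() in lowered for term in user_terms if term):
        problems.append("associated with the user")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("needs both alpha and numeric characters")
    if any(verify_password(candidate, old) for old in history):
        problems.append("previously used")
    return problems


def password_expired(last_changed, sensitivity, now):
    """True when the password is older than the interval for its sensitivity."""
    return now - last_changed > timedelta(days=MAX_AGE_DAYS[sensitivity])


class LockoutTracker:
    """Disables a user id once MAX_FAILURES is exceeded inside FAILURE_WINDOW;
    the lock lasts LOCKOUT_DURATION. A success clears the failure run."""

    def __init__(self):
        self.failures = {}      # user_id -> timestamps of recent consecutive failures
        self.locked_until = {}  # user_id -> datetime

    def is_locked(self, user_id, now):
        until = self.locked_until.get(user_id)
        return until is not None and now < until

    def record_failure(self, user_id, now):
        """Return True if this failure triggers a lockout."""
        recent = [t for t in self.failures.get(user_id, []) if now - t <= FAILURE_WINDOW]
        recent.append(now)
        self.failures[user_id] = recent
        if len(recent) > MAX_FAILURES:
            self.locked_until[user_id] = now + LOCKOUT_DURATION
            self.failures[user_id] = []
            return True
        return False

    def record_success(self, user_id):
        self.failures.pop(user_id, None)


if __name__ == "__main__":
    print(check_new_password("welcome", [], []))
    tracker = LockoutTracker()
    t0 = datetime(2024, 1, 1, 8, 0)
    for minute in range(4):
        print(tracker.record_failure("u1", t0 + timedelta(minutes=minute)))
```

The tracker keeps only failure timestamps and a lock expiry, never the attempted passwords, which is what an access report for the audit controls in section VII.J needs.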