Information Security Policy

Published on April 2017

 

Systems Plus College Foundation Information Security Policy

I. POLICY

A. It is the policy of Systems Plus College Foundation that information, as defined hereinafter, in all its forms--written, spoken, recorded electronically or printed--will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information.

B. All policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must also be documented. All the documentation, which may be in electronic form, must be retained for at least 6 (six) years after initial creation, or, pertaining to policies and procedures, after changes are made. All documentation must be periodically reviewed for appropriateness and currency, a period of time to be determined by each entity within Systems Plus College Foundation.

C. At each entity and/or department level, additional policies, standards and procedures will be developed detailing the implementation of this policy and set of standards, and addressing any additional information systems functionality in such entity and/or department. All departmental policies must be consistent with this policy. All systems implemented after the effective date of these policies are expected to comply with the provisions of this policy where possible. Existing systems are expected to be brought into compliance where possible and as soon as practical.

II. SCOPE

A. The scope of information security includes the protection of the confidentiality, integrity and availability of information.

B. The framework for managing information security in this policy applies to all Systems Plus College Foundation entities and workers, and other Involved Persons and all Involved Systems throughout Systems Plus College Foundation as defined below in INFORMATION SECURITY DEFINITIONS.

C. This policy and all standards apply to all and other classes of protected information in any form as defined below in INFORMATION CLASSIFICATION.

IS/ 0A1A201$  A.

A thorough thorough analysis of of all Systems Systems Plus College College Foundation Foundation information information netor!s netor!s and systems "e conducted on a periodic "asis to $he document theill threats and %ulnera"ilities %ulnera"ilit iesill to stored and transmitted information. analysis e*amine

 

the types of threats 3 internal or e*ternal, natural or manmade, electronic and non-electronic-non-electronic -- that affect the a"ility to manage the information resource. $he analysis ill also document the e*isting %ulnera"ilities ithin each entity hich potentially e*pose the information resource to the threats. Finally, the analysis ill also include an e%aluation of the information assets and the technology associated ith its collection, storage, dissemination and protection. From the com"ination of threats, %ulnera"ilities, and asset %alues, an estimate of the ris!s to the confidentiality, integrity and a%aila"ility of the information ill "e determined. $he fre&uency of the ris! analysis ill "e determined at the entity le%el. '.

I4.

'ased on the periodic assessment, measures ill "e implemented that reduce the impact of the threats "y reducing the amount and scope of the %ulnera"ilities.

I1FO0A$IO1 SC5I$Y 6FI1I$IO1S A#aila$ility%  6ata or information is accessi"le and usa"le upon demand "y an A#aila$ility% 6ata authori#ed person. Confidentiality%  6ata or information is not made a%aila"le or disclosed to unauthori#ed persons or processes. Integrity%  6ata or information has not "een altered or destroyed in an unauthori#ed Integrity% 6ata manner. In#ol#ed Persons% %ery Persons% %ery or!er at Systems Plus College Foundation  -- no matter hat their status. $his includes physicians, residents, students, employees, contractors, consultants, temporaries, %olunteers, interns, etc. In#ol#ed Systems% All Systems% All computer e&uipment and netor! systems that are operated ithin the Systems Plus College Foundation en%ironment. $his includes all platforms )operating systems+, all computer si#es )personal digital assistants, des!tops, mainframes, etc.+, and all applications and data )hether de%eloped in-house or licensed from third parties+ contained on those systems. Ris&% $he pro"a"ility of a loss of confidentiality, integrity, or a%aila"ility of information resources.

V. INFORMATION SECURITY RESPONSIBILITIES

A. Information Security Officer: The Information Security Officer (ISO) for each entity is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of Systems Plus College Foundation. Specific responsibilities include:

1. Ensuring security policies, procedures, and standards are in place and adhered to by entity.
2. Providing basic security support for all systems and users.
3. Advising owners in the identification and classification of computer resources. See Section VI Information Classification.
4. Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design, through testing and production implementation.
5. Educating custodian and user management with comprehensive information about security controls affecting system users and application systems.
6. Providing on-going employee security education.
7. Performing security audits.

B. Information Owner: The owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner of information has the responsibility for:

1. Knowing the information for which she/he is responsible.
2. Determining a data retention period for the information.
3. Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the unit.
4. Authorizing access and assigning custodianship.
5. Specifying controls and communicating the control requirements to the custodian and users of the information.
6. Initiating corrective actions when problems are identified.
7. Promoting employee education and awareness by utilizing programs approved.
8. Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.

C. Custodian: The custodian of information is generally responsible for the processing and storage of the information. The custodian is responsible for the administration of controls as specified by the owner. Responsibilities may include:

1. Providing and/or recommending physical safeguards.
2. Providing and/or recommending procedural safeguards.
3. Administering access to information.
4. Releasing information as authorized by the Information Owner and/or the Information Privacy/Security Officer for use and disclosure using procedures that protect the privacy of the information.
5. Evaluating the cost effectiveness of controls.
6. Maintaining information security policies, procedures and standards as appropriate.
7. Promoting employee education and awareness by utilizing programs approved.
8. Reporting promptly to concern head in case of the loss or misuse of Systems Plus College Foundation information.
9. Identifying and responding to security incidents and initiating appropriate actions when problems are identified.

D. User Management: Systems Plus College Foundation management who supervise users as defined below. User management is responsible for overseeing their employees' use of information, including:

1. Reviewing and approving all requests for their employees' access authorizations.
2. Initiating security change requests to keep employees' security record current with their positions and job functions.
3. Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures.
4. Revoking physical access to terminated employees, i.e., confiscating keys, changing combination locks, etc.
5. Providing employees with the opportunity for training needed to properly use the computer systems.
6. Reporting promptly to concern head in case of the loss or misuse of Systems Plus College Foundation information.
7. Initiating corrective actions when problems are identified.
8. Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.

E. User: The user is any person who has been authorized to read, enter, or update information. A user of information is expected to:

1. Access information only in support of their authorized job responsibilities.
2. Comply with Information Security Policies and Standards and with all controls established by the owner and custodian.
3. Keep personal authentication devices (e.g. passwords, etc.) confidential.
4. Report promptly to concern head in case of the loss or misuse of Systems Plus College Foundation information.
5. Initiate corrective actions when problems are identified.

VI. INFORMATION CLASSIFICATION

Classification is used to promote proper controls for safeguarding the confidentiality of information. Regardless of classification, the integrity and accuracy of all classifications of information must be protected. The classification assigned and the related controls applied are dependent on the sensitivity of the information. Information must be classified according to the most sensitive detail it includes. Information recorded in several formats (e.g., source document, electronic record, report) must have the same classification regardless of format. The following levels are to be used when classifying information:

A. Confidential Information

1. Confidential Information is very important and highly sensitive material. This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access. Examples of Confidential Information may include: personnel information, key financial information, proprietary information of commercial research sponsors, system access passwords and information file encryption keys.
2. Unauthorized disclosure of this information to people without a business need for access may violate laws and regulations, or may cause significant problems for Systems Plus College Foundation, its customers, or its business partners. Decisions about the provision of access to this information must always be cleared through the information owner.

B. Internal Information

1. Internal Information is intended for unrestricted use within Systems Plus College Foundation, and in some cases within affiliated organizations such as Systems Plus College Foundation business partners. This type of information is already widely distributed within Systems Plus College Foundation, or it could be so distributed within the organization without advance permission from the information owner. Examples of Internal Information may include: personnel directories, internal policies and procedures, most internal electronic mail messages.
2. Unauthorized disclosure of this information to outsiders may not be appropriate due to legal or contractual provisions.

C. Public Information

1. Public Information has been specifically approved for public release by a designated authority within each entity of Systems Plus College Foundation. Examples of Public Information may include marketing brochures and material posted to Systems Plus College Foundation entity internet web pages.
2. This information may be disclosed outside of Systems Plus College Foundation.

VII. COMPUTER AND INFORMATION CONTROL

All involved systems and information are assets of Systems Plus College Foundation and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.

A. Ownership of Software: All computer software developed by Systems Plus College Foundation employees or contract personnel on behalf of Systems Plus College Foundation or licensed for Systems Plus College Foundation use is the property of Systems Plus College Foundation and must not be copied for use at home or any other location, unless otherwise specified by the license agreement.

B. Installed Software: All software packages that reside on computers and networks within Systems Plus College Foundation must comply with applicable licensing agreements and restrictions and must comply with Systems Plus College Foundation acquisition of software policies.

C. Virus Protection: Virus checking systems approved by the Information Security Officer and Information Services must be deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems.

D. Access Controls: Physical and electronic access to Integrated Systems, Portals and other computing resources is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures will be instituted as recommended by the Information Security Officer and approved by Systems Plus College Foundation. Mechanisms to control access to Confidential and Internal information include (but are not limited to) the following methods:

1. Authorization: Access will be granted on a "need to know" basis and must be authorized by the immediate supervisor and application owner. Any of the following methods are acceptable for providing access under this policy:

a. Context-based access: Access control based on the context of a transaction (as opposed to being based on attributes of the initiator or target). The "external" factors might include time of day, location of the user, strength of user authentication, etc.

b. Role-based access: An alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization's structure and business activities. Each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.

c. User-based access: A security mechanism used to grant users of a system access based upon the identity of the user.

2. Identification/Authentication: Unique user identification (user id) and authentication is required for all systems that maintain or access Confidential and/or Internal Information. Users will be held accountable for all actions performed on the system with their user id.

 

a. At least one of the following authentication methods must be implemented:

1. strictly controlled passwords (Attachment 1 - Password Control Standards),
2. biometric identification, and/or
3. tokens in conjunction with a PIN.

b. The user must secure his/her authentication control (e.g. password, token) such that it is known only to that user and possibly a designated security manager.

c. An automatic timeout re-authentication must be required after a certain period of no activity (maximum 15 minutes).

d. The user must log off or secure the system when leaving it.

3. Data Integrity: Systems Plus College Foundation must be able to provide corroboration that Confidential and Internal Information has not been altered or destroyed in an unauthorized manner. Listed below are some methods that support data integrity:

a. transaction audit
b. disk redundancy (RAID)
c. ECC (Error Correcting Memory)
d. checksums (file integrity)
e. encryption of data in storage
f. digital signatures

4. Transmission Security: Technical security mechanisms must be put in place to guard against unauthorized access to data that is transmitted over a communications network, including wireless networks. The following features must be implemented:

a. integrity controls and
b. encryption, where deemed appropriate

5. Remote Access: Access into the Systems Plus College Foundation network from outside will be granted using Systems Plus College Foundation approved devices and pathways on an individual user and application basis. All other network access options are strictly prohibited. Further, Confidential and/or Internal Information that is stored or accessed remotely must maintain the same level of protections as information stored and accessed within the Systems Plus College Foundation network.

6. Physical Access: Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals. The following physical controls must be in place:

a. Computer Server systems must be installed in an access-controlled area. The area in and around the computer facility must afford protection against fire, water damage, and other environmental hazards such as power outages and extreme temperature situations.

b. File servers containing Confidential and/or Internal Information must be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.

c. Workstations or personal computers (PC) must be secured against use by unauthorized individuals. Local procedures and standards must be developed on secure and appropriate workstation use and physical safeguards which must include procedures that will:

1. Position workstations to minimize unauthorized viewing of protected health information.
2. Grant workstation access only to those who need it in order to perform their job function.
3. Establish workstation location criteria to eliminate or minimize the possibility of unauthorized access to protected health information.
4. Employ physical safeguards as determined by risk analysis, such as locating workstations in controlled access areas or installing covers or enclosures.
5. Use automatic screen savers with passwords to protect unattended machines.

d. Facility access controls must be implemented to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. Local policies and procedures must be developed to address the following facility access control requirements:

1. Contingency Operations - Documented procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
2. Facility Security Plan - Documented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
3. Access Control and Validation - Documented procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
4. Maintenance Records - Documented policies and procedures to document repairs and modifications to the physical components of the facility which are related to security (for example, hardware, walls, doors, and locks).

 

E. Emergency Access:

a. Each entity is required to establish a mechanism to provide emergency access to systems and applications in the event that the assigned custodian or owner is unavailable during an emergency.

b. Procedures must be documented to address:

1. Authorization,
2. Implementation, and
3. Revocation

F. Equipment and Media Controls: The disposal of information must ensure the continued protection of Confidential and Internal Information. Each entity must develop and implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain Confidential and Internal Information into and out of a facility, and the movement of these items within the facility. The following specification must be addressed:

1. Information Disposal / Media Re-Use of:

a. Hard copy (paper and microfilm/fiche)
b. Magnetic media (floppy disks, hard drives, zip disks, etc.) and
c. CD ROM Disks

2. Accountability: Each entity must maintain a record of the movements of hardware and electronic media and any person responsible therefore.

3. Data Backup and Storage: When needed, create a retrievable, exact copy of electronic Confidential and Internal Information before movement of equipment.

G. Other Media Controls:

1. Confidential Information stored on external media (diskettes, cd-roms, portable storage, memory sticks, etc.) must be protected from theft and unauthorized access. Such media must be appropriately labeled so as to identify it as Confidential Information. Further, external media containing Confidential Information must never be left unattended in unsecured areas.

2. Confidential Information must never be stored on mobile computing devices (laptops, personal digital assistants (PDA), smart phones, tablet PCs, etc.) unless the devices have the following minimum security requirements implemented:

a. Power-on passwords
b. Auto logoff or screen saver with password
c. Encryption of stored data or other acceptable safeguards approved by the Information Security Officer

Further, mobile computing devices must never be left unattended in unsecured areas.

3. If Confidential Information is stored on external medium or mobile computing devices and there is a breach of confidentiality as a result, then the owner of the medium/device will be held personally accountable and is subject to the terms and conditions of Systems Plus College Foundation Information Security Policies and Confidentiality Statement signed as a condition of employment or affiliation with Systems Plus College Foundation.

H. Data Transfer/Printing:

1. Electronic Mass Data Transfers: Downloading and uploading Confidential and Internal Information between systems must be strictly controlled. Requests for mass downloads of, or individual requests for, information for research purposes that include Systems Plus College Foundation must be approved. All other mass downloads of information must be approved by the Application Owner and include only the minimum amount of information necessary to fulfill the request. Applicable Business Associate Agreements must be in place when transferring Confidential and Internal Information to external entities.

2. Other Electronic Data Transfers and Printing: Confidential and Internal Information must be stored in a manner inaccessible to unauthorized individuals. Confidential information must not be downloaded, copied or printed indiscriminately or left unattended and open to compromise. Confidential and Internal Information that is downloaded for educational purposes should, where possible, be de-identified before use.

I. Oral Communications: Systems Plus College Foundation staff should be aware of their surroundings when discussing Confidential Information. This includes the use of cellular telephones in public areas. Systems Plus College Foundation staff should not discuss Confidential Information in public areas if the information can be overheard. Caution should be used when conducting conversations in: semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.

J. Audit Controls: Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use Confidential Information must be implemented. Further, procedures must be implemented to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These reviews must be documented and maintained for six (6) years.

K. Evaluation: Systems Plus College Foundation requires that periodic technical and non-technical evaluations be performed in response to environmental or operational changes affecting the security of electronic Confidential and Internal Information to ensure its continued protection.

 

L. Contingency Plan: Controls must ensure that Systems Plus College Foundation can recover from any damage to computer equipment or files within a reasonable period of time. Each entity is required to develop and maintain a plan for responding to a system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain Confidential or Internal Information. This will include developing policies and procedures to address the following:

1. Data Backup Plan:

a. A data backup plan must be documented and routinely updated to create and maintain, for a specific period of time, retrievable exact copies of information.
b. Backup data must be stored in an off-site location and protected from physical damage.
c. Backup data must be afforded the same level of protection as the original data.

2. Disaster Recovery Plan: A disaster recovery plan must be developed and documented which contains a process enabling the entity to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.

3. Emergency Mode Operation Plan: A plan must be developed and documented which contains a process enabling the entity to continue to operate in the event of fire, vandalism, natural disaster, or system failure.

4. Testing and Revision Procedures: Procedures should be developed and documented requiring periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary.

5. Applications and Data Criticality Analysis: The criticality of specific applications and data in support of other contingency plan components must be assessed and documented.

 

Compliance

A. The Information Security Policy applies to all users of Systems Plus College Foundation information including: employees, medical staff, students, volunteers, and outside affiliates. Failure to comply with Information Security Policies and Standards by employees, medical staff, volunteers, and outside affiliates may result in disciplinary action up to and including dismissal in accordance with applicable Systems Plus College Foundation procedures, or, in the case of outside affiliates, termination of the affiliation. Failure to comply with Information Security Policies and Standards by students may constitute grounds for corrective action in accordance with Systems Plus College Foundation procedures. Further, penalties associated with state and federal laws may apply.

B. Possible disciplinary/corrective action may be instituted for, but is not limited to, the following:

1. Unauthorized disclosure of a sign-on code (user id) or password.
2. Attempting to obtain a sign-on code or password that belongs to another person.
3. Using or attempting to use another person's sign-on code or password.
4. Unauthorized use of an authorized password to invade patient privacy by examining records or information for which there has been no request for review.
5. Installing or using unlicensed software on Systems Plus College Foundation computers.
6. The intentional unauthorized destruction of Systems Plus College Foundation information.
7. Attempting to get access to sign-on codes for purposes other than official business, including completing fraudulent documentation to gain access.

 

ATTACHMENT 1 - Password Control Standards

The Systems Plus College Foundation Information Security Policy requires the use of strictly controlled passwords for protected systems. (See Systems Plus College Foundation Information Security Policy for definition of these protected classes of information.) Listed below are the minimum standards that must be implemented in order to ensure the effectiveness of password controls.

Standards for accessing protected systems / network / portal: Users are responsible for complying with the following password standards:

1. Passwords must never be shared with another person, unless the person is a designated security manager.
2. Every password must, where possible, be changed regularly (between 45 and 90 days depending on the sensitivity of the information being accessed).
3. Passwords must, where possible, have a minimum length of six characters.
4. Passwords must never be saved when prompted by any application with the exception of central single sign-on (SSO) systems. This feature should be disabled in all applicable systems.
5. Passwords must not be programmed into a PC or recorded anywhere that someone may find and use them.
6. When creating a password, it is important not to use words that can be found in dictionaries or words that are easily guessed due to their association with the user (i.e. children's names, pets' names, birthdays, etc.). A combination of alpha and numeric characters is more difficult to guess.

Where possible, system software must enforce the following password standards:

1. Passwords routed over a network must be encrypted.
2. Passwords must be entered in a non-display field.
3. System software must enforce the changing of passwords and the minimum length.
4. System software must disable the user identification code when more than three consecutive invalid passwords are given within a 15 minute timeframe. Lockout time must be set at a minimum of 30 minutes.
5. System software must maintain a history of previous passwords and prevent their reuse.
