The City of New York




The Policy

All passwords and personal identification numbers (PINs) used to protect City of New York systems shall be appropriately configured, periodically changed, and issued for individual use.

Scope

This policy applies to all internal City of New York systems. Internal systems are those which reside directly on Citynet or on a City agency's internal network and are not Internet facing. DoITT-approved VPN (virtual private network) and remote access are also considered internal. The password policy governing public accounts which are accessed via the Internet is covered separately by the External Account (TBD).

General Requirements

1) Passwords and PINs:
   - Must never be shared or displayed on screen.
   - Must be classified and handled as City of New York PRIVATE data.
   - Must be changed when there is any indication of system or password compromise.

2) A password-protected screen lock must be activated within fifteen minutes of user inactivity.

3) Passwords used by a person on City of New York systems should be different from any passwords used by the same person on non-City of New York systems (for example, on accounts used on social networking, e-commerce and other personal online sites). In the event that a personal (non-City) account password is compromised, this reduces the risk to City systems.

Encryption and Hashing

4) Passwords and PINs:
   - Must be encrypted when transmitted electronically, using a protocol which is compliant with the Citywide Encryption Standard.
   - Must be encrypted or hashed when held in storage.
   - When embedded in configuration files, source code or scripts, must be either encrypted or secured with compensating controls which provide a comparable level of protection.

Password/PIN Changes

5) A user wishing to change his/her password/PIN must be positively identified by demonstrating knowledge of the current password/PIN or by other comparable methods.

Password/PIN Delivery

6) Passwords must be delivered securely to the recipient (authorized user) with an approved transmission method. Although passwords and PINs must never be shared, initial passwords may be delivered to the recipient's manager. In all cases, the recipient or manager must be positively identified before the password is delivered.

PUBLIC- use pursuant to City of New York guidelines Page 1 of 5

Account Lockout

7) All accounts which provide access to SENSITIVE, PRIVATE or CONFIDENTIAL information must be automatically disabled after a maximum of five (5) sequential invalid login attempts within a fifteen (15) minute period. After being disabled, the account must remain locked out for a minimum of fifteen (15) minutes.

Password/PIN Format, Length and Complexity

8) PINs may only be used where a numeric method of authentication is required, such as a telephone keypad. In all other cases, passwords or pass-phrases must be used for authentication.

9) Passwords and PINs must have a minimum length of eight (8) characters, with the exception of voice mail systems and BlackBerry and PDA devices issued by the City, which must use a password or PIN of at least four (4) alphanumeric characters.

10) Passwords must be constructed using at least one alphabetic character and at least one character which is either numeric or a special character:

   Passwords must contain                      Examples
   At least one alphabetic character           Aa Bb Cc ... Zz (lower or upper case)
   and at least one numeric character          0 1 2 3 4 5 6 7 8 9
   or special character                        { } [ ] , . < > ; : ? / \ ` ~ ! @ # $ % ^ & * ( ) _ - + =

11) Passwords must not be derived from easily guessed, common words or phrases such as those found in dictionaries (English and non-English), nor should they be constructed from user IDs, proper names or other names, words, numbers or dates readily associated with the individual user (e.g., telephone extension, Social Security number, or zip code).

Login Account Types

12) Three types of login accounts are defined in Citywide Information Security Policy:

   User Accounts: for use by individuals, often referred to as end-users.
   Administrative Accounts: also for use by individuals, but carrying an elevated degree of privilege (e.g., root). They are intended for use solely by authorized IT personnel for performing such tasks as managing systems and User Accounts, and for performing password resets.
   Service Accounts: intended for use solely by automated processes for logging into systems to access resources or perform tasks.

Password/PIN Expiration and Re-use

13) Temporary or initial User Account passwords and PINs must be set to expire after initial use. Default passwords and PINs must be changed immediately upon completion of the installation process and/or first login. If a user is not prompted to change a temporary or initial password or PIN, the account may have been inappropriately accessed and he/she should contact the Citywide Service Desk immediately.

14) Additional password/PIN expiration requirements and related guidelines and restrictions are provided in the following table for the three account types defined in point 12.

   Expiration
   - User Accounts: passwords and/or PINs must expire at least every 90 days.
   - Administrative Accounts: passwords must expire at least every 90 days.
   - Service Accounts: passwords must expire at least every 90 days.

   Knowledge of the password
   - Service Accounts: must be known only by a limited number of staff on a need-to-know basis. The names of staff who know the password for any Service Account must be documented, and the list of names/service accounts must be kept current.

   Login source
   - Administrative Accounts: should be restricted to logging in from specified IP addresses.
   - Service Accounts: must be restricted to logging in from specified IP addresses.

   Staff changes
   - Administrative and Service Accounts: when a staff member who knows the password leaves the City or changes his/her job function, that password must be changed.

   Exceptions
   - User Accounts: no exceptions.
   - Administrative and Service Accounts need not expire provided they meet the following requirements. Administrative accounts must (a) use two-factor authentication AND (b) have a password that is either randomly generated or highly complex. Service accounts must (a) have a password with a minimum length of 15 characters AND (b) have a password that is either randomly generated or highly complex. Where feasible, the use of password management software and/or certificate-based authentication is recommended as an additional control for non-expiring Administrative and Service Accounts.

15) Passwords and PINs must not be reused for four (4) iterations.

16) Agency security administrators shall have the ability to reset all passwords where proper authorization and audit trails are in place.

Policy Enforcement
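The format, dictionary and re-use rules in items 9, 10, 11 and 15, with the hashed-storage rule of item 4, implemented as one checker. This is an added example and not City of New York code: the word list, the user record and the password history are constructed stand-ins, and salted PBKDF2-HMAC-SHA256 is an assumed hashing choice (the policy only requires that stored passwords be encrypted or hashed).

```python
"""Checks a candidate password against items 4, 9, 10, 11 and 15 of the policy above.

Added example, not City of New York code. The dictionary, the user record
and the password history below are constructed stand-ins.
"""
import hashlib
import hmac
import os
import re
import string

SPECIAL = set("{}[],.<>;:?/\\`~!@#$%^&*()_-+=")  # the special characters listed in item 10
MIN_LENGTH = 8                 # item 9, general systems
MIN_LENGTH_NUMERIC_DEVICE = 4  # item 9, voice mail and City-issued handheld devices
HISTORY_DEPTH = 4              # item 15: no reuse for four iterations
PBKDF2_ROUNDS = 100_000        # assumed; the policy only requires hashing (item 4)

# Constructed stand-in for the multi-language dictionaries item 11 refers to.
DICTIONARY = {"password", "welcome", "summer", "newyork", "bonjour", "letmein"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 so stored history never holds plaintext (item 4)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_history(password, history):
    """True if the password equals any of the last HISTORY_DEPTH stored (salt, digest) pairs."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def user_derived_tokens(user):
    """Strings a password must not be built from (item 11): user ID, names,
    extension, zip code and similar. 'Jane Q. Doe' yields 'jane' and 'doe';
    fragments shorter than three characters are ignored to avoid noise."""
    tokens = set()
    for value in user.values():
        for part in re.split(r"[^0-9a-z]+", str(value).lower()):
            if len(part) >= 3:
                tokens.add(part)
    return tokens


def check_password(password, user, history=(), numeric_device=False):
    """Return the list of policy violations; an empty list means the password complies."""
    problems = []
    lowered = password.lower()

    minimum = MIN_LENGTH_NUMERIC_DEVICE if numeric_device else MIN_LENGTH
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters (item 9)")

    if not numeric_device:  # keypad PINs are numeric by definition (item 8)
        has_alpha = any(c.isalpha() for c in password)
        has_digit_or_special = any(c.isdigit() or c in SPECIAL for c in password)
        if not (has_alpha and has_digit_or_special):
            problems.append("needs a letter plus a digit or special character (item 10)")

    # Item 11, dictionary words: also catch 'Welcome1!' style padding by stripping
    # digits and special characters from both ends before the lookup.
    core = lowered.strip(string.digits + "".join(SPECIAL))
    if lowered in DICTIONARY or core in DICTIONARY:
        problems.append("based on a dictionary word (item 11)")

    # Item 11, user-associated values: forbid them forwards and reversed.
    hits = sorted(t for t in user_derived_tokens(user) if t in lowered or t[::-1] in lowered)
    if hits:
        problems.append(f"derived from user attributes {hits} (item 11)")

    if matches_history(password, history):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords (item 15)")
    return problems


if __name__ == "__main__":
    # Constructed user record; none of these values are real.
    user = {"user_id": "jdoe", "name": "Jane Doe", "extension": "5551234", "zip": "10007"}
    for candidate in ("Jdoe2014", "Welcome1!", "Ab1", "Tr!b3ca-Ferry"):
        print(candidate, "->", check_password(candidate, user) or "compliant")
```

The history check re-derives each stored hash with its own salt and compares in constant time, so the last four passwords never need to be kept in recoverable form; the same checker can be run offline over candidate lists as the weak-password sweep that item 17 describes.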

17) Where possible, the system must automate the enforcement of these requirements. Where this is not possible, equivalent controls must be established through alternative methods or procedures. For example, as an alternative to enforcing password complexity, the administrator could periodically use tools to detect weak passwords and require users with weak passwords to change them.

18) Agencies may implement controls more stringent than those specified in this policy.
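The lockout rule of item 7 (five sequential invalid attempts within fifteen minutes, then locked for at least fifteen minutes), automated in the login path as item 17 requires. This is an added example, not City of New York code. The clock is passed in as epoch seconds so the logic runs offline, and one assumption goes beyond the policy text: while an account is locked, the submitted credential is not evaluated at all, so a guess made during the lockout reveals nothing about whether it was right.

```python
"""Account lockout per item 7 of the policy above.

Added example, not City of New York code. Time is supplied by the caller
as epoch seconds so the behaviour can be exercised without waiting.
"""
from collections import deque

MAX_FAILURES = 5            # item 7: five sequential invalid attempts
WINDOW_SECONDS = 15 * 60    # item 7: counted within a fifteen-minute period
LOCKOUT_SECONDS = 15 * 60   # item 7: locked for a minimum of fifteen minutes


class LockoutTracker:
    def __init__(self):
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now < until:
            return True
        # Lock has expired: clear it together with the failure history.
        del self._locked_until[account]
        self._failures.pop(account, None)
        return False

    def record_failure(self, account, now):
        """Count a failed attempt; return True if the account is now locked."""
        if self.is_locked(account, now):
            return True
        attempts = self._failures.setdefault(account, deque())
        attempts.append(now)
        # Only failures inside the fifteen-minute window count towards the five.
        while attempts and now - attempts[0] > WINDOW_SECONDS:
            attempts.popleft()
        if len(attempts) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account, now):
        """A valid login ends the sequence of failures ('sequential' in item 7)."""
        self._failures.pop(account, None)

    def attempt(self, account, credential_ok, now):
        """Single entry point for the login path. Returns 'locked', 'ok' or 'denied'.
        Assumption: while locked, the credential is not evaluated, so the caller
        must check is_locked() before verifying the password, not after."""
        if self.is_locked(account, now):
            return "locked"
        if credential_ok:
            self.record_success(account, now)
            return "ok"
        return "locked" if self.record_failure(account, now) else "denied"


if __name__ == "__main__":
    tracker = LockoutTracker()
    t0 = 1_700_000_000
    for i in range(5):
        print(i + 1, tracker.attempt("jdoe", False, t0 + i * 60))   # fifth prints 'locked'
    print("correct password during lockout:", tracker.attempt("jdoe", True, t0 + 10 * 60))
    print("after the lock expires:", tracker.attempt("jdoe", True, t0 + 4 * 60 + 15 * 60))
```

Failures are kept as timestamps rather than a bare counter so that five attempts spread across an hour do not trigger the lock, while five inside fifteen minutes do; the same structure makes the per-account state small enough to hold in memory or a cache for every account in the directory.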

Document Revision History

Dates listed: May 5, 2010; June 16, 2011; Aug 3, 2011; November 29, 2012; Sept. 9, 2014.

Version 1.4: Page 1, paragraph 2: passwords and PINs were incorrectly classified as CONFIDENTIAL; changed to PRIVATE. Updated header with new NYC logo and added this revision history table to the document.

Version 1.5: Major changes in document organization and formatting. New content added (bullets 11, 13 and 15).

Version 1.6: Added the following text: "Passwords used by a person on City of New York systems should be different from any passwords used by the same person on non-City of New York systems (for example, on accounts used on social networking, ecommerce and other personal online sites). In the event that a personal (non-City) account password is compromised, this reduces the risk to City systems."

Version 1.7 (Sept. 9, 2014): Policy review and minor formatting updates.