Password regulations for Karolinska Institutet




Password regulations for Karolinska Institutet
Dnr 1-213/2015
Version 2.0
Applicable from 2015-05-18

Password regulations for Karolinska Institutet - Summary

Purpose

The main purpose of these regulations is to keep Karolinska Institutet's password-protected information systems safe from unauthorised use and to define the lowest quality and security requirements for password management at Karolinska Institutet.

Summary

The following rules (in summary) for password management apply to all IT services and systems (applications) at Karolinska Institutet.

- Passwords are personal and may not be disclosed to anyone else
- Passwords must be at least ten characters long (1)
- Passwords must contain letters, numbers and special characters
- Passwords may not be tied to personal information, such as name, civic registration number, phone number or username
- Passwords are to be changed every six months (2)
- Passwords may not be reused outside KI

For more detailed descriptions of Karolinska Institutet's password regulations, please read this entire document, which defines responsibilities, strategies, requirements and implementation rules for passwords at Karolinska Institutet.

Publisher: Karolinska Institutet, Universitetsförvaltningen
Version: 2.0
Contact: it-support@ki.se

(1) Other requirements apply to accounts that are not personal user accounts
(2) See note 1

Karolinska Institutet's password regulations

Purpose

The main purpose of these regulations is to keep Karolinska Institutet's password-protected information systems safe from unauthorised use and to define the lowest quality and security requirements for password management at Karolinska Institutet.

Responsibilities

Compliance

As a user of Karolinska Institutet's information systems you are responsible for ensuring that
- your passwords meet the quality and management criteria set out in these regulations
- your user accounts, passwords and codes are kept personal and used exclusively by you
- your passwords are kept secret
- you never disclose your passwords to anyone requesting them, whether it be by email, phone or otherwise.

For systems integrated to Karolinska Institutet's central login and authentication service (Webbinloggning, LDAP and Active Directory), system support for compliance with these regulations is available. For systems with their own password management function, compliance with these regulations is the responsibility of the system owner.

Strategies

All information systems (applications) are to be integrated to Karolinska Institutet's central login and authentication service unless exceptional reasons dictate otherwise. Karolinska Institutet's central login and authentication service includes technical support for good password quality and safe password management.

Every user has a user ID and password for logging in to Karolinska Institutet's IT services; for some IT services, the user might have one or more additional user IDs/passwords. There might also be system-specific passwords. All passwords used at Karolinska Institutet must at least meet the demands for password quality defined in these regulations.

Two-factor authentication (2FA) must be used to access IT services or systems (applications) classified as particularly sensitive or confidential. If 2FA is used, exceptions may be made to these regulations, although a risk analysis and documentation must be made per system, service or application that implements 2FA.

Scope

The password management regulations apply to all IT services and systems (applications) at Karolinska Institutet.

Password regulations

Personal user account

Passwords must:
- be at least 10 characters long
- be sufficiently strong, i.e. composed of the following:
  o A-Z (note: not the Scandinavian vowels Å, Ä, Ö, etc.)
  o a-z (note: not the Scandinavian vowels å, ä, ö, etc.)
  o 0-9
  o blank spaces
  o special characters: ~, !, @, #, $, %, ^, &, (, ), _, +, -, *, /, =, {, }, [, ], \, :, ;, ' (single quote mark), " (double quote mark), <, >, , (comma), . (full stop) and ?
- contain at least two alphabetical characters and either at least two special characters or a number
- not be the same as any of your past 24 passwords
- remain unchanged for at least one day
- not be composed of an easily guessed word or of common passwords from so-called word lists
- be changed within:
  o 6 months for employees, affiliates and doctoral students
  o 12 months for students

A reminder will be sent by email to the registered user of the account when it is time to change his or her password.

It is prohibited to reuse the password for your KI username for anything other than KI services (e.g. Facebook, public email addresses or private use) and to use your KI email address for private purposes.

The above requirements apply to all identities in all IT services and systems (applications) at Karolinska Institutet. The following account types are subject to additional regulations.

Administrator accounts

All accounts with high access (administrator) rights are to be personal. Use of the general root/administrator account or the equivalent is only allowed in exceptional circumstances. Administrator accounts are subject to the following additional regulations:
- Passwords must be at least 15 characters long
- Passwords must be changed within 6 months

Service accounts

Service accounts are subject to the following additional regulations:
- Passwords must be at least 15 characters long
- Passwords must be changed every 12 months, and the change recorded in the system's management documentation.

Functional accounts

The primary use for a functional account is when multiple users need access to the same function, such as a shared e-mail address for a function such as registry@ki.se or it-support@ki.se. Access to the functional account should be delegated to the individual personal user accounts, so that full audit trails can be kept. There must not be any shared functional accounts/group accounts. If technical restraints make it impossible to delegate access, functional accounts adhere to the same regulations as service accounts.
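As an added illustration (not part of the KI document, and not KI's own login service code), the following Python check encodes the password-quality rules above for personal, administrator and service accounts: minimum length per account type, the permitted ASCII character set, the two-letters-plus-two-specials-or-a-digit rule, the ban on personal information, a word-list check, and a 24-entry history compared through salted hashes rather than stored plaintext. The word list, hash parameters and account-type names are assumptions made for the example.

```python
import hashlib
import string

# Minimum lengths stated in the regulations, per account type (names are ours).
MIN_LENGTH = {"personal": 10, "administrator": 15, "service": 15}
HISTORY_DEPTH = 24  # a new password may not match any of the past 24

# Permitted character classes. Letters are ASCII only: the regulations exclude
# the Scandinavian vowels (å, ä, ö). SPECIAL lists the characters the document names.
UPPER, LOWER, DIGITS = set(string.ascii_uppercase), set(string.ascii_lowercase), set(string.digits)
SPECIAL = set("~!@#$%^&*()_+-/={}[]\\:;'\"<>,.?")
ALLOWED = UPPER | LOWER | DIGITS | SPECIAL | {" "}

# Constructed stand-in for a word list of common passwords (assumption).
COMMON_WORDS = ("password", "qwerty", "letmein", "welcome")


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so password history can be kept without plaintext (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_password(candidate: str, account_type: str = "personal",
                   history=(), personal_info=()) -> list:
    """Return the rule violations for a proposed password (empty list = accepted).
    history: (salt, hash) pairs, newest first; personal_info: strings such as the
    username, name or phone number that the password may not be derived from."""
    problems = []
    if len(candidate) < MIN_LENGTH[account_type]:
        problems.append(f"shorter than {MIN_LENGTH[account_type]} characters")
    if not set(candidate) <= ALLOWED:
        problems.append("contains characters outside the permitted set")
    letters = sum(c in UPPER or c in LOWER for c in candidate)
    specials = sum(c in SPECIAL for c in candidate)
    digits = sum(c in DIGITS for c in candidate)
    if letters < 2 or not (specials >= 2 or digits >= 1):
        problems.append("needs at least two letters and two specials or a digit")
    lowered = candidate.lower()
    if any(info and info.lower() in lowered for info in personal_info):
        problems.append("derived from personal information")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word-list password")
    # History rule: hash the candidate with each stored salt and compare digests.
    for salt, digest in list(history)[:HISTORY_DEPTH]:
        if hash_password(candidate, salt) == digest:
            problems.append("matches one of the past 24 passwords")
            break
    return problems
```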

Password protection

Storage and transfer of passwords

To reduce the risk of unauthorised access to passwords, the following storage and transfer regulations must be observed:
- Passwords must always be stored and transferred in encrypted form.
- Passwords must never be presented in a readable format.
- Passwords may never be shared by email, phone, etc.
- IT staff with access to the computers and media on which passwords are stored must sign a special commitment of responsibility. An updated list of employees with these privileges must be kept by the organisation running the system.

Protection against net-based brute force attacks (rate limiting)

To reduce the risk of automated password guessing ("brute force attacks"), logins are to be protected by rate limiting, which prevents a hacker from attempting repeated password guesses in a short space of time. Karolinska Institutet's login service has the following settings:
- 30 incorrect guesses before the account is automatically locked.
- 30 minutes automatic account locking after the maximum number of incorrect guesses.
- The login counter is reset after a successful login or 60 minutes after the latest incorrect login attempt.

Exceptions

If a particular system that is not connected to KI's login service has technical reasons for not following the above regulations for password quality and protection, an exception must be approved by the system owner and recorded in the system's management documentation or the equivalent. Special consideration must also be given to access to data stored on other systems.

Control

The central IT department, ITA, reserves the right to regularly audit compliance with the KI password regulations.
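The lockout settings above, implemented as an added Python example for systems that run their own login and must match KI's login service; this is not KI's code. Timestamps are passed in explicitly so the rules can be exercised without a real clock, and the counter is read literally: it is cleared only by a successful login or 60 minutes after the latest failure, so it survives the 30-minute lock (an interpretation, since the document does not say otherwise).

```python
from dataclasses import dataclass, field

# Settings stated for Karolinska Institutet's login service.
MAX_FAILURES = 30        # incorrect guesses before the account is locked
LOCK_SECONDS = 30 * 60   # automatic lock duration
RESET_SECONDS = 60 * 60  # counter resets this long after the latest incorrect attempt


@dataclass
class LoginGuard:
    """Per-account failure counting and lockout. `now` is a timestamp in seconds."""
    failures: dict = field(default_factory=dict)      # account -> failed-attempt count
    last_failure: dict = field(default_factory=dict)  # account -> time of latest failure
    locked_until: dict = field(default_factory=dict)  # account -> lock expiry time

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0) > now

    def _reset_counter(self, account: str) -> None:
        self.failures.pop(account, None)
        self.last_failure.pop(account, None)

    def _expire_counter(self, account: str, now: float) -> None:
        # Rule: the counter is reset 60 minutes after the latest incorrect attempt.
        last = self.last_failure.get(account)
        if last is not None and now - last >= RESET_SECONDS:
            self._reset_counter(account)

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Record one login attempt and return 'locked', 'ok' or 'denied'.
        The caller has already verified the credential; while the account is
        locked the attempt is refused regardless and is not counted."""
        if self.is_locked(account, now):
            return "locked"
        self._expire_counter(account, now)
        if password_ok:
            # Rule: a successful login resets the counter.
            self._reset_counter(account)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        self.last_failure[account] = now
        if self.failures[account] >= MAX_FAILURES:
            # Rule: 30 incorrect guesses lock the account for 30 minutes.
            self.locked_until[account] = now + LOCK_SECONDS
            return "locked"
        return "denied"
```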

Definitions

Personal user account: a user identity linked to a unique person, which that person uses to access his or her personal resources, such as email and the applications/systems needed for his or her work.

Administrator account: a user account linked to a unique person, which that person uses to administrate a system resource that is not his or her own personal resource. All administrator accounts are to be personal. Administrator accounts can be set up for systems or servers, for example.

Service account: an account in which a subsystem or service is the user and which regulates which parts of another system the subsystem has access to. All service accounts are to be made unique to each system and restricted exclusively to the system for which they are intended. An example of a service account is when an application (e.g. a web service) uses its own database on another server.

Functional account: an account used for a shared function, for example the registry@ki.se or it-support@ki.se functions. The functional account is used to share an e-mail address between one or more regular personal accounts. The functional account doesn't have its own user ID or password; instead, access is granted to each personal user account that needs access to the functional account, while still providing full audit trails.

Password quality: Good password quality means that a password is long and complex enough to reduce the risk of being guessed by a hacker. Two factors determine how difficult a password is to guess: length and complexity.

Password protection: Safe password management means not only that passwords are kept secret by their users, but also that the login service protects them from unauthorised access and use.

Change of password: To reduce the risk of a hacker uncovering a password to Karolinska Institutet's IT and information systems, each user must regularly change his or her password within a fixed time interval.

Two factor/multifactor authentication (2FA/MFA): Login (authentication) using two or more distinct factors: something known (e.g. a password) and something possessed (e.g. a smart card or USB device).