Network Password Management Policy & Procedures


Network Password Management Policy & Procedures

Document Control Information
Document Ref: ISO 27001 Section 11
Issue No: Version 1.3
Issue Date: April 2009, June 2010, September 2011
Status: FINAL
Approved By: ICT Control Environment Group
Next Review Date: September 2012
Author: Janette Pashley
Service: Business Change & Process Management
Distribution: ICTCE Group; ICT Liaison Group; ICT Service (Iain Bowie & Pam Plant); Internal Audit Service (Andrew Metcalfe); Human Resources (Vyvian Lewis)
Protective Marking: Not Protectively Marked

CONTENTS

1. Policy Statement
2. Purpose
3. Scope
4. Definition
5. Risks
6. Applying the Policy
   6.1 Choosing a Password
   6.2 Password Construction
   6.3 Password Protection
   6.4 How do I change my Network Password?
   6.5 What do I do if I am locked out of my PC or have forgotten my password?
7. Roles and Responsibilities
8. Policy Compliance
9. Review
10. Associated References
11. Change History

Key Messages

- All users must use strong passwords.
- Passwords must be protected at all times and must be changed at least every 90 days.
- User access rights must be reviewed at regular intervals.
- It is a user's responsibility to prevent their user ID (LID) and password being used to gain unauthorised access to Council systems.
- Partner agencies or 3rd party suppliers must not be given details of how to access the Council's network without permission from the Corporate Information Manager and the Head of Business Change & Performance Management.

1. Policy Statement

1.1 In order to strengthen the security and confidentiality of information, the Council has established specific requirements for protecting information and information systems against unauthorised access.

2. Purpose

2.1 Information security is the protection of information against accidental or malicious disclosure, modification or destruction. Information is an important, valuable asset of Calderdale Council which must be managed with care. All information has a value to the Council; however, not all of this information has an equal value or requires the same level of protection.

2.2 Access controls are put in place to protect information by controlling who has the rights to use different information resources and by guarding against unauthorised use.

2.3 The management and security of passwords is an important element in protecting against unauthorised access to Council information systems.

2.4 The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

3. Scope

3.1 Passwords are used to protect all information systems. Users must be aware that all system authentication credentials assigned to them are for their own use. Authentication credentials must not be shared or disclosed to any third party, other than authorised system support personnel.

3.2 This policy applies to all Councillors, Committees, Departments, Partners, Council employees, contractual third parties and agents of the Council who use Calderdale Council provided ICT facilities and equipment, or have access to, or custody of, Calderdale Council information.

3.3 All users must understand and adopt this policy and are responsible for ensuring the safety and security of the Council's systems, information and data that they use.

3.4 All users have a role to play and a contribution to make to the safe and secure use of technology and the information/data that it holds.

4. Definition

4.1 Access control rules and procedures are required to regulate who can access Calderdale Council information resources or systems and the associated access privileges. This policy applies at all times and should be adhered to whenever accessing the Council's information in any format, and on any device.

5. Risks

5.1 Calderdale MBC recognises that there are risks associated with users accessing Council systems in order to conduct official Council business.

5.2 Passwords are an important aspect of computer system security. They are the first line of protection for user accounts. A poorly chosen password may result in a potentially serious breach in network and systems security, resulting in:

- Loss or exposure of sensitive data.
- Compromise of the system and/or other network systems.

5.3 Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers.

6. Applying the Policy

6.1 Choosing Passwords

6.1.1 Passwords are the first line of defence for our ICT systems and, together with the user ID (LID), help to establish that people are who they claim to be.

6.1.2 A poorly chosen or misused password is a security risk and may impact upon the confidentiality, integrity or availability of the Council's computers and systems.

6.2 Password Construction

6.2.1 Strong passwords MUST have a minimum of seven characters and consist of characters from three of the following groups:

Group                                                        Examples
Uppercase characters                                         A, B, C ...
Lowercase characters                                         a, b, c ...
Numerals                                                     0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Symbols (all characters not defined as letters or numerals)  ! $ % ^ & * ( ) _ + - = { } [ ] : @ ~ ; # < > ? \ , . /

6.2.2 Passwords must never be written down or stored on the computer. Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation or other phrase. For example, the phrase might be "This May Be One Way To Remember", and the password could be "TmB1w2R" or "TmB1W(R)", or a variation following the guidelines above. NOTE: Do not use either of these examples as passwords!

6.2.3 Passwords must be changed every 90 days, and the same password cannot be re-used within 20 password changes.

6.3 Password Protection

6.3.1 Passwords are effective only if they remain undisclosed to other people, are changed regularly and are sufficiently complex to make them difficult to crack.

6.3.2 The guidance below constitutes good password management by each individual, designed to protect themselves and the Council's data. An important objective when choosing a password is to make it as difficult as possible for a would-be intruder to make educated guesses about what you have chosen. To protect your passwords:

- Never share your Council passwords with anyone, including administrative staff or secretaries.
- Do not use your Council passwords for non-Council accounts.
- Don't use your user ID (LID number) to form part of your password.
- Don't use your first or last name, or your spouse's/partner's/child's or pet's name, to form part of your password.
- Don't use other information easily obtained about you, for example licence plate numbers, telephone numbers, social security numbers, the brand of your vehicle, the name of the street you live on, etc.
- Don't reveal a password over the telephone or in an email message.
- Don't talk about, hint at or reveal a password in front of others or to co-workers, or on questionnaires or security forms.
- Don't use the "Remember Password" feature of applications, e.g. web browsers, Outlook etc.
- Don't write passwords down and store them in your office or in a file on ANY computer system (including mobile equipment, e.g. laptops, USB memory sticks, CDs).
- Do not send user IDs and password notifications via email.
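The construction rule in 6.2.1 (seven characters, three of four character groups), the re-use rule in 6.2.3 (not within the last 20 changes) and the "don't build it from your LID or a name" guidance in 6.3.2 can all be checked mechanically at the point a new password is proposed. The Python below is an added example written for this page; it is not part of the Council's policy or of any system it refers to. The sample user record, its names and every password in it are constructed, and the history store (salted PBKDF2 hashes kept in a fixed-length queue, with a deliberately low round count so the example runs quickly) is an illustrative design, not a description of how the Council's network enforces the rule.

```python
"""Password acceptance checks modelled on policy sections 6.2.1, 6.2.3 and 6.3.2.

Added example for this page. The user record, names and passwords below are
constructed; the history store is an illustrative design only.
"""
import hashlib
import hmac
import os
import string
from collections import deque

MIN_LENGTH = 7          # 6.2.1: minimum of seven characters
MIN_GROUPS = 3          # 6.2.1: characters from three of the four groups
HISTORY_DEPTH = 20      # 6.2.3: no re-use within 20 password changes
PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly; use far more in production

# Constructed sample user (not from the policy): the LID and names that 6.3.2
# says must not form part of the password.
SAMPLE_USER = {"lid": "L123456", "names": ["Alex", "Other", "Rex"]}


def character_groups(password):
    """Return the set of 6.2.1 character groups present in the password."""
    groups = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            groups.add("upper")
        elif ch in string.ascii_lowercase:
            groups.add("lower")
        elif ch in string.digits:
            groups.add("digit")
        else:
            # 6.2.1 defines symbols as "all characters not defined as letters or numerals"
            groups.add("symbol")
    return groups


def check_construction(password):
    """6.2.1: list the construction rules the password breaks (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    groups = character_groups(password)
    if len(groups) < MIN_GROUPS:
        problems.append(f"uses only {len(groups)} of 4 character groups ({MIN_GROUPS} required)")
    return problems


def check_personal(password, user):
    """6.3.2: the LID and names linked to the user must not form part of the password."""
    lowered = password.lower()   # compare case-insensitively: 'l123456' is still the LID
    problems = []
    if user["lid"].lower() in lowered:
        problems.append("contains the user ID (LID)")
    for name in user["names"]:
        if len(name) >= 3 and name.lower() in lowered:
            problems.append(f"contains the name '{name}'")
    return problems


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted hashes of the last HISTORY_DEPTH passwords; plaintext is never kept."""

    def __init__(self, depth=HISTORY_DEPTH):
        self._entries = deque(maxlen=depth)   # the oldest entry drops off automatically

    def contains(self, password):
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password):
        salt = os.urandom(16)                 # fresh salt per entry
        self._entries.append((salt, _digest(password, salt)))


def evaluate(password, user, history):
    """All reasons a proposed password would be refused (empty list = accepted)."""
    problems = check_construction(password) + check_personal(password, user)
    if history.contains(password):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


def change_password(password, user, history):
    """Apply the checks; on success record the new password in the history."""
    problems = evaluate(password, user, history)
    if not problems:
        history.record(password)
    return (not problems, problems)


if __name__ == "__main__":
    history = PasswordHistory()
    # The two illustrations from 6.2.2, a re-use of the first, a LID-based attempt, and a two-group password.
    for candidate in ["TmB1w2R", "TmB1W(R)", "TmB1w2R", "l123456!x", "password1"]:
        ok, why = change_password(candidate, SAMPLE_USER, history)
        print(f"{candidate!r}: {'accepted' if ok else 'refused: ' + '; '.join(why)}")
```

Two points worth noting from the code. First, the history is compared by re-deriving each stored entry's salted hash, so the store never holds old passwords in clear, which is what 6.2.2 and 6.3.2 demand of users and should equally be demanded of the system. Second, the 6.3.2 name check is a plain substring test and therefore only catches the literal name; a user who writes "R3x" defeats it, which is why the policy still relies on the guidance being understood rather than on the check alone.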

Where temporary staff are required to have access to systems, upon service authorisation they will be issued with their own ID and password. Once the temporary staff member has left the Council, ICT Service MUST be notified so that the access can be deleted.

If you suspect or have reason to believe that your account or password has been compromised, change it immediately and report this to your Head of Service.

6.4 How do I Change my Network Password?

6.4.1 You are required to change your password every 90 days; from 14 days before the password is due to expire, a reminder will appear at log on.

6.4.2 Before the password expiry date, think about what password you intend to use (see section 6.2 above, Password Construction, for guidance).

6.4.3 If you suspect another user knows your password you must change it immediately.

a) To change your password, press Ctrl + Alt + Delete and choose the option Change Password; the following dialog will appear:
[Screenshot: Change Password dialog]
b) Enter your current password (Old Password), then enter your New Password, confirm it in the Confirm New Password box and select OK to connect to the network.

6.5 What do I do if I am locked out of my PC or have forgotten my Password?

a) A user may become locked out of their computer (because they have entered an incorrect password more than five consecutive times) or may have forgotten their password.
b) The unlocking of the account and/or resetting of a user's password can only be carried out after receipt of authorisation from their line manager.
c) Your line manager will have to e-mail the ICT Service Desk (icthelpdesk@calderdale.gov.uk) giving the name of the user, their LID and extension number, and whether the account is to be unlocked (should the user remember their password) or reset.
d) Failure to supply any of the above information could result in delays with the user regaining access.
e) Where a password reset is required, the user will be informed by the ICT Service Helpdesk, by telephone, of their new password. NOTE: The user should change their password to one of their own choice immediately after the reset.

7. Roles and Responsibilities

7.1 Procedures have been established in 6.1 to 6.5 above to provide guidance on all user access to Council systems.

a) The Chief Executive has ultimate responsibility for compliance with this policy.
b) The ICTCE Group is responsible for detailing and reviewing the procedures in respect of password management controls.
c) Heads of Service and Service Managers are responsible for ensuring that their staff clearly understand and adhere to this policy and receive training to help maintain the security and confidentiality of information, and for being the first line of contact if an account or password is suspected to have been compromised.
d) All employees, contractors and third party users are required to adhere to the policy's principles and procedures.
e) The Democratic & Partnership Services Corporate Information Manager is responsible for:
- Reporting loss of sensitive personal data to the Information Commissioner.
- Providing a point of contact for the reporting of the loss of Council information/data.
f) The Head of Business Change & Performance Management - ICT Services is responsible for:
- Monitoring the ICT infrastructure.
- Dealing with user access controls following notifications from Heads of Service or Service Managers.
- Reporting relevant security breaches to GovCertUK and the Local Authority WARP (Warning, Advice and Reporting Point).
g) The Head of Human Resources is responsible for:
- Providing advice to Council management in respect of disciplinary matters where it is suspected that the Council's policies have been breached.
- Detailing and reviewing the procedure in respect of the ICTCE Code of Practice.
h) The Assistant Head of Finance (Internal Audit, LMS, Insurance and Risk Management) is responsible for:
- Carrying out a preliminary investigation into reported incidents involving misuse, fraud and corruption of Council ICT equipment and information/data.
- Subject to reaching a satisfactory conclusion, authorising any forensic investigation process.
- Providing a point of contact for the reporting of potential misuse, fraud and corruption.

8. Policy Compliance

8.1 It will be a breach of this policy for any user to misuse their [or other users'] authentication credentials. If any such misuse results in a user knowingly elevating their system privileges above those that they have been authorised to use, this will be considered an act of gross misconduct.

8.2 If you do not understand the implications of this policy or how it may apply to you, seek advice from the Head of Business Change and Performance Management - ICT Service.

9. Review

The ICT Control Environment is the owner of this document and is responsible for ensuring that it is reviewed on a yearly basis. The current version of this document and related documents is published on the corporate intranet and available to all members of staff. This document was approved by the ICT Control Environment on 20th September 2011 and is issued on a version controlled basis.

10. Associated References

The following Calderdale documents are directly relevant to this policy:
- Policy on Internet & E-mail Usage
- ICT Code of Practice for Employees
- ICTCE Standard on the Download of Software
- Remote and Mobile Working Device Policy
- Physical & Environmental Security Policy
- ICT Information Security Incident Reporting Procedure: Reporting the loss of laptops, BlackBerrys and personal data
- ICT Information Security Incident Management Procedures
- Information Governance Incident Reporting - Breach of Non-Technical Data
- Anti Fraud & Corruption Standards & Rules
- Whistle Blowing Policy
- Data Protection Policy
- Information Protective Marking Policy
- Guide to Using the Government Protective Marking Scheme

11. Change History

Rev   Rev Date    Rev By       Issue Date        Description
1.0               J. Pashley   17th March 2009   Amendments made by Internal Audit before submission
1.2   June 2010   J. Pashley   June 2010         Slight amendments added to achieve layout consistency
1.3   July 2011   J. Pashley   September 2011    Minor word changes to section 6.3.2