e-governance Password Management Guidelines Draft 0.1


e-governance Password Management Guidelines Draft 0.1

DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY
Ministry of Communication and Information Technology, Government of India

Document Control

1. Document Title: egov Password Management Guidelines
2. Document Code: GL_eGov_AM
3. Date of Release:
4. Next Review Date:
5. Document Owner: DeitY
6. Document Author(s):
7. Document Reviewer:
8. Document Reference: PR_eGov_UAMP

Document Approval (columns: S. No. | Document Approver | Approver Designation | Approver E-mail ID)

Document Change History (columns: Version No. | Revision Date | Nature of Change | Date of Approval)

Document Classification: Internal

Table of Contents

1. INTRODUCTION
2. PURPOSE
3. SCOPE
4. PASSWORD MANAGEMENT & CONSTRUCTION
4.1. ACTIVE DIRECTORY ENVIRONMENT
4.2. UNIX SYSTEMS
4.3. PASSWORD ALLOCATION PROCESS
4.4. PASSWORD RESET PROCESS
4.5. PASSWORD MANAGEMENT GUIDELINES
4.6. E-SAFE RECOMMENDATION
4.7. ROLES AND RESPONSIBILITY

1. INTRODUCTION

Any compromise to the confidentiality, integrity or availability of e-gov networks, systems or information could impair e-gov service delivery. Adverse public exposure brought on by a compromise would damage e-gov's credibility across the country. Ensuring that e-gov departments and public data are kept secure is a vital element of e-gov's approach to security.

This document establishes the e-gov Password Management Guidelines to implement password controls, i.e. the e-gov Password Policy (refer to the e-gov Security Policy (esp)). The document outlines the requirements for creating and protecting passwords within the e-gov service delivery environment across states, ministries and departments.

Asset owners, i.e. department or application owners, must perform a risk assessment of the assets (application or data) held in the specific system to arrive at the criticality of the asset(s) (refer to the e-governance Security Standards Framework (esafe), section GD300 Risk Assessment: Guidelines for Information Security Risk Assessment and Management in an e-governance project). Accordingly, advanced security features can be implemented as control improvements (refer to e-safe GD 210: Guidelines for implementing chosen security controls). The last section of this document deals with control recommendations and improvements as per e-safe (e-governance Security Assurance Framework).

2. PURPOSE

The principal objective of this document is to provide general guidelines for the protection of passwords used by people who have privileged and non-privileged access to multiple servers, systems and applications. Care and maintenance of these passwords is imperative to ensure that computer accounts are not improperly accessed and e-gov information is not compromised, and thereby to mitigate the associated risks. Compliance with these guidelines will help departments comply with the e-Gov Password Policy requirements.

3. SCOPE

This guideline does not supersede the requirements of the e-gov Password Policy and/or state-specific password policies but is designed to augment the policy. The policy is applicable to all assets and information systems deployed in the e-gov service delivery framework. These guidelines suffice to comply with the minimum baseline requirements of the esp recommended by the esafe standard and best practices.

4. PASSWORD MANAGEMENT & CONSTRUCTION

All account passwords should follow the e-gov or applicable Password Policy. Where possible, privileged user accounts should be tied into a centrally managed system such as Active Directory or Novell eDirectory, avoiding local system accounts. This provides a mechanism to enforce password policy and account management, along with auditing of password changes.

4.1. ACTIVE DIRECTORY ENVIRONMENT

When utilizing Active Directory (AD), rights should be managed by roles. These roles should be defined at the highest level possible (global, enterprise, regional, then local) to allow for the simplest management. Password complexity should be enabled on the domain controllers to ensure the e-gov password policy is complied with.

4.2. UNIX SYSTEMS

Often UNIX hosts are not part of a larger directory structure such as AD but are more likely to be stand-alone devices. UNIX hosts that are not incorporated into a mature directory structure must meet the same user and password management requirements as those enforced within the AD infrastructure.

4.3. PASSWORD ALLOCATION PROCESS

- In order to ensure that passwords are communicated only to the relevant user, they should be communicated back to the originator of the request or to the person to whom the account is assigned.
- Passwords should be communicated securely to users; for example, encrypted e-mail could be used for communicating passwords to users.
- All initial passwords should be forced to change on first use.

4.4. PASSWORD RESET PROCESS

Users and administrators may forget their passwords over time, in which case the password has to be reset. If the password reset is not done in a proper and secure manner, it is possible for unauthorized users to ask for the passwords of authorized users to be reset and so gain access to systems.

- Password reset requests should come to system administrators/application administrators through the appropriate channels.
- If a user has forgotten his e-mail ID password or is not able to log in to his e-mail account, he/she should personally raise a password change request through the formally managed process in place, viz. the Service Desk. The responsible team should verify the user's identity and then forward the password change request to the system administrators.
- The designated personnel should confirm the request with the person who requested the reset. Once satisfied, they should allocate the new password and confirm it back to the end user only.
- In the event of a suspected compromise or disclosure of a password, the user shall raise a security incident. He/she should also inform the designated team, viz. the Service Desk, immediately. The password should then be changed and communicated to the user. Before changing the password, the Service Desk should authenticate the user.
- A log of password resets should be maintained, wherever possible, for auditing purposes.

4.5. PASSWORD MANAGEMENT GUIDELINES

The following e-gov Password Policy controls should be enforced so that all system accounts are bound to have passwords of the minimum desired quality.

- All users getting access to e-gov systems are authenticated using the Active Directory feature provided by Windows NT/2003/2008. The system should grant access to the domain only if the user ID and password are correct.
- Any application or database that is not integrated with Active Directory Services (ADS) should have provisions for creating unique user IDs and passwords to authenticate users prior to accessing the system.
- Passwords should be encrypted when stored in files or databases. Access to this field of the database should be restricted to system security administrators only.
- Passwords should not be transmitted in clear text over any kind of network.
- Authentication, authorization and accounting for all critical network devices should be done through a centrally controlled server, and access to it should be provided only to specific security administrators.
- Password complexity requirements should be enforced using domain policies. The complexity requirements should include at least the following points:
  - Minimum password age should be set to one day.
  - Minimum password length should be eight characters.
  - A record of the last 5 passwords should be maintained in order to prevent their reuse.
  - A password should contain a mix of alphabetic and non-alphabetic characters (numbers, punctuation or special characters), or a mix of at least two types of non-alphabetic characters.
  - Policy should be set such that passwords for all users with normal access, as well as privileged users, expire in 45 days.
  - Policy should be enforced to lock the user account after 5 successive invalid login attempts.
  - Account lockout duration and the reset-account-lockout-counter duration should be set to 30 minutes for desktops.
  - If an administrative (privileged) account is locked out, the user should not be able to log in until the account is unlocked by the system administrator.
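The password quality, history, expiry and lockout parameters listed above, implemented as an added example (not part of the guideline or of any e-gov system): a small Python account model that enforces the section 4.5 values and keeps the password record as salted hashes rather than clear text. The PBKDF2-HMAC-SHA256 digest, the choice to count the current password as one of the five remembered, and the result strings are this example's own assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta
# Parameters taken from section 4.5 of the guideline.
MIN_LENGTH = 8
HISTORY_SIZE = 5                           # last 5 passwords may not be reused
MIN_AGE = timedelta(days=1)
MAX_AGE = timedelta(days=45)
LOCKOUT_THRESHOLD = 5                      # successive invalid login attempts
LOCKOUT_DURATION = timedelta(minutes=30)   # lockout and counter-reset window

def meets_complexity(pw: str) -> bool:
    """Eight characters plus alphabetic/non-alphabetic mix or two non-alphabetic kinds."""
    alpha = any(c.isalpha() for c in pw)
    digit = any(c.isdigit() for c in pw)
    other = any(not c.isalnum() for c in pw)   # punctuation or special characters
    return len(pw) >= MIN_LENGTH and ((alpha and (digit or other)) or (digit and other))

def _digest(pw: str, salt: bytes) -> bytes:
    # Salted, iterated hash (PBKDF2-HMAC-SHA256, an assumption) so no clear text is stored.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    def __init__(self, password: str, now: datetime, privileged: bool = False):
        self.privileged, self.changed_at = privileged, None
        self.history = []   # (salt, digest) pairs, newest last; the current one counts
        self.failures, self.last_failure, self.locked = 0, None, False
        assert self.set_password(password, now, initial=True) == "ok", "bad initial password"

    def _matches(self, pw: str, entry) -> bool:
        return hmac.compare_digest(_digest(pw, entry[0]), entry[1])

    def set_password(self, new: str, now: datetime, initial: bool = False) -> str:
        if not meets_complexity(new):
            return "rejected: complexity"
        if any(self._matches(new, e) for e in self.history):
            return "rejected: reuse"
        if not initial and now - self.changed_at < MIN_AGE:
            return "rejected: minimum age"
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _digest(new, salt))])[-HISTORY_SIZE:]
        self.changed_at = now
        return "ok"

    def admin_unlock(self) -> None:
        self.locked, self.failures = False, 0

    def login(self, pw: str, now: datetime) -> str:
        # 30-minute window: counter resets, ordinary accounts unlock; privileged stay locked.
        if self.last_failure and now - self.last_failure >= LOCKOUT_DURATION:
            self.failures, self.locked = 0, self.locked and self.privileged
        if self.locked:
            return "locked"
        if not self._matches(pw, self.history[-1]):
            self.failures, self.last_failure = self.failures + 1, now
            self.locked = self.failures >= LOCKOUT_THRESHOLD
            return "locked" if self.locked else "invalid"
        self.failures = 0
        return "expired" if now - self.changed_at > MAX_AGE else "ok"
```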

- By default, all applications and systems should be configured not to display passwords on the screen while they are being keyed in.
- Policy should be set to audit user account login/logout, to ensure each user can be held accountable for his/her actions.
- Logs for all activities should be maintained for 90 days. Logs of unsuccessful attempts and suspected successful attempts should be reviewed by designated administrators periodically.
- Default accounts should be disabled and/or default passwords should be changed immediately, adhering to the baseline hardening procedures for the systems and applications.
- Provide proper user awareness training to all users (including third-party vendor employees and contract employees) to ensure password procedures and policies are followed by all users.
- Force users to change the temporary password given during account creation at the first log-on.

4.6. E-SAFE RECOMMENDATION

Besides the aforementioned exhaustive list of controls laid down in the e-gov Password Policy, the following guidelines should be followed in application code (APPLICATION CLASS) and infrastructure (INFRASTRUCTURE CLASS), as recommended by e-safe according to the criticality of the environment. (Refer to Guidelines for Implementation of Security Control (GD 210): Guidelines for implementing chosen security controls.)

I. The following control improvements are recommended for applications in the e-SAFE application class.

- The application should not allow the creation or use of weak passwords by users.
- Maintain a record/history of a specified number of previously used passwords to prevent re-use.
- Define the requirements of the control mechanisms in the RFP and/or SRS.

- Conduct formal testing of the implemented control mechanisms.

II. The following controls are best practices to be followed in the e-gov environment, recommended in the e-safe Infrastructure class.

- In some devices, by default, no authentication scheme is present or default system accounts have no password. Such default system accounts without a password shall be disabled.
- The organization should discourage the use of group accounts and the sharing of account credentials, and enforce the use of individual user IDs and passwords to maintain accountability.
- The default passwords of devices (e.g. network routers, switches, access points etc.) should be changed during installation, and this practice should be integrated with the organizational procedure for installation of computing and communication devices.
- The keeper of master passwords should be a trusted employee, such as a Project Manager belonging to the e-governance Information Security Working Group (ISWG), who is available during emergencies. Any copies of the master passwords must be stored in a very secure location (a sealed envelope or a properly access-controlled repository with limited access).
- The passwords of privileged users (such as network technicians, electrical or electronics technicians and management, and network designers/operators) should be the most secure and be changed frequently.
- Authority to change master passwords should be limited to trusted employees.
- A password audit record, especially for master passwords, should be maintained separately from the control system.
- Store password files separately from application system data.

III. The following control improvements are recommended for applications in the e-SAFE application class.

- The organization should adopt a managed process to verify the identity of the requestor for resetting or reissuing an account password.
- The system should not store passwords in clear text and should eliminate the use of weak hashes (NTLM hash instead of LANMAN hash, or salted MD5).
- The organization should discourage the use of group accounts and the sharing of account credentials, and enforce the use of individual user IDs and passwords to maintain accountability.

- For highly sensitive systems, the root or administrator password shall be broken into two parts, each held by a different person, to minimize the security risk posed by any single person.
- In environments with a high risk of interception or intrusion (such as remote operator interfaces in a facility that lacks local physical security access controls), organizations should consider supplementing password authentication with other forms of authentication, such as challenge/response or multi-factor authentication using biometrics (e.g. thumb impression), physical tokens (RSA token), smart cards or USB tokens holding a digital certificate.

4.7. ROLES AND RESPONSIBILITY

Role: Service desk/helpdesk
- Ensure proper user identification is done.

Role: System Administrator/Application Administrator
- Generation of passwords.
- Ensuring that users are forced to change their passwords after logging in for the first time.
- Resetting passwords and communicating them to the user.

Role: CISO
- Ensure appropriate policies are configured to meet the requirements of the password management guidelines.
- Ensure proper user awareness training is done to educate users on the use of passwords and their management.