Password Policy

Introduction

Passwords are still the primary method of preventing unauthorized access to Fiber Group Shpk networks and systems. The threat posed by unauthorized access can be very serious and can have costly implications for the organization and its stakeholders. It is therefore important that a well-considered password policy is documented, in use and known to all staff, vendors and third parties who have access to the organization’s IT systems and data.

The effectiveness of a password is largely determined by the design and implementation of the authentication system; in particular, how frequently password attempts can be made by an unauthorized user, and the security methods used to protect users’ passwords at the point of entry, during transmission and while in storage.

Authentication requires one of the following:

  • Something you know, such as a password or passphrase
  • Something you have, such as a token device/app or smart card
  • Something you are, such as a biometric (e.g. fingerprint readers)

In some cases, two or more of the above authentication methods will be used together.

This policy applies to all accounts with administrative capabilities and all accounts used to view or access IT systems and/or the organization’s data. This includes accounts used by vendors and other third-party suppliers (for example, for support or maintenance).

It is the responsibility of all employees, stakeholders, vendors and third-party suppliers to comply with this policy. Failure to do so may result in disciplinary action.

The IT department is responsible for enforcing the password policy where technically possible. Frequent reviews of all IT systems are undertaken to ensure the effectiveness of password authentication.

The Information Security Officer will verify compliance with this policy through various methods, which include, but are not limited to:

  • Periodic walks through the organization’s offices
  • Technology monitoring
  • Business tool reports
  • Internal and external audits

Any exceptions to this policy must be approved by the Information Security Officer in advance.

2. Password Policy

2.1 General

All passwords will have the following characteristics:

  • A minimum length of seven characters
  • At least two of the following three characteristics:
    • Both upper- and lower-case characters
    • At least one number
    • At least one special character, e.g. ! £ $ %

The following requirements also apply to the management of passwords:

  • Passwords will be changed after 90 days
  • No reuse of passwords from the last four used
  • After 5 unsuccessful login attempts the user account will be locked out
  • Account lockout will last for a duration of 30 minutes. Furthermore, every account lockout will be recorded for future investigation.
  • If a session has been idle for 15 minutes the user will be required to re-authenticate
  • Newly issued passwords must be changed immediately after first use
  • System default accounts/passwords will be disabled/changed immediately as part of initial setup and configuration
  • A ‘challenge/response’ process will be used by the IT department on password reset requests to confirm the identity of the staff member
  • All passwords used in test and development systems will be disabled/changed when those systems are promoted into the live environment
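The following is an added illustration, not part of the Fiber Group policy text or its IT systems: a small checker that encodes the section 2.1 rules (seven-character minimum, two of three character categories, no reuse of the last four passwords, lockout after 5 failures for 30 minutes with every lockout recorded). It assumes password history is kept as SHA-256 digests and that time is passed in as seconds; both are assumptions of this example, not statements of the policy.

```python
import hashlib
import re

MIN_LENGTH = 7                 # "minimum length of at least seven characters"
HISTORY_DEPTH = 4              # "no reuse of passwords from the last four used"
MAX_FAILURES = 5               # "after 5 unsuccessful login attempts ... locked out"
LOCKOUT_SECONDS = 30 * 60      # "account lockout will be for a duration of 30 minutes"

def complexity_ok(pw: str) -> bool:
    """Length rule plus at least two of: mixed case, a digit, a special character."""
    categories = [
        bool(re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)),
        bool(re.search(r"\d", pw)),
        bool(re.search(r"[^A-Za-z0-9]", pw)),
    ]
    return len(pw) >= MIN_LENGTH and sum(categories) >= 2

def digest(pw: str) -> str:
    # Assumption: history keeps SHA-256 digests of old passwords, never plaintext.
    return hashlib.sha256(pw.encode()).hexdigest()

def not_reused(pw: str, history: list[str]) -> bool:
    """history holds digests of previous passwords, oldest first."""
    return digest(pw) not in history[-HISTORY_DEPTH:]

class LockoutTracker:
    """Per-account failure counter; every lockout is appended to audit_log."""
    def __init__(self) -> None:
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, float] = {}
        self.audit_log: list[tuple[str, float]] = []   # (account, locked_at)
    def is_locked(self, account: str, now: float) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[account]   # lockout expired: reset the counter
        self.failures[account] = 0
        return False

    def record_failure(self, account: str, now: float) -> bool:
        """Count a failed login; return True if it triggered a lockout."""
        if self.is_locked(account, now):
            return False
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] < MAX_FAILURES:
            return False
        self.locked_until[account] = now + LOCKOUT_SECONDS
        self.audit_log.append((account, now))
        return True
```

Attempts made while an account is locked are ignored rather than counted, so the 30-minute window is not extended by further guesses.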

2.2 Additional Guidelines for Users

The following additional guidelines are given to help all employees, stakeholders and third parties keep their account passwords protected at all times:

  • Do not reveal your password to anyone at any time on any medium (telephone, email, instant message, etc.)
  • Shared and generic user credentials must not be used
  • Do not write passwords down
  • When creating a password, do not use dictionary words, names of family members or information about yourself that could easily be found out, e.g. date of birth
  • If you suspect your password has been compromised, change it immediately
  • Where IT systems offer ‘password hints’, do not make the hint easy enough for anyone to guess your password, e.g. password hint = my surname
  • Where possible, use passphrases instead of passwords. A passphrase is a longer version of a password and is therefore more secure. It is typically composed of multiple words, which reduces the risk of ‘dictionary attacks’
  • Be mindful when entering your password that no one is watching over your shoulder
  • Use a different password for each account you own
  • If you suspect the IT system you are about to enter your password into is compromised or looks suspicious, do not enter the password and report the issue to your line manager. Please refer to the organization’s Incident Management Process for more information

2.3 Password Protection

It is vital for the protection of organization systems and data that controls are in place to ensure a password remains secure. Passwords can be intercepted during transmission or stolen while in storage on disk.

During transmission:

  • Passwords must not be transmitted over the network in clear text or in any easily reversible form
  • Applications must not transmit passwords in clear text over the network

While in storage:

  • All stored passwords must be encrypted with the appropriate cryptographic technologies. Refer to the Cryptographic Policy for more information
  • All systems must make use of role-based access to data in storage

2.4 Multi-Factor Authentication (MFA)

Multi-Factor Authentication (often referred to as two-factor authentication) is required in the following areas:

  • Accessing IT systems where sensitive data is available to view or modify (e.g. cardholder data)
  • When working remotely
  • When vendors or third-party suppliers require access to the organization’s IT systems

MFA requires the user to present at least two of the following three authentication methods to gain access to the appropriate IT system:

  • Something you know, such as a password or passphrase
  • Something you have, such as a token device/app or smart card
  • Something you are, such as a biometric (e.g. fingerprint readers)

Where smart card or token device/app methods are used as part of multi-factor authentication, the following additional requirements apply:

  • These methods must be assigned to individual accounts and not shared between multiple accounts
  • Physical and/or logical controls must be in place to ensure that only the intended users can access the appropriate system