Every company requires a corporate password policy. A password policy is an important aspect of information systems security. A properly created password can significantly increase the security of a system; conversely, an improperly chosen, weak password can compromise sensitive corporate assets.
The main goals of this policy are:
- To define a clear Corporate Password Policy standard for creating, protecting and updating strong passwords for all internal and external supported systems;
- To define a list of all 3rd party services that should be synchronized with the Resolver Corporate Password Policy; and
- To define the critical services that must be protected with Two-Factor Authentication (2FA).
Critical 3rd party services
All 3rd party services considered Critical must be protected with 2FA.
Critical services are those which store customer-related information, Resolver confidential information, important Resolver intellectual property (product source code, patent documentation, product designs, company strategy plans, etc.) and/or other confidential information.
- All system-level default administrative accounts (e.g. root, network administrator, local administrator, application administrator) should be disabled (not in use). Instead, individually named accounts with the required administrative privileges should be created, so that every privileged action is attributable to a person.
- Passwords must never be shared, written down, or inserted into email messages or other forms of electronic communication or instant messaging systems.
*For all purposes except regular (interactive) user accounts, passwords should be created as long as the specific software allows.*
User Password Policy guidelines:
- “Enforce password history” should be set to “24” passwords remembered
- “Maximum password age” should be set to “90” days
- “Minimum password age” should be set to “1” day
- “Minimum password length” should be set to “12” characters
- “Password must meet complexity requirements” should be set to “Enabled”
- “Store passwords using reversible encryption” should be set to “Disabled”
- “Account lockout duration” should be set to “30” minutes
- “Account lockout threshold” should be set to “5” invalid logon attempts
- “Reset account lockout counter after” should be set to “30” minutes
- Screen lock timeout should be set to 10 minutes
- Access to the Basic Input Output System (BIOS) setup should be protected by a password.
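The nine Windows settings in the list above, together with the default-administrator item earlier, can be audited from a `secedit /export` template. The script below is an added example and is not part of the original policy document or its publisher's material; it assumes the `[System Access]` key names that secedit writes into its INF export (commented beside each check), and the sample export embedded in it is constructed, not captured from a real host. It also emits a fix template for `secedit /configure` covering only the failed keys.

```python
"""Audit a 'secedit /export' template against the user password policy
and the default-administrator item above. Added example; not from the
original policy or its publisher. Assumes the [System Access] key names
that secedit writes (commented below) and a constructed sample export."""
import configparser
import sys

# Expected values from the policy list, keyed by secedit's [System Access]
# names. In the export, MaximumPasswordAge = -1 means "never expires" and
# LockoutBadCount = 0 means "never lock out", so plain <= comparisons would
# pass both weak settings; the ranges below reject them explicitly.
CHECKS = {
    "PasswordHistorySize":   ("Enforce password history 24", lambda v: v >= 24),
    "MaximumPasswordAge":    ("Maximum password age 90 days", lambda v: 1 <= v <= 90),
    "MinimumPasswordAge":    ("Minimum password age 1 day", lambda v: v >= 1),
    "MinimumPasswordLength": ("Minimum password length 12", lambda v: v >= 12),
    "PasswordComplexity":    ("Complexity requirements enabled", lambda v: v == 1),
    "ClearTextPassword":     ("Reversible encryption disabled", lambda v: v == 0),
    "LockoutDuration":       ("Lockout duration 30 min (0 = until admin unlock)",
                              lambda v: v == 0 or v >= 30),
    "LockoutBadCount":       ("Lockout threshold 5", lambda v: 1 <= v <= 5),
    "ResetLockoutCount":     ("Reset lockout counter after 30 min", lambda v: v >= 30),
    "EnableAdminAccount":    ("Built-in Administrator disabled", lambda v: v == 0),
}
# Compliant values written into the fix template for every failed key.
FIX_VALUES = {"PasswordHistorySize": 24, "MaximumPasswordAge": 90,
              "MinimumPasswordAge": 1, "MinimumPasswordLength": 12,
              "PasswordComplexity": 1, "ClearTextPassword": 0,
              "LockoutDuration": 30, "LockoutBadCount": 5,
              "ResetLockoutCount": 30, "EnableAdminAccount": 0}
# Constructed sample of what 'secedit /export /cfg secpol.inf' produces on a
# host still on Windows defaults (not a real capture).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 8
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 1
EnableAdminAccount = 1
EnableGuestAccount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_template(text):
    """Return {key: int} for the checked keys present in [System Access]."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep secedit's CamelCase key names
    cp.read_string(text)
    return {k: int(cp.get("System Access", k))
            for k in CHECKS if cp.has_option("System Access", k)}

def audit(text):
    """Return findings as (key, current_value, description, ok) tuples."""
    values = parse_template(text)
    findings = []
    for key, (desc, check) in CHECKS.items():
        if key not in values:
            findings.append((key, None, desc, False))  # absent = not enforced
        else:
            findings.append((key, values[key], desc, check(values[key])))
    # Windows requires the reset window to be <= a non-zero lockout duration,
    # so that combination is flagged even when each value passes on its own.
    dur, reset = values.get("LockoutDuration"), values.get("ResetLockoutCount")
    if dur not in (None, 0) and reset is not None and reset > dur:
        findings.append(("ResetLockoutCount", reset,
                         "Reset window must not exceed LockoutDuration", False))
    return findings

def fix_template(findings):
    """Build an INF correcting only the failed keys; apply on the host with:
    secedit /configure /db fix.sdb /cfg fix.inf /areas SECURITYPOLICY"""
    failed = dict.fromkeys(k for k, _, _, ok in findings if not ok)  # dedup
    body = [f"{k} = {FIX_VALUES[k]}" for k in failed]
    return "\n".join(["[Unicode]", "Unicode=yes", "[System Access]", *body,
                      "[Version]", 'signature="$CHICAGO$"', "Revision=1"]) + "\n"

def main(argv):
    if len(argv) > 1:  # secedit writes its export as UTF-16
        with open(argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EXPORT
    findings = audit(text)
    for key, val, desc, ok in findings:
        print(f"{'PASS' if ok else 'FAIL'}  {key} = {val}  ({desc})")
    if any(not ok for *_, ok in findings):
        print("\n# fix.inf to apply with secedit /configure:\n" + fix_template(findings))

if __name__ == "__main__":
    main(sys.argv)
```

Run it without arguments to see the constructed default-settings export fail eight of the ten checks, or pass the path of a real `secedit /export /cfg secpol.inf` output to audit a host. A missing key is reported as a failure rather than skipped, because an unset value means the control is not enforced at all.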
Hard Drive Protection:
- Enable BitLocker or another full disk encryption solution.
Trusted Platform Module (TPM) password
- Enable the TPM password.
Network Infrastructure Device Passwords
This policy applies to all managed network switches, routers, firewall devices, Wi-Fi routers, Wi-Fi access points, and video/phone conferencing devices.
- The default password for the admin accounts on all network access devices must be changed.
- If any version of SNMP is used for remote administration or monitoring, the default community strings such as “public” and “private” must be removed before real community strings are put in place. Note that SNMPv1 and SNMPv2c send the community string in clear text, so SNMPv3 with authentication and privacy should be preferred where the device supports it. If SNMP is not used for administration or monitoring of the hardware, SNMP should be disabled.
- The default password for the admin account on every printer's web interface must be changed.
- Do not share your password with ANYONE (!).
- Do not reveal your password over the phone to ANYONE (!).
- Do not reveal your password through email or instant messages to ANYONE (!).
- Do not reveal your password to your manager/boss.
- Do not hint at the format of a password (e.g., “my family name”).
- Do not reveal a password on questionnaires or security forms.
- Do not share a password with family members.
- Do not reveal a password to a co-worker while on vacation.
- Do not use the “Remember Password” feature of applications.
- Do not write passwords down and store them anywhere in your office.
- Do not store passwords unencrypted in a file on ANY computer system.
- If someone demands a password, refer them to this document or have them contact Information Security: REDACTED
- If an account or password is suspected to have been compromised, report the incident immediately to REDACTED and change all passwords.
Password cracking or guessing may be performed on a periodic or random basis by the Information Security department. If a password is guessed or cracked during one of these scans, the user will be required to change it.
Indian Cyber Army | Make IT Secure