
Gloucestershire County Council

Password Protection Policy

Purpose

1. Gloucestershire County Council’s (the Council) information is a valuable asset that must be managed with care; protecting information helps protect the interests of the Council, its customers, partners and employees. This policy sets out how access to information and information processing facilities should be controlled via passwords, and aims to ensure that users are using suitable passwords, and understand their responsibilities.

Policy Statement

2. The Council will:

• Have a standard for the creation of strong passwords

• Enforce the use of strong passwords

• Determine the frequency of password change across all systems throughout the Council

• Ensure that users are made aware of how to use information systems securely

Scope

3. This policy applies to all employees, partners, contractors, Members, agents of the Council and other third parties (referred to hereafter as ‘users’) who require any form of access to the Council’s electronic information systems.

This policy should be adhered to at all times when accessing information from any device. Questions regarding the content or application of this policy should be directed to the ICT Service Desk at ictservicedesk@steria.co.uk or the Information Management Service at informationsecurity@.uk .

Risk Management

4. Protecting personal and/or sensitive information from unauthorised access, modification, disclosure, or misuse is essential to mitigate the following risks:

• Harm to individual(s)

• Service disruption

• Potential legal action and/or fines against the Council or individual(s)

• Damage to the Council’s reputation

• Loss of credibility

• Theft, fraud or misuse of facilities

• Cyber attack and/or threat to the productivity and capability of the Council to conduct its business.

5. Applying this policy

Responsibilities

Users:

• must ensure that their password is not divulged or shared with anyone else.

• must not create ‘poor’ passwords (see Appendix 1)

• must not write down and store passwords within the office, e.g. in office diaries or paper files.

• must not insert passwords into email messages. (System-generated temporary passwords are an exception: they may be emailed because they are classified as temporary, and must be changed as soon as possible.)

ICT system usage:

• should support individual user identification – providing for identification of specific users and not generic group accounts.

• should not store passwords in clear text or in any easily reversible form.

• should ensure passwords and accounts are linked to role-based access, enabling delegation of tasks to individuals.

ICT system infrastructure:

• should not contain or utilise embedded (hard-coded) passwords.

• should use access control procedures which apply equally to both operational and test systems.

• that requires local logon privileges for configuration and maintenance (e.g. printers, network switches, routers, SAN appliances) must have its built-in default admin (or equivalent) account passwords changed in line with this policy.

6. Password Creation

• All user-level and system level passwords must conform to the Council’s Password Construction guidelines (see Appendix 1)

• Users must not use existing personal account passwords for their various GCC accounts (e.g. personal internet (ISP) accounts, banks, etc.).

• Where possible, users must create different passwords for their various GCC accounts.

7. Password Change

• All system-level passwords must be changed on at least a quarterly basis.

• All user-level passwords must be changed at least every six months.

• Random password ‘cracking’ may be carried out on a periodic basis by ICT or its delegates. If a password is ‘cracked’ the user will be required to change it in line with the Password Construction guidelines.

8. Password Protection

• Personal passwords must not be shared with anyone. All passwords are to be treated as business-critical GCC information.

• Passwords must not be inserted into email messages or other forms of electronic communication.

• The only passwords permitted to be sent via e-mail are those that are temporary and generated for users who are receiving their login credentials for the first time or have requested them through an application password re-set procedure.

• Passwords must not be revealed over the phone.

• Passwords must not be revealed on questionnaires or security forms.

• Users must not hint at the format of a password (for example “my family name”).

• Any user that suspects their password has been compromised must report the incident to the ICT Service Desk and change all passwords in line with the Password Construction guidelines.

9. Application Development

Application developers must ensure that their programs contain the following security precautions:

• Applications must support authentication of individual users and not generic passwords for teams or groups of staff.

• Applications must not store passwords in clear text or in any easily reversible form.

• Applications must not transmit passwords in clear text over the network.

• Applications must provide role management, which allows one user to take over the functions of another without having to know their password.

Policy Compliance

10. All employees, and anyone who delivers services on the Council’s behalf (e.g. contractors, partners, agents or other third parties with access to the Council’s information assets), have a responsibility to comply with this policy, which can be found at Information Management and Security Policies, and to promptly report any suspected or observed security breach.

Security breaches that result from a deliberate or negligent disregard of any security policy requirements may, in the Council’s absolute discretion, result in disciplinary action being taken against that employee. In the event that breaches arise from the deliberate or negligent disregard of the Council’s security policy requirements by a user who is not a direct employee of the Council, the Council shall take such punitive action against that user and/or their employer as the Council in its absolute discretion deems appropriate.

The Council may, in its absolute discretion, refer the matter of any breach of the Council’s security policy requirements to the police for investigation and (if appropriate) the instigation of criminal proceedings if, in the reasonable opinion of the Council, such breach has led or is likely to lead to the commission of a criminal offence.

If you don’t understand the implications of this policy or how it applies to you, please contact the following for advice: ICT Service Desk at ictservicedesk@steria.co.uk or the Information Management Service at informationsecurity@.uk

11. Related Standards, Policies and Processes

• Password Construction Guidelines (appendix 1)

References

12. This policy and other related information security policies, standards and procedures can be found at Information Management and Security Policies.

Policy Review

13. This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

Appendix 1: Password Construction Guidelines

What is a poor password?

A poor password is one that can be easily guessed, or can be cracked using software easily available on the Internet. Do not use any of the following in your password:

• Your name, the name of your spouse, child, pet, boss etc. Do not use names in any form.

• Your username.

• Anything that can easily be found out about you e.g. your house name, street, city, your birthday, license plate number, your national insurance number, phone number, favourite pop star, movie, song etc.

• Family member’s birthdays.

• A password composed of all digits or all letters.

• A word with a single digit on the end e.g. summer1.

• Key patterns such as 'qwerty'.

• A derivative of any of your personal passwords e.g. home email address, social networking, online shopping, etc.

What is a good password?

• At least 8 characters long.

• Have both upper and lower case letters.

• Have both alpha and numeric characters.

• Have digits and punctuation (e.g. @ : } { ) ( " ! ?).

• Do not appear systematic e.g. abc, or 123.

• Are easy to remember so that they don't need to be written down.

How do I choose a good password?

• Use a sentence like 'I love shopping, especially for Christmas presents' and turn this into a password such as - Ils,e4Cp - using the first letter of each word, substituting numbers for words where possible (e.g. 4 instead of ‘for’). This looks like gobbledegook which is good because it is hard to crack.

• You could do something simple like picking 2 words, splitting them into non dictionary words and adding a number and other characters in the middle, e.g. summer evening becomes Sum99*ng (note at least 1 letter is capitalised).

• Substitute numbers for letters - some numbers look like a letter e.g. number 5 looks like the letter S, number 2 looks like the letter Z, number 1 looks like the letter L, number 3 looks like the letter E.

• Substitute special characters - e.g. use the $ to replace S, use ! to replace l. Combine this with using the first letters of words that make up a movie such as 'Star Wars: The Empire Strikes Back Episode 5' - this becomes $Wte$be5, or also include some number for letter substitution and this becomes $Wt3$b35.

• Use compound words and spice them up with numbers or special characters, or create your own spelling of one or both words e.g.

• Tunafish becomes toona&Fish2

• Rocketship becomes rokiT7shiP

• Doghouse becomes DAWG~howz8

• Use keyboard patterns using numbers and the shift key occasionally (but be careful not to use simple patterns such as qwerty).

• Use the Password Generator. This presents you with a selection of passwords and you can select the one that suits you, and that you will find easy to remember.
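The rules in Appendix 1 can be checked mechanically before a password is accepted. The checker below is an added example, not the Council's own tooling: the rule labels, the keyboard rows and the sample username are mine, and the check for personal details relies on the caller supplying the terms to look for (name, username, birthday and so on), since a program cannot know them otherwise.

```python
"""Checker for the password construction rules in Appendix 1 (added example)."""
import re
import string

# Keyboard rows used to spot 'qwerty'-style key patterns (constructed list).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _is_systematic(pw: str) -> bool:
    """True if three adjacent characters step up or down by one (abc, 123, cba)."""
    codes = [ord(c) for c in pw]
    for a, b, c in zip(codes, codes[1:], codes[2:]):
        if b - a == c - b and abs(b - a) == 1:
            return True
    return False


def _has_key_pattern(pw: str) -> bool:
    """True if any 4-character run of the password lies on a keyboard row."""
    low = pw.lower()
    rows = KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS)
    for i in range(len(low) - 3):
        if any(low[i:i + 4] in row for row in rows):
            return True
    return False


def check_password(pw: str, username: str = "", personal_terms=()) -> list:
    """Return the Appendix 1 rules the password breaks (empty list = acceptable)."""
    failures = []
    if len(pw) < 8:
        failures.append("too short")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failures.append("needs upper and lower case")
    if not any(c.isdigit() for c in pw):
        failures.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("needs punctuation")
    if pw.isdigit() or pw.isalpha():
        failures.append("all digits or all letters")
    if re.fullmatch(r"[A-Za-z]+\d", pw):  # e.g. summer1
        failures.append("word with a single digit on the end")
    if _is_systematic(pw):
        failures.append("systematic sequence")
    if _has_key_pattern(pw):
        failures.append("keyboard pattern")
    low = pw.lower()
    for term in (username, *personal_terms):  # name, birthday, house name, ...
        if len(term) >= 3 and term.lower() in low:
            failures.append(f"contains personal term '{term}'")
    return failures
```

Run against the appendix's own samples, the first-letter and substitution examples pass, while rokiT7shiP is reported for lacking punctuation, which the "good password" list asks for.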

Document Control

|Author: |John Deane: ICT Operations Manager |

|Owner: |Stewart Edgar: Chief Fire Officer and Operations |

|Document Number: |V0.5 |

|Revision History |Date of next revision: January 2018 |

|Revision date |Summary of Changes |Version |

|Dec 2016 |Initial document written by The ICT Service |V0.1 |

|Jan 2017 |Including comments from IMS |V0.2 |

|Jan 2017 |Including comments from Sopra Steria |V0.3 |

|May 2017 |Policy prepared for ICT Governance board |V0.4 |

|June 2017 |Policy updated to include changes requested prior to ICT Governance Board approval |V0.5 |

|July 2017 |Final version 1 published to Staffnet |V1.0 |


Document Approvals

|Version |Approved By |Date |

|V1.0 |ICT Governance Board |July 2017 |
