Title System Security
SOP Number IT/013/R.1
SOP Title System Security
Role | Name | Title | Date
Author | Sandeep R. Yadav | System Admin | 27/11/2022
Reviewer | Milind Khedekar | Senior Manager | 27/11/2022
Authoriser | Mahaveer Devannavar | General Manager | 27/11/2022
Effective Date : 01/12/2022
Review Date : 28/11/2022
1. PURPOSE
The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency with which they are changed, in order to safeguard the system from any type of intrusion.
2. INTRODUCTION
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in a compromise of the entire network. As such, all employees, including contractors and vendors with access to systems, are responsible for taking the appropriate steps to select and secure their passwords.
3. SCOPE
The scope of this document includes all personnel who have, or are responsible for, an account on any system that resides at any facility or has access to the servers, network devices and/or network. The scope defines the benchmark for securing system access through the creation and changing of passwords, which are the first layer of protection.
4. RESPONSIBILITIES
4.1. Senior System Administrator :
The Senior System Administrator is responsible for ensuring that the password policy is implemented efficiently. He is further accountable for ensuring that the standard benchmark is followed. Password complexity, the number of failed attempts before lockout, the password change frequency and the repeated-password policy are set by him.
4.2. Junior System Administrator :
Junior System Administrators are responsible for working on the password policies set by the Seniors and for implementing them on the servers, where they apply to all users.
5. SPECIFIC PROCEDURE
5.1 General :
• All system-level passwords (e.g., root, enable, network administrator, application administration accounts, etc.) must be changed at least every 90 days.
• All production system-level passwords must be part of the global password management database administered by Information Security.
• All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every 90 days and may not reuse any of the past 10 passwords.
• Passwords must not be inserted into email messages or other forms of electronic communication.
5.2 Guidelines :
Password construction requirements. A password must:
i. Be a minimum length of eight (8) characters on all systems
ii. Not be a dictionary word or proper name
iii. Not be the same as the user id
iv. Expire within a maximum of 90 calendar days
v. Not be identical to the previous ten (10) passwords
vi. Not be transmitted in the clear or plaintext outside the secure location
vii. Not be displayed when entered
viii. Only be reset for the authorized user
ix. Contain a minimum of one special character
x. Contain a minimum of one capital letter
xi. Contain a minimum of one number
5.3 Password change on first login :
• The first password is set on creation of the domain user and sent to the user's personal mail/mobile.
• It is mandatory for the end user to change this first password, keeping to the password complexity benchmark set by this policy.
5.4 Password deletion :
All passwords that are no longer needed must be deleted or disabled immediately. This includes, but is not limited to, the following:
• When a user retires, quits, is reassigned, released, dismissed, etc.
• Default passwords shall be changed immediately on all equipment.
• Contractor accounts, when no longer needed to perform their duties.
5.5 Password protection standards :
Do not use your user id as your password. Do not share organization passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential organization information.
Here is a list of "do not's":
• Don’t reveal a password over the phone to anyone
• Don’t reveal a password in a mail message
• Don’t reveal a password to the boss
• Don’t talk about a password in front of others
• Don’t hint at the format of a password (e.g., “my family name”)
• Don’t reveal a password on questionnaires or security forms
• Don’t share a password with family members
• Don’t reveal a password to a co-worker while on vacation
• Don’t use the "Remember Password" feature of applications
• Don’t write passwords down and store them anywhere in your office
• Don’t store passwords in a file on any computer system unencrypted
If someone demands a password, refer them to this document or inform the Department of Information Technology.
If an account or password is suspected to have been compromised, report the incident to the organization and change all passwords.
Password cracking or guessing may be performed on a periodic or random basis by the organization. If a password is guessed or cracked during one of these scans, the user will be required to change it.
5.6 Application development standards :
Application developers must ensure their programs contain the following security precautions:
• Should support authentication of individual users, not groups.
• Should not store passwords in clear text or in any easily reversible form
• Should provide some sort of role management, such that one user can take over the function of another without having to know the other’s password
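The following is an added example, not part of this SOP, showing how an application could enforce the construction requirements of section 5.2 (length, dictionary words, user id, reuse of the previous ten passwords, special character, capital letter, number) while keeping the password history as salted PBKDF2 hashes instead of clear text, as section 5.6 requires. The dictionary, user id and history are constructed sample data.

```python
"""Policy checker for sections 5.2 and 5.6 of the System Security SOP (added example)."""
import hashlib
import os
import string
from typing import List, Optional, Sequence, Tuple

MIN_LENGTH = 8            # rule i: minimum length of eight characters
HISTORY_DEPTH = 10        # rule v / section 5.1: previous ten passwords
PBKDF2_ROUNDS = 100_000
# Constructed sample word list; a real deployment would load a full dictionary
# and a list of proper names (rule ii).
DICTIONARY = {"password", "welcome", "summer", "alice"}

Entry = Tuple[bytes, bytes]   # (salt, digest) as stored in the history


def hash_password(password: str, salt: Optional[bytes] = None) -> Entry:
    """Salted PBKDF2-HMAC-SHA256 so stored history is not easily reversible (5.6)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password: str, history: Sequence[Entry]) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored hashes."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hash_password(password, salt)[1] == digest:
            return True
    return False


def check_password(password: str, user_id: str, history: Sequence[Entry] = ()) -> List[str]:
    """Return the list of violated section 5.2 rules; an empty list means compliant."""
    failures = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        failures.append("shorter than 8 characters")
    if lowered in DICTIONARY:
        failures.append("dictionary word or proper name")
    if lowered == user_id.lower():
        failures.append("same as user id")
    if in_history(password, history):
        failures.append("identical to one of the previous 10 passwords")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    if not any(c.isupper() for c in password):
        failures.append("no capital letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    return failures
```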
5.7 Remote access users :
Access to the organization's networks via remote access is to be controlled by using either a Virtual Private Network (in which a password and user id are required) or a form of advanced authentication (e.g., Biometrics, Tokens, Public Key Infrastructure (PKI), Certificates, etc.).
6. DEFINITIONS
Password protection : A security process that restricts information accessible via computers to authorized users. Password protection allows only those with an authorized password to gain access to certain information.
Two-Factor Authentication : Two-factor authentication, often abbreviated 2FA, is a type of multi-factor authentication (MFA) in which the user accessing a password-protected site has to present two authentication factors in order to access certain data.
Vault : The vault is the virtual storage of the password manager where all of your passwords and other credentials can be found.
7. CHANGE HISTORY
SOP No. | Effective Date | Significant Changes | Previous SOP no.
IT/013/R.1 | 28/11/2022 | First version | N.A.