The Password Policy sets out how passwords are to be chosen and safeguarded. It applies to all staff, independent contractors, and any other individuals who hold an account on any system located on Netspective Communications LLC premises or who have access to the Netspective Communications LLC network.
Rotation requirements
- Change all system-level passwords at least quarterly. Change all user-level passwords at least every 60 days. [FII-SCF-012-IAC-01]
Password Settings
Password complexity
- A password must satisfy the following requirements [FII-SCF-012-IAC-16]:
  - Be at least eight characters long.
  - Contain at least three of the following four character classes:
    - Lower case characters
    - Upper case characters
    - Numbers
    - Special characters (e.g. !@#$%^&*()-_+=[]|:;".?/ etc.)
Password
- Strong passwords do not have any of the following characteristics:
  - Fewer than eight characters.
  - Common words found in a dictionary.
  - Common usage words such as:
    - Names of family, friends, pets, co-workers, fantasy characters, etc.
    - Computer terms and names, commands, sites, companies, software, or hardware.
    - Birthdays or other personal information such as addresses and phone numbers.
    - Word or number patterns like Aaabbb123, Abcdef123, Abc123321, etc.
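As an added illustration (not part of the policy text itself), the following Python checker applies the complexity and characteristic rules above to a candidate password: minimum length, three of the four character classes, no common dictionary word, and no repeated or sequential runs such as those in Aaabbb123. The `COMMON_WORDS` list is a constructed stand-in for a real wordlist, and the three-character run heuristic in `has_sequence` is an assumption about how "patterns like Aaabbb123" should be detected.

```python
import string

MIN_LENGTH = 8    # policy: at least eight characters
MIN_CLASSES = 3   # policy: at least three of the four character classes

# Constructed stand-in for a dictionary / common-word list. A real deployment
# would load a wordlist file (e.g. a cracked-password corpus) instead.
COMMON_WORDS = {"password", "welcome", "summer", "netspective", "admin", "letmein"}


def character_classes(pw: str) -> set:
    """Return the set of character classes (lower/upper/digit/special) present in pw."""
    classes = set()
    if any(c.islower() for c in pw):
        classes.add("lower")
    if any(c.isupper() for c in pw):
        classes.add("upper")
    if any(c.isdigit() for c in pw):
        classes.add("digit")
    if any(c in string.punctuation for c in pw):
        classes.add("special")
    return classes


def contains_common_word(pw: str, words=COMMON_WORDS, min_len=4) -> bool:
    """True if any listed word of at least min_len letters appears as a
    case-insensitive substring, so 'Summer2024!' is still rejected."""
    low = pw.lower()
    return any(w in low for w in words if len(w) >= min_len)


def has_sequence(pw: str, run=3) -> bool:
    """Assumed heuristic: flag `run` identical characters ('aaa') or `run`
    consecutive ascending/descending codepoints ('abc', '321'), the building
    blocks of patterns such as Aaabbb123 and Abc123321."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(pw)
    if len(classes) < MIN_CLASSES:
        problems.append(f"only {len(classes)} of {MIN_CLASSES} required character classes")
    if contains_common_word(pw):
        problems.append("contains a dictionary/common word")
    if has_sequence(pw):
        problems.append("contains a repeated or sequential character pattern")
    return problems


if __name__ == "__main__":
    for candidate in ["Aaabbb123", "Summer2024!", "pass", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that "Aaabbb123" satisfies both the length and the three-class rules; it is rejected only by the pattern check, which is why the policy lists patterns separately from complexity.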
-
Password Protection Standards
- All users must enable multi-factor authentication (MFA) or two-factor authentication (2FA) on their accounts and keep it enabled at all times. [FII-SCF-012-IAC-10]
MFA/2FA Enabled users
- Users must use an MFA/2FA factor such as a security token, biometric authentication, or a one-time code sent to a trusted device as a required means of authentication. A password may not be used as the sole means of authentication.
- Always use different passwords for your Netspective Communications LLC accounts than for your personal accounts (e.g. personal ISP account, email, social networking, etc.).
- Do not share your Netspective Communications LLC usernames and passwords with anyone at any time. Treat all passwords as sensitive and confidential information.
- Never write down passwords or store them online without encryption.
- Do not disclose your passwords in electronic communications such as email or chat sessions.
- Always decline the use of any "Remember Password" feature. Some applications (e.g. Mozilla Firefox, Internet Explorer, FTP/SFTP clients) store saved passwords in plain text or in a form that is trivially recoverable by anyone with access to the device, which exposes them to compromise.
- If you suspect that your password has been compromised, change it immediately and report the incident to the CISO.
- The system will temporarily lock an employee's account after 5 unsuccessful login attempts. The employee must contact the DevOps team to have the account unlocked. [FII-SCF-012-IAC-10]
History of temporary disabled users list
Password protection
- All Netspective Communications LLC personnel must treat passwords as confidential information and must not share them with anyone. If someone asks you to share a password, decline the request and contact the system owner for assistance in provisioning an individual user account for that person.
- Do not write down passwords, store them in emails, electronic notes, or on mobile devices, or share them over the phone. If you need to store passwords electronically, use a password manager approved by IT. If a credential absolutely must be shared, share it through the designated password manager or grant access to the application through the single sign-on provider.
- Avoid using the "Remember Password" feature of applications and web browsers.
- If you suspect that a credential has been compromised, rotate the password in question immediately and notify the Engineering/Security team (contact@medigy.com).