Dec 21, 2024  
DMACC Policies and Procedures 

IS7025 - Password Security


Procedure

Section: INFORMATION SOLUTIONS PROCEDURES

SubSection: Information Security

Master List Section: Information Solutions

Purpose

User authentication is a means to control who has access to an information processing system and the card holder data environment. Controlling this access is necessary for all Non-Public Information. Access gained by a non-authorized entity can cause loss of information confidentiality, integrity and availability, which may result in loss of revenue, liability, or loss of trust in DMACC.

This password procedure shall ensure uniform password standards across DMACC and shall encourage all general users, and users with administrator or super user privileges, to follow good security practices in the selection and use of passwords.

Scope

This procedure applies to:

  • All general users and users with administrator or super user privileges who have access to information processing systems and assets that are owned or leased by DMACC

Procedure Statements

Access to sensitive information at DMACC shall be authenticated with a password and these must always be protected during their lifecycle including generation, delivery, storage, and usage.

General Password Requirements

Users shall be able to set and change their own passwords.

Systems and applications shall enforce password change on first login after a new account has been allocated.

Systems and applications shall also enforce password change after a password reset owing to forgotten password or any other reasons.

Password expiry shall be set for 180 days.

Password history shall retain at least the last 2 passwords, so that they cannot be reused.

System Components shall enforce complex passwords; for a password to be termed complex, it shall have, at minimum, a combination of the following characteristics:

  • Minimum length of eight (8) characters
  • Letters: upper- or lower-case letters (A, B, C … Z, a, b, c … z)
  • Western Arabic numerals (0, 1, 2 … 9)
  • Non-alphanumeric "special characters", for example punctuation or symbols (! @ # $ ^ * ( ) _ < > ? | { } - ~ = / \)

The account shall be locked out after five (5) failed password attempts. Locked-out accounts shall be re-enabled automatically after fifteen (15) to thirty (30) minutes. There shall be a provision for system administrators to re-enable a locked-out account manually during the thirty (30) minute lockout duration.

Beginning three (3) days prior to password expiry, the user shall be alerted by a system warning message on every login to change the password.

Passwords shall be encrypted when transmitted across any network.

The display and printing of passwords must be masked using asterisks, or otherwise obscured such that unauthorized parties will not be able to observe or subsequently recover them.

Passwords must not be logged or captured.

Usage of group and shared passwords is prohibited.

Passwords shall never be written down or stored in an unprotected fashion (including on mobile or similar devices) without encryption.

Passwords shall not contain whole or part of the user’s first or last name.

DMACC Technical Support shall carry out a proper identity verification check of the user before disseminating a new password in response to a password reset request.

The "Remember Password" feature of applications (e.g., web browsers, websites) shall not be used.

Sharing of passwords is not permitted under any circumstances.
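The general requirements above (minimum length and character classes, the two-password history, the rule against the user's name, and the five-attempt lockout with automatic re-enable) can be turned into a checkable control. The following is an added example written for this page, not DMACC's own code; the 30-minute lockout is an assumed value inside the 15 to 30 minute window the procedure allows, `now` is a plain Unix timestamp, and the password history is held in plaintext only to keep the illustration short.

```python
import re
MIN_LENGTH, HISTORY_DEPTH, MAX_FAILED_ATTEMPTS = 8, 2, 5   # from the procedure
LOCKOUT_SECONDS = 30 * 60   # assumed: procedure allows 15 to 30 minutes

def password_violations(password, first_name, last_name, history):
    """Return the rules a candidate password breaks (empty list means compliant).
    `history` lists the user's previous passwords, most recent first; plaintext
    is used for illustration only, a real system compares stored hashes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):   # punctuation or symbols
        problems.append("no special characters")
    # "whole or part of the user's name" is checked as the whole name, case-insensitively
    for name in (first_name, last_name):
        if name and name.lower() in password.lower():
            problems.append(f"contains user's name {name!r}")
    if password in history[:HISTORY_DEPTH]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems

class LockoutTracker:
    """Per-account consecutive-failure counter; `now` is a Unix timestamp."""
    def __init__(self):
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> timestamp of automatic unlock

    def is_locked(self, account, now):
        return now < self.locked_until.get(account, 0)

    def record_failure(self, account, now):
        """Count one failed login; returns True when the account is locked."""
        if self.is_locked(account, now):
            return True
        if account in self.locked_until:   # earlier lockout has expired: reset
            self.unlock(account)
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def unlock(self, account):
        """Manual re-enable by an administrator, also used for automatic unlock."""
        self.locked_until.pop(account, None)
        self.failures.pop(account, None)
```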

Requirements for Administrative/ Super User Privilege Accounts

A user account or service account that has "administrator" or "super user" privileges shall have a different password from all other accounts known by that user.

If an employee has dual roles as user and administrator or super user, whenever possible, the employee shall log into the account with the least privileges to perform their work.

In the event that a staff member who has privileged access is terminated or has resigned, the passphrase for the privileged access shall be changed on the same day. The DMACC IT Security Team (IST) shall be responsible for ensuring that the passphrase is changed on the same day.

All users with Administrator or super user privileges shall sign an undertaking to keep their passphrase confidential and to acknowledge liability for transactions done using their passwords.

First use & Password resets

First-time and reset passwords shall be delivered to the employee through DMACC Technical Support.

Temporary unique passwords shall be set for new accounts.

Temporary unique passwords shall be assigned when users request password resets.

Password requirements defined by this procedure are applicable to temporary passwords.

Users shall be forced to change the password at first login.

When changing a password, the user shall be prompted to re-enter the new password for verification.

Resetting Default Passwords

Default passwords shall be reset immediately on first initialization of any system, network or infrastructure device, or application, and these must be moved into production only after all default passwords have been changed.

System Boot password and Configuration password shall be in sync.

Storage of Administrative Account Passphrase & Emergency Usage

A centralized repository must be used by users with Administrator or super user privileges to manage the storage of administrative passphrases for multiple infrastructure devices and servers.

Access to the centralized password repository shall be maintained under the control of the DMACC IST. In case of emergency, access to the centralized repository must be granted in the following way:

  • Prior permission is taken from the DMACC IST.
  • In the absence or non-availability of the DMACC IST, the Executive Director, Information Solutions is responsible.
  • Log details regarding the use of repository passwords shall be maintained.

Compliance to Password Security Procedure

The DMACC IST may conduct offline password cracking and online password guessing testing for compliance monitoring on a periodic basis.

If a password is guessed or cracked during one of these scans, the user will be asked to change it.

Systems for which password requirements cannot be enforced due to system limitations shall be documented by Information Security.

Password Management System

DMACC shall try to implement a password management system.

The password management mechanism shall be authenticated by either the AD user account or a master key which is linked to certificate-based authentication.

The password repository database shall be encrypted using AES 256-bit encryption.

A good password management system shall:

  • enforce the use of individual user IDs and passwords to maintain accountability
  • allow users to select and change their own passwords and include a confirmation procedure to allow for input errors
  • enforce a choice of quality passwords
  • force users to change their passwords at the first log-on
  • enforce regular password changes and as needed
  • maintain a record of previously used passwords and prevent re-use
  • not display passwords on the screen when being entered
  • store password files separately from application system data
  • store and transmit passwords in protected form
