Password Management Policy

• Table of Contents

  • EDC Inc Password Management Policy
  • Policy Purpose
  • Scope
  • Policy
  • Password Creation
  • Password Protection
  • Password Change
  • Password Management Tools
  • Exceptions
  • Enforcement
  • Contacts
  • Summary

EDC Inc Password Management Policy

This policy outlines the requirements for creating, managing, and protecting passwords at EDC Inc. It applies to all individuals who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any EDC Inc facility, has access to the EDC Inc network, or stores any non-public EDC Inc information.

Policy Purpose

The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change. The policy’s goal is to ensure the security and privacy of EDC Inc’s information systems and data by preventing unauthorized access.

Scope

This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any EDC Inc facility, has access to the EDC Inc network, or stores any non-public EDC Inc information.

Policy

Password Creation

All user-level and system-level passwords must conform to the Password Construction Guidelines. Passwords are used for various purposes at EDC Inc. Some of the more common uses include: user level accounts, web accounts, email accounts, screen saver protection, voicemail password, and local router logins.

Password Protection

Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential EDC Inc information. Passwords must not be inserted into email messages or other forms of electronic communication.

Password Change

All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis. All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months. The recommended change interval is every four months.

Password Management Tools

EDC Inc has standardized on the use of Active Directory for password management. All IT departments, including IT Server Operations, IT Server Build Operations, IT-SOC, Corporate Physical Security, IT Security Operations, IT Monitoring Operations, IT Database Operations, and IT Audit and Compliance, are required to use this tool to manage their passwords.

Exceptions

Any exception to the policy must be approved by IT Security in advance. An “IT Exception” form must be submitted to IT Security for approval.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Contacts

• IT Server Operations: Responsible for OS patching and password management on servers.
• IT Server Build Operations: Responsible for initial password setup on new servers.
• IT-SOC (Incident management): Responsible for responding to password-related incidents.
• Corporate Physical Security: Responsible for physical security of servers and other hardware.
• IT Security Operations: Responsible for approving “IT Exceptions” and enforcing password policy.
• IT Monitoring Operations: Responsible for monitoring password policy compliance.
• IT Database Operations: Responsible for password management on databases.
• IT Audit and Compliance: Responsible for auditing password policy compliance.

Summary

EDC Inc’s Password Management Policy is designed to protect the integrity, availability, and confidentiality of our information systems and data. By adhering to this policy, we can ensure that our systems and data are protected from unauthorized access. This policy is enforced by IT Security Operations and compliance is monitored by IT Monitoring Operations and IT Audit and Compliance. Any exceptions to this policy must be approved by IT Security Operations.

3 comments