
CIT-02 Password Policy

The document outlines the Password Policy for Creative International Maintenance Co. (CMC), emphasizing the importance of strong password creation, protection, and management for all personnel with access to CMC systems. It specifies requirements for password complexity, expiration, and guidelines for password sharing and recovery, along with penalties for violations. The policy also includes provisions for remote access and application development standards to enhance security.

Uploaded by

Einnahr Efilym

CREATIVE INTERNATIONAL MAINTENANCE CO.
INSPECTION AND ENGINEERING MAINTENANCE SERVICES
PASSWORD POLICY
Issue date: SEP.16.2023
Revision Number: 00
Document Number: CIT-02

1.0 Overview
Passwords are an important aspect of computer security. They are the front line of
protection for user accounts. A poorly chosen password may result in a compromise
of CMC’s entire network. As such, all CMC employees (including contractors and
vendors with access to CMC systems) are responsible for taking the appropriate
steps, as outlined below, to select and secure their password.

2.0 Purpose
The purpose of this policy is to establish a standard for the creation of strong
passwords, the protection of those passwords, and the frequency of change.

3.0 Scope
The scope of this policy includes all personnel who have or are responsible for an
account (or any form of access that supports or requires a password) on any system
that resides at any CMC facility, that has access to the CMC network.

4.0 Acronym & Definition


CMC – CREATIVE INTERNATIONAL MAINTENANCE CO.
IT – Information Technology
VPN – Virtual Private Network
POC – Point of Contact: an individual or a department that handles communication
with customers. They serve as coordinators of information for an
activity or a project and act as an organization's representatives.

5.0 Policy

4.1 General
• All systems-level passwords (e.g., network administrator, application
administration accounts, etc.) must be changed at least every 90 days.
• All user-level passwords (e.g., email, web, desktop computer, etc.) must
be changed at least every 90 days and cannot reuse any of the past 12
passwords.
• Passwords must not be inserted into email messages or other forms of
electronic communication.
• All user-level and system-level passwords must conform to the guidelines
described below.
Guidelines:

Password Construction Requirements

1. Be a minimum length of eight (8) alphanumeric characters and special
characters on all systems.
2. Not be a dictionary word or proper name.
3. Not be the same as the User ID.
4. Expire within a maximum of 90 calendar days.
5. Not be identical to the previous twelve (12) passwords.
6. Not be transmitted in the clear or plaintext outside the secure location.
7. Passwords should not be displayed when entered.
8. Ensure passwords are only reset for authorized users.
9. If a password is guessed or entered incorrectly by the user in 10
attempts, the account will be locked out.
10. Screen savers should be set to lock automatically within 15 minutes of
inactivity.

4.2 Password Deletion

4.2.1 All passwords that are no longer needed must be deleted or disabled
immediately. This includes, but is not limited to, the following:

• When a user retires, quits, is reassigned, released, dismissed, etc.
• Default passwords shall be changed immediately on all equipment.
• Client/Contractor accounts, when no longer needed to perform their
duties.

4.2.2 When a password is no longer needed, the following procedures
should be followed:

• The employee should notify his or her immediate supervisor.
• CMC should inform the client's/contractor's point-of-contact (POC).
• The supervisor should fill out a CIT-02-F1 Password creation/deletion
form and send it to the client's/contractor's point-of-contact (POC).
• CMC must inform clients when employees provided with
client/contractor user credentials no longer need their access, or
are transferred, reassigned, retired, resigned or no longer
associated with CMC.
• An IT in-charge will check to ensure that the password has been
deleted and the user account has been deleted or suspended.
• The CIT-02-F1 Password creation/deletion form will be filed in a
secure filing system.

4.3 Password Protection Standards

Do not use your User ID as your password. Do not share CMC passwords with
anyone, including administrative assistants or secretaries. All passwords are
to be treated as sensitive, Confidential CMC information.

Here is a list of “don’ts”:

• Don’t reveal a password over the phone to anyone.
• Don’t reveal a password in a mail message.
• Don’t reveal a password to the boss.
• Don’t talk about a password in front of others.
• Don’t hint at the format of a password (e.g., “my family name”).
• Don’t reveal a password on questionnaires or security forms.
• Don’t share a password with family members.
• Don’t reveal a password to a co-worker while on vacation.
• Don’t use the "Remember Password" feature of applications and web
browsers.
• Don’t write passwords down, electronically store, or disclose any password
or authentication code that is used to access assets & critical facilities.
• Don’t store passwords in a file on ANY computer system unencrypted.
• Don’t disclose client/customer policies, procedures and standards, or any
type of data, to unauthorized entities or on the internet.
• Don’t use personal email to share and transmit client/customer data.

If someone demands a password, refer them to this document or have them
call the IT Department.

If an account or password is suspected to have been compromised, report the
incident to the IT Department or the client/customer POC and change all passwords.

Multi-factor authentication must be enforced on all remote access, including
access from the internet, to CMC company computing resources.

Multi-factor authentication must be enforced on all Cloud service access,
including access to cloud-based email.

4.4 Application Development Standards

Application developers must ensure their programs contain the following
security precautions:

• Should support authentication of individual users, not groups.
• Should not store passwords in clear text or in any easily reversible form.
• Should provide some sort of role management, such that one user can take
over the function of another without having to know the other’s password.

4.5 Remote Access Users

Access to the CMC networks via remote access is to be controlled by using
either a Virtual Private Network (in which a password and user ID are required)
or a form of advanced authentication (e.g., Biometrics, Tokens, Certificates,
etc.).

4.6 Password Recovery

• If a company email account or password has been forgotten, report the
incident to the IT Department for a password reset. The IT Department shall send a
temporary password, which shall be changed by the company user after
successful login.
• If a company device/computer password has been forgotten, report the
incident to the IT Department for a password reset. The IT Department shall send a
temporary password, which shall be changed by the company user after
successful login.

6.0 Penalties

Any employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.

7.0 Key Relevant Documents and Records

CIT-01 Acceptable Usage Policy
CIT-03 Asset Management Policy
CIT-04 Third Party & Contractor Access Policy
CIT-06 Remote Access Policy
CIT-07 Data Sanitization Policy
CIT-01-F1 Password Creation/Deletion Form

8.0 Revision History

Rev. | Date        | Nature of Changes | Approved By
00   | SEP.16.2023 | Initial release   | ABDUL MOHSIN