KMZ Data Center Password Policy

KMZ: Khan Muhammad Zohaib
DC: KMZ Headquarters DC
BCP: Business Continuity Plan
SLA: Service Level Agreements
HoD: Head of Department
Anti-X: Anti-Virus, Anti-Malware, Anti-Spam, Firewalls etc.
IT Security: Information Technology Security Team
DLP: Data Leakage/Loss Prevention

2 Abstract
This document contains the policies and procedures that concern password security and usage within the KMZ. While some of the policy items can be enforced by operating system configuration, it is important for all users to recognize and follow these procedures to ensure the security of the information resources.
The document also describes audit requirements in terms of approvals and log records, to enable cross-checks on account and password creation, modification and deletion.
3 Introduction
3.1 Background
Access to computing resources and data at the KMZ is controlled by user account identifiers (User-IDs) and passwords. This is the primary identification process. The identification process is one of the most important components of the information security policy, and is required to ensure protection of information and technology systems.
3.2 Objectives
In order to ensure correct usage of accounts, linked to individual biometric parameters and to passwords, all users are required to understand the security ID and password policy and then submit a request that grants them use of the given account and its associated privileges.

Password Policy

3.3 Readership
All staff of the KMZ must be familiar with and follow the procedures outlined here to help ensure protection of information resources and systems. In particular, Network and Infrastructure Division (DC technical support) staff are required to implement as much control over password structure within the operating systems as possible.
4 Policy
The biometric fingerprint identifier is the key part of the user authentication process; the password is used as the identification method. The identity of each individual who accesses KMZ information must be verified before any access is granted. This identification is performed using the passwords used with KMZ systems.
The following rules govern an individual’s identification and the password policy:

1. Systems shall be set to lock out further logon attempts for at least 15 minutes after five consecutive failed username or password attempts have occurred.
2. The logon sequence provided by each operating system will require the entry of the User ID and password, each at appropriate prompts.
3. Security audit must be enabled on each operating system to record the following security alerts:
a. Logon and Logoff events – success and failure
b. Resetting of passwords
c. Changing any of the user attributes (e.g. Windows user profile)
4. All user-level passwords shall have the following characteristics:
a. A minimum length of 8 non-blank printable characters, drawn from at least 3 of the following 4 character sets:
i. English upper case.
ii. English lower case.
iii. Numeric characters (0 through 9).
iv. Special (printable) characters.
b. Users are empowered to change their own passwords; the maximum password age is 60 days.
c. Users are allowed and encouraged to select passwords longer than 8 characters if they wish.
d. If a password needs to be sent across the network, it must be encrypted/hashed.
e. If shared passwords are authorized in exceptional circumstances, they must be changed promptly whenever one of the users ceases to be authorized to use them.


f. The auto-complete option of web browser forms must be disabled. Passwords must not be saved in web browser forms, or in any kind of tool or software used to access critical information resources.
g. Passwords, or other information that might assist unauthorized access, must not be left at computer terminals or printers.
h. Passwords must not be recorded in audit trails or logs.
5. All passwords for core/critical servers and devices shall have the following characteristics:
a. A minimum length of 10 non-blank printable characters, drawn from at least 3 of the following 4 character sets:
i. English upper case.
ii. English lower case.
iii. Numeric characters (0 through 9).
iv. Special (printable) characters.
v. No dictionary words or easily guessable words (e.g. myname12345678).
b. Administrators are empowered to change the passwords; the maximum password age is 14 days.
c. The administrative credentials for servers and critical services must never be saved in any kind of administrative tool or software.
d. Sharing of administrative passwords for critical servers and network devices is strictly prohibited.
e. A logon banner must be displayed to inform the user logging in that access is restricted to authorized people only.
f. The passwords of servers, critical services and network devices must always be kept in the safe cabinet. Cabinet access is allowed to only two persons (IT Manager and ISO).
g. Passwords must be sealed in envelopes before being placed in the safe cabinet.
h. Each password must be cross-checked before it is sealed.
6. If a password needs to be shared over the network, it must be ensured that the file is password-protected or encrypted.
7. Passwords used within KMZ systems must not be used on other systems outside the KMZ.
8. Passwords (and thus accounts) must not be shared with others.
9. Passwords must not be stored in readable form in batch files or other locations without special security precautions that take this requirement into account.
10. All service vendor default passwords must be disabled upon completion of on-site system service.


11. If a suspected disclosure of passwords has occurred, all involved account passwords shall be immediately changed, the users informed and the action entered in the Account Logbook.
12. When a user calls for a password reset, the relevant person will call the user back to confirm their request before proceeding.
13. New passwords will be issued in a state that requires them to be changed when the user logs on to the system for the first time.
14. All above policies are applied to the following operating environments:
i. Windows Passwords,
ii. Screen Saver Passwords and
iii. Password secured applications.
15. Any application that implements its own username and password routines must also comply with the above policies. It is the sole responsibility of the Applications Administrator and the users of the application to adhere to the above policies.
16. In the DC, any staff member who uses a privileged account must have a second, normal, non-privileged account for daily operations that do not require special privileges.
17. In the DC, any staff member who requires a privileged account shall be granted only the privileges appropriate to carry out their assigned duties.
18. System and Administrator level accounts must be held and used only by the Windows Administrator and must not be shared with others.
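As an added illustration (not part of the original policy document), the following Python check applies the composition rules of items 4a and 5a: minimum length (8 for user-level, 10 for core/critical accounts), non-blank printable characters only, at least 3 of the 4 character sets, and for critical accounts a rejection of dictionary words and easily guessable sequences such as the policy's own myname12345678 example. The word list and the ascending-digit heuristic are constructed assumptions for this example; a real deployment would load a full dictionary.

```python
import string

# Constructed sample word list for the example; a real deployment would load a full dictionary file.
DICTIONARY_WORDS = {"password", "admin", "name", "welcome", "server", "letmein"}

# The four character sets named in the policy (ASCII English letters, digits, printable specials).
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SPECIAL = set(string.punctuation)


def character_sets_used(password):
    """Return how many of the four character sets appear in the password."""
    chars = set(password)
    return sum(1 for s in (UPPER, LOWER, DIGITS, SPECIAL) if chars & s)


def looks_guessable(password):
    """Flag dictionary words and runs of five or more ascending digits (e.g. 'myname12345678')."""
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        return True
    run = 1
    for a, b in zip(lowered, lowered[1:]):
        if a.isdigit() and b.isdigit() and ord(b) - ord(a) == 1:
            run += 1
            if run >= 5:  # assumption: five consecutive ascending digits count as guessable
                return True
        else:
            run = 1
    return False


def check_password(password, critical=False):
    """Return the list of policy violations; an empty list means the password is compliant.

    critical=False applies item 4a (user-level); critical=True applies item 5a (core/critical)."""
    minimum = 10 if critical else 8
    problems = []
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    # "non-blank printable": reject whitespace, control characters and non-ASCII (assumption).
    if any(c.isspace() or not c.isprintable() or ord(c) > 126 for c in password):
        problems.append("contains blank or non-printable characters")
    if character_sets_used(password) < 3:
        problems.append("uses fewer than 3 of the 4 character sets")
    if critical and looks_guessable(password):
        problems.append("dictionary word or easily guessable sequence")
    return problems
```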

5 Password Creation and Use
1. Every user account must be created using the Account Maintenance Form (AMF) or requested through the security manager (software); the request must be signed by the user and the user's Manager or IT Coordinator.
2. On receipt of the new password, the user must sign the AMF, a copy of which is maintained by the Network and Infrastructure Division.
3. All user access to KMZ information systems and network systems must be via the user's own allocated account.
4. All account passwords must be memorized, never written down.

6 Password Modification
Occasionally DC Technical Support may be called upon to reset a user's password (e.g. a user changes their password just before going on vacation and cannot remember it on returning). The following procedure must be followed whenever DC Technical Support (Technical Operations) has to reset a user's password:
1. The operator must verify that the user requesting the password reset is the actual owner of the account.


2. The operator sets a new password for the account. The password must be pre-expired so that the user is forced to change it at the first logon attempt after the reset.
3. If the password is not reset in the presence of the account owner, it will be passed to the owner verbally or by telephone within the KMZ building only.
4. Passwords are not to be shared with others; this practice is not allowed. If temporary access to an account is required by someone other than the account owner (e.g. a secretary on vacation), an email must be sent by the relevant IT Coordinator or Department Manager.
5. When a temporary password is in use, the system should disable the option for the user to update the biometric (fingerprint) details for that account.
7 Audit Requirements
All requests must be logged in the security management software and kept available for audit at any time by:
1. Manager, KMZ
2. Network and Infrastructure Manager KMZ
3. Information Security Auditor
Or by:
4. Internal Audit or
5. External Auditors, on written request to KMZ Manager