
ISO 27001 Recommended controls for Password policy

==================================================
A.9.2.4
Allocation of secret authentication information
Allocation of secret authentication information shall be controlled through a formal management process.

A.9.3.1
Use of secret authentication information
Users shall be required to follow the organization's practices in the use of secret authentication information.

A.9.4.2
Secure log-on procedures
Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

A.9.4.3
Password management system
Password management systems shall be interactive and shall ensure quality passwords.
-----------------------------------------------------------------------------
Suggested password policy
=========================
Enforce password history
Enforce maximum password age / enforce password expiry
Enforce minimum password length
Enforce password complexity requirement
If the password is forgotten, what should a user do? Enforce a forgotten-password procedure
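An added example (not part of this document or of ISO 27001) of how the first four policy settings above could be enforced in code when a user chooses a new password. The numeric values (12-character minimum, 5 remembered passwords, 90-day expiry, three of four character classes) are assumed for illustration, since the document lists the controls but not the numbers; previous passwords are kept only as salted hashes, never in clear text.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Assumed policy values for illustration; the document does not specify them.
MIN_LENGTH = 12          # enforce minimum password length
HISTORY_DEPTH = 5        # enforce password history: last N passwords cannot be reused
MAX_AGE_DAYS = 90        # enforce maximum password age / expiry
COMPLEXITY_CLASSES = 3   # enforce complexity: at least 3 of 4 character classes
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; the history stores only (salt, digest) pairs."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, entry):
    """Constant-time comparison of a candidate against one stored history entry."""
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def complexity_score(password):
    """Number of character classes (lower, upper, digit, punctuation) present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(c in cls for c in password) for cls in classes)


def check_new_password(candidate, history):
    """Return the list of violated controls for a proposed password (empty = accepted)."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("minimum length")
    if complexity_score(candidate) < COMPLEXITY_CLASSES:
        violations.append("complexity")
    if any(matches(candidate, entry) for entry in history[-HISTORY_DEPTH:]):
        violations.append("history")
    return violations


def password_expired(last_changed, today=None):
    """True when the password is older than the maximum age and must be changed."""
    today = today if today is not None else date.today()
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)
```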
Suggestions about password security for end users (should be part of the policy, as employees should follow the recommendations below)
=================================================
Do not use the same password for official accounts as for other non-official access (e.g., personal ISP account, option trading, benefits, etc.). Wherever possible, do not use the same password for various official access needs. For example, select one password for the QCQA and a separate password for system login.
Do not share official passwords with anyone. All passwords are to be treated as sensitive, confidential official information.
Do not reveal a password over the phone to ANYONE.
Do not reveal a password in an email message.
Do not reveal a password to the boss.
Do not talk about a password in front of others.
Do not hint at the format of a password (e.g., "my family name").
Do not reveal a password on questionnaires or security forms.
Do not share a password with family members.
Do not reveal a password to co-workers while on vacation.
Do not use the "Remember Password" feature of applications.
Do not write passwords down and store them anywhere in your office.
Do not store passwords in a file on ANY computer system.
If an account or password is suspected to have been compromised, report the incident to the Network Administrator and change all the passwords.
--------------------------------------------------------------------------------

Use a password storage system:

- KeePass (open source)
- LastPass (free for desktop and $12/year for mobile)

Other recommendations:
- Password Genie ($19.95/year)
- SplashID ($19.95 for desktop and $9.95 for mobile)
--------------------------------------------------------------------------------