Network Password Management Policy & Procedures [Not Protectively Marked]
Network Password Management
Policy & Procedures
Document Control Information
Document Ref: ISO 27001 – Section 11
Issue No: Version 1.3
Issue Date: April 2009, June 2010, September 2011
Status: FINAL
Approved By: ICT Control Environment Group
Next Review Date: September 2012
Author: Janette Pashley
Service: Business Change & Process Management
Distribution: ICTCE Group; ICT Liaison Group; ICT Service – Iain Bowie & Pam Plant; Internal Audit Service – Andrew Metcalfe; Human Resources – Vyvian Lewis
CONTENTS
1. Policy Statement
2. Purpose
3. Scope
4. Definition
5. Risks
6. Applying the Policy
6.1 Choosing a Password
6.2 Password Construction
6.3 Password Protection
6.4 How do I change my Network Password?
6.5 What do I do if I am locked out of my PC or have forgotten my password?
7. Roles and Responsibilities
8. Policy Compliance
9. Review
10. Associated References
11. Change History
1. Policy Statement
1.1 In order to strengthen the security and confidentiality of information, the Council has established specific requirements for protecting information and information systems against unauthorised access.
2. Purpose
2.1 Information security is the protection of information against accidental or malicious disclosure, modification or destruction. Information is an important, valuable asset of Calderdale Council which must be managed with care. All information has a value to the Council. However, not all of this information has an equal value or requires the same level of protection.
2.2 Access controls are put in place to protect information by controlling who has the rights to use different information resources and by guarding against unauthorised use.
Key Messages
- All users must use strong passwords.
- Passwords must be protected at all times and must be changed at least every 90 days.
- User access rights must be reviewed at regular intervals.
- It is a user's responsibility to prevent their user ID (LID) and password being used to gain unauthorised access to Council systems.
- Partner agencies or 3rd party suppliers must not be given details of how to access the Council's network without permission from the Corporate Information Manager and Head of Business Change & Performance Management.
2.3 The management and security of passwords is an important element in protecting against the unauthorised access to Council Information systems.
2.4 The purpose of this policy is to establish a standard for the creation of 'strong' passwords, the protection of those passwords, and the frequency of change.
3. Scope
3.1 Passwords are used to protect all information systems. Users must be aware that all system authentication credentials assigned to them are for their own use. Authentication credentials must not be shared or disclosed to any third party, other than authorised system support personnel.
3.2 This policy applies to all Councillors, Committees, Departments, Partners, Council employees, contractual third parties and agents of the Council who use Calderdale Council provided ICT facilities and equipment, or have access to, or custody of, Calderdale Council information.
3.3 All users must understand and adopt/use this policy and are responsible for ensuring the safety and security of the Council's systems, information and data that they use.
3.4 All users have a role to play and a contribution to make to the safe and secure use of technology and the information/data that it holds.
4. Definition
4.1 Access control rules and procedures are required to regulate who can access Calderdale Council information resources or systems and the associated access privileges. This policy applies at all times and should be adhered to whenever accessing the Council's information in any format, and on any device.
5. Risks
5.1 Calderdale MBC recognises that there are risks associated with users accessing Council systems in order to conduct official Council business.
5.2 Passwords are an important aspect of computer system security. They are the first line of protection for user accounts. A poorly chosen password may result in a potentially serious breach in network and systems security, resulting in:-
- Loss or exposure of sensitive data.
- Compromising of the system and/or other network systems.
5.3 Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers.
6. Applying the Policy
6.1 Choosing Passwords
6.1.1 Passwords are the first line of defence for our ICT systems and together with the user ID (LID) help to establish that people are who they claim to be.
6.1.2 A poorly chosen or misused password is a security risk and may impact upon the confidentiality, integrity or availability of the Council's computers and systems.
6.2 Password Construction
6.2.1 Strong passwords MUST have a minimum of seven characters and consist of characters from three of the following groups:-

Group                                                         Examples
Uppercase characters                                          A, B, C ...
Lowercase characters                                          a, b, c ...
Numerals                                                      0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Symbols (all characters not defined as letters or numerals)   ! " £ $ % ^ & * ( ) _ + - = { } [ ] : @ ~ ; ' # | < > ? \ , . /
6.2.2 Passwords must never be written down or stored on the computer. Create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember", and the password could be "TmB1w2R" or "TmB1W(R)", or a variation following the guidelines above.
6.2.3 Passwords will require to be changed every 90 days and the same password cannot be re-used within 20 password changes.
6.3 Password Protection
6.3.1 Passwords are effective only if they remain undisclosed to other people, are changed regularly and are sufficiently sophisticated to render them difficult to be 'cracked'.
6.3.2 The guidance below constitutes good password management practice for each individual, designed to protect both themselves and the Council's data.
An important objective when choosing a password is to make it as difficult as possible for a would-be intruder to make educated guesses about what you have chosen. In order to ensure you protect your passwords some guidelines are:-
- Never share your Council passwords with anyone, including administrative staff or secretaries.
- Do not use your Council passwords for non-Council accounts.
- Don't use your user ID (LID number) to form part of your password.
- Don't use your first or last name or your spouse's/partner's/child's or pet's name to form part of your password.
- Don't use other information easily obtained about you, for example licence plate numbers, telephone numbers, social security numbers, the brand of your vehicle, the name of the street you live on, etc.
- Don't reveal a password over the telephone, or in an email message.
- Don't talk, hint or reveal a password in front of others, on questionnaires or security forms, or to co-workers.
- Don't use the "Remember Password" feature of applications, e.g. Web browsers, Outlook etc.
- Don't write passwords down and store them in your office or in a file on ANY computer system (including mobile equipment e.g. laptops, USB memory sticks, CDs).
- Where temporary staff are required to have access to systems, upon service authorisation they will be issued with their own ID and password. Once the temporary staff member has left the Council, ICT Service MUST be notified in order for access to be deleted.
- If you suspect or have reason to believe that your account or password has been compromised, then change it immediately and report this to your Head of Service.
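A checker for the rules in sections 6.2 and 6.3 above, added here as an illustration and not part of the Council's policy or tooling: it applies the 6.2.1 length and character-group rule, the 6.2.3 ban on re-using any of the last 20 passwords, and the 6.3.2 rule that the user ID (LID) and personal names must not form part of the password. The SHA-256 history fingerprint and the sample LID are assumptions for the example; a real directory would compare against its own stored password hashes.

```python
import hashlib

MIN_LENGTH = 7       # 6.2.1: minimum of seven characters
MIN_GROUPS = 3       # 6.2.1: characters from three of the four groups
HISTORY_DEPTH = 20   # 6.2.3: no re-use within 20 password changes

def character_groups(password):
    """Return the set of 6.2.1 character groups the password draws from."""
    groups = set()
    for ch in password:
        if ch.isalpha() and ch.isupper():
            groups.add("uppercase")
        elif ch.isalpha() and ch.islower():
            groups.add("lowercase")
        elif ch.isdigit():
            groups.add("numerals")
        else:
            # 6.2.1 defines a symbol as any character not defined as a letter or numeral.
            groups.add("symbols")
    return groups

def fingerprint(password):
    """Assumed history fingerprint for this example (not a password-storage hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def check_password(password, user_id="", personal_names=(), previous_fingerprints=()):
    """Return the list of policy rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters (6.2.1)" % MIN_LENGTH)
    groups = character_groups(password)
    if len(groups) < MIN_GROUPS:
        problems.append("uses only %d of the 4 character groups (6.2.1)" % len(groups))
    lowered = password.lower()
    # 6.3.2: neither the LID nor a first/last/family/pet name may form part of the password.
    for detail in (user_id,) + tuple(personal_names):
        if detail and detail.lower() in lowered:
            problems.append("contains personal detail %r (6.3.2)" % detail)
    # 6.2.3: only the most recent 20 fingerprints count, so an older password may return.
    if fingerprint(password) in list(previous_fingerprints)[-HISTORY_DEPTH:]:
        problems.append("re-used within the last %d changes (6.2.3)" % HISTORY_DEPTH)
    return problems

if __name__ == "__main__":
    # Constructed inputs: the policy's own 6.2.2 example passwords plus a made-up LID.
    for candidate in ("TmB1w2R", "TmB1W(R)", "password", "lid12345x!"):
        print(candidate, "->", check_password(candidate, user_id="LID12345") or "OK")
```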
6.4 How do I Change my Network Password?
6.4.1 You are required to change your password every 90 days, and 14 days before your password is required to be changed a reminder will appear on log on.
6.4.2 Before the password expiry date, think about what password you intend to use; see section 6.2 above, Password Construction, for guidance.
6.4.3 However, if you suspect another user knows your password you must change it immediately.
a) In order to change your password use Ctrl + Alt + Delete and the option 'Change Password'; the following template will appear:
b) Enter your current password (Old Password), then enter your New Password, confirm it in the Confirm New Password box and select OK.
6.5 What do I do if I am locked out of my PC or have forgotten my Password?
a) Should a user become locked out of their computer (because they have entered an incorrect password more than five consecutive times) or have forgotten their password:
b) The unlocking of the account and/or resetting of a user's password can only be carried out after receipt of authorisation from their line manager.
c) Your line manager will have to e-mail the ICT Service Desk [email protected] detailing the name of the user, their LID and extension number of the user's account to be either unlocked (should the user remember their password) or reset.
d) Failure to supply any of the above information could result in delays with the user regaining access.
e) Where a password reset is required the user will be informed by the ICT Service Helpdesk, by telephone, of their new password.
NOTE: The user should change their password to one of their choice upon password reset.
7. Roles and Responsibilities
7.1 Procedures have been established in 6.1 to 6.5 above to provide guidance on all user access to Council systems.
a) The Chief Executive has ultimate responsibility for compliance with this policy.
b) The ICTCE Group is responsible for detailing and reviewing the procedures in respect of password management controls.
c) Heads of Service and Service Managers are responsible for ensuring that their staff clearly understand and adhere to this policy and receive training to help maintain security and confidentiality of information. They are the first line of contact if an account or password is suspected to have been compromised.
d) All employees, contractors and third party users are required to adhere to the policy's principles and procedures.
e) The Democratic & Partnership Services, Corporate Information Manager is responsible for:-
- Reporting loss of sensitive personal data to the Information Commissioner.
- Providing a point of contact for the reporting of the loss of Council information/data.
f) Head of Business Change & Performance Management - ICT Services is responsible for:-
- Monitoring the ICT infrastructure.
- Dealing with user access controls gained from Head of Service or Service Managers' notifications.
- Reporting relevant security breaches to GovCertUK and the Local Authority WARP (Warning, Advice and Reporting Policy).
g) The Head of Human Resources is responsible for:-
- Providing advice to Council management in respect of disciplinary matters where it is suspected that the Council's Policies have been breached.
- Detailing and reviewing the procedure in respect of the ICTCE Code of Practice.
h) The Assistant Head of Finance (Internal Audit, LMS, Insurance and Risk Management) is responsible for:-
- Carrying out a preliminary investigation into reported incidents involving misuse, fraud & corruption of Council ICT equipment and information/data and, subject to reaching a satisfactory conclusion, authorising any forensic investigation process.
- Providing a point of contact for the reporting of potential misuse, fraud and corruption.
8. Policy Compliance
8.1 It will be a breach of this policy for any user to misuse their [or other users'] authentication credentials. If any such misuse results in a user knowingly elevating their system privileges above those that they have been authorised to use, this will be considered an act of gross misconduct.
8.2 If you do not understand the implications of this policy or how it may apply to you, seek advice from the Head of Business Change and Performance Management - ICT Service.
9. Review
The ICT Control Environment is the owner of this document and is responsible for ensuring that this document is reviewed on a yearly basis.
A current version of this document and related documents will be available to all members of staff on the corporate intranet and is published.
This document has been approved by the ICT Control Environment on 20th September 2011 and is issued on a version controlled basis.
10. Associated References
The following Calderdale documents are directly relevant to this policy:
- Policy on Internet & E-mail Usage
- ICT Code of Practice for Employees
- ICTCE Standard on the Download of Software
- Remote and Mobile Working Device Policy
- Physical & Environmental Security Policy
- ICT Information Security Incident Reporting Procedure
- Reporting the loss of laptops, Blackberrys and personal data
- ICT Information Security Incident Management Procedures
- Information Governance Incident Reporting - Breach of Non-Technical Data
- Anti Fraud & Corruption Standards & Rules
- Whistle Blowing Policy
- Data Protection Policy
- Information Protective Marking Policy
11. Change History
Rev   Rev Date    Rev By       Issue Date        Description
1.0   -           J. Pashley   17th March 2009   Amendments made by Internal Audit before submission
1.2   June 2010   J Pashley    June 2010         Slight amendments added to achieve layout consistency
1.3   July 2011   J Pashley    September 2011    Minor word changes to section 6.3.2