- Policy
2.1 Password creation
- All user-level and system-level passwords must conform to the Password Construction Guidelines.
- Users must use a separate, unique password for each of their work-related accounts. Users may not
use any work-related passwords for their own, personal accounts. - User accounts that have system-level privileges granted through group memberships or programs
such as Sudo must have a unique password from all other accounts held by that user to access
system-level privileges. In addition, it is highly recommended that some form of multi-factor
authentication is used for any privileged accounts.
2.2 Password change - Passwords should be changed only when there is reason to believe a password has been
compromised. - Password cracking or guessing may be performed on a periodic or random basis by the DataTrust
team or its delegates. If a password is guessed or cracked during one of these scans, the user will
be required to change it to be in compliance with the Password Construction Guidelines.
2.3 Password protection - Passwords must not be shared with anyone, including supervisors and co-workers. All passwords
are to be treated as sensitive, confidential DataTrust information. Corporate information security
recognises that legacy applications do not support proxy systems in place. Please refer to the
technical reference for additional details. - Passwords must not be inserted into email messages, alliance cases or other forms of electronic
communication, nor revealed over the phone to anyone.
DataTrust: Password Protection Policy 4 / 5
Updated: 21-04-2022 - Passwords may be stored only in ‘password managers’ authorised by the organisation.
- Do not use the ‘Remember Password’ feature of applications (for example, web browsers).
- Any user suspecting that his/her password may have been compromised must report the incident
and change all passwords.
2.4 Application development
Application developers must ensure that their programs contain the following security precautions: - Applications must support authentication of individual users, not groups.
- Applications must not store passwords in clear text or in any easily reversible form.
- Applications must not transmit passwords in clear text over the network.
- Applications must provide for some sort of role management, such that one user can take over the
functions of another without having to know the other’s password.
2.5 Multi-factor authentication
Multi-factor authentication is highly encouraged and should be used whenever possible, not only for work
related accounts but personal accounts also
Leave a Reply