Hello and welcome to this continued IT Security Policy training from Cybrary. This is module two, password management policy, and I am Troy Lemaire.
Learning objectives for this training will be password creation, password change, password protection, application development, and multi-factor authentication.
Again, we're going to use another SANS policy template, this one on password protection policy.
The overview: passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of our resources.
The purpose of the policy is to establish a standard for the creation of strong passwords and the protection of those passwords.
The scope of the policy includes all personnel who have, or are responsible for, an account on any system that resides at any facility that is owned by the company.
So let's get into the body of the policy.
All user-level and system-level passwords must conform to the password construction guidelines; that will be our next training, where we will talk about that.
Users must use a separate, unique password for each of their work-related accounts. Users may not use any work-related passwords for their own personal accounts.
So this is where you're going to have to have some type of leeway in regards to unique passwords for each of their work-related accounts. Basically, some accounts may have to be the same because they may have to link together, so you're going to have to modify that as needed. And then, any work-related passwords for their own personal accounts: you definitely don't want them using that.
There are situations where you have sites outside of your work environment, such as LinkedIn or Adobe, that have gotten hacked. So if that user uses the same password, password123 as an example, on their work-related accounts and then also uses it for LinkedIn and Adobe, well, those accounts have been hacked, and so therefore those credentials and passwords are public now, and it'll make it easier for someone to be able to hack into the work accounts. So you want to make sure that there is no relation whatsoever between their work passwords and their personal account passwords, even if it is a work-related personal account.
User accounts that have system-level privileges granted through group memberships, such as sudo or any type of admin, must have a unique password from all other accounts held by that user to access system-level privileges.
Basically, most organizations will have a user account, and then they will have an admin account. Those accounts are different, and those passwords should be different as well. You don't want the same person using the same password for both accounts, because it'll be easy to get those, and somebody would be able to go into that account and gain administrative access if they're able to get their normal access.
In addition, it is highly recommended that some form of multi-factor authentication is used for any privileged accounts.
Password changes. Passwords should be changed only when there is a reason to believe a password has been compromised. That's the type of thinking that is out there in the newer guidance.
Sometimes you have certain systems where you want to mandate a certain time frame: 30 days to change your password, 60 days to change your password, 90 days to change your password, so that they aren't keeping the same password in the system for an extended period of time.
Password cracking or guessing may be performed on a periodic or random basis by the InfoSec team or its delegates. If passwords are guessed or cracked, then the users will be required to change them to be in compliance with the password construction guidelines.
Password protection. Passwords must not be shared with anyone, including supervisors and co-workers. They should be treated as sensitive and confidential.
Passwords must not be inserted into email messages. Passwords may be stored only in password managers that are authorized by the organization, and do not use the "remember password" feature of applications, for example web browsers. Any user suspecting that his or her password may have been compromised must report the incident and change all passwords.
In regards to application development, application developers must ensure their programs contain the following security precautions.
Applications must support authentication of individual users, not groups. Applications must not store passwords in clear text. Applications may not transmit passwords in clear text over the network. Applications must provide for some sort of role management so that one user can take over the functions of another without having to know the other's password.
That's all based on the type of information out there. The idea here for application development is that if you did not follow these rules, it would be very easy for somebody to be able to hack, crack, or guess these passwords because of the format in which they're being passed to this application.
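As an added example (this is not code from the training or from the SANS template), the following Python sketch puts the four application-development rules above side by side in one small user store: a clear-text store of the kind the policy forbids, then a store that authenticates individual users against salted scrypt hashes, compares them in constant time, and handles "covering for a colleague" through role grants rather than shared passwords. The usernames, passwords, role names and scrypt cost parameters are constructed for the example; the "no clear text over the network" rule is a transport concern (the login endpoint must sit behind TLS) and is only noted in a comment.

```python
"""Added example, not part of the original training: a minimal user store
illustrating the policy's application-development rules.  All users, roles,
passwords and cost parameters below are constructed sample values."""
import hashlib
import hmac
import os

# --- What the policy forbids: a clear-text password store -------------------
# Anyone who can read this mapping (a log dump, a backup, an injected query)
# holds every password, and because people reuse passwords, likely their
# personal accounts too.  Constructed sample; shown only as the "before".
CLEARTEXT_STORE = {"alice": "password123"}


# --- What the policy asks for -----------------------------------------------
class UserStore:
    """Per-user accounts (no shared or group logins), salted password hashes,
    and role-based delegation so one user can cover another's function
    without ever learning that person's password.

    Transport note: the password still has to reach this code; the login
    endpoint that calls authenticate() must only be served over TLS so the
    clear-text password never crosses the network unprotected."""

    # scrypt cost parameters (assumed values for the example: CPU/memory cost,
    # block size, parallelism).  Tune to your hardware in real deployments.
    _N, _R, _P = 2 ** 14, 8, 1
    _DUMMY_SALT = b"\x00" * 16

    def __init__(self):
        # username -> {"salt": bytes, "hash": bytes, "roles": set[str]}
        self._users = {}

    def _derive(self, password: str, salt: bytes) -> bytes:
        # Memory-hard KDF from the standard library; the salt makes identical
        # passwords produce different stored hashes.
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=self._N, r=self._R, p=self._P, dklen=32)

    def add_user(self, username: str, password: str, roles=()) -> None:
        salt = os.urandom(16)  # fresh random salt per user
        self._users[username] = {
            "salt": salt,
            "hash": self._derive(password, salt),
            "roles": set(roles),
        }

    def authenticate(self, username: str, password: str) -> bool:
        """Authenticate one individual user; constant-time hash comparison."""
        rec = self._users.get(username)
        if rec is None:
            # Run the KDF anyway so an unknown username costs the same time
            # as a wrong password (no username enumeration via timing).
            self._derive(password, self._DUMMY_SALT)
            return False
        return hmac.compare_digest(rec["hash"], self._derive(password, rec["salt"]))

    def grant_role(self, username: str, role: str) -> None:
        """Role management: delegate a function by granting a role, not a password."""
        self._users[username]["roles"].add(role)

    def can_act_as(self, actor: str, role: str) -> bool:
        """True if the actor may perform the function represented by `role`."""
        rec = self._users.get(actor)
        return rec is not None and role in rec["roles"]

    def stored_in_clear(self, username: str, password: str) -> bool:
        """Reviewer's check: the literal password must not appear in storage."""
        rec = self._users[username]
        return password.encode("utf-8") in (rec["salt"] + rec["hash"])


def demo() -> dict:
    """Build a store with constructed users and return the checks a reviewer
    would want to see pass."""
    store = UserStore()
    # Two users deliberately given the same password to show that the salt
    # still yields different stored hashes.
    store.add_user("alice", "correct horse battery staple", roles={"payroll"})
    store.add_user("bob", "correct horse battery staple")
    results = {
        "alice_logs_in": store.authenticate("alice", "correct horse battery staple"),
        "wrong_password_rejected": store.authenticate("alice", "password123"),
        "unknown_user_rejected": store.authenticate("mallory", "anything"),
        "bob_cannot_do_payroll_yet": store.can_act_as("bob", "payroll"),
        "hashes_differ_despite_same_password":
            store._users["alice"]["hash"] != store._users["bob"]["hash"],
        "alice_password_in_clear": store.stored_in_clear("alice", "correct horse battery staple"),
    }
    # Alice is out; bob covers payroll through a role grant, not her password.
    store.grant_role("bob", "payroll")
    results["bob_can_do_payroll_after_grant"] = store.can_act_as("bob", "payroll")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `demo()` function shows the policy's point about role management: when Alice is unavailable, Bob is given the payroll role, so Alice's password is never shared and every action is still attributable to the individual who performed it.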
Multi-factor authentication. Multi-factor authentication is highly encouraged and should be used whenever possible, not only for work-related accounts but for personal accounts also.
Again, we're getting to the compliance part. The InfoSec team will verify compliance through various methods. Any exceptions to the policy must be approved in advance, and employees found to have violated this policy may be subject to disciplinary action. So those are all the standard sections that we have in each policy, or should have in each policy.
In summary, today we covered password creation, password change, password protection, application development, and multi-factor authentication.
So, a recap question for password management policy: users may not use any work-related passwords for ______. And that would be their personal accounts, even work-related personal accounts.
Now the next recap question: passwords may only be stored in ______ ______ authorized by the organization. That would be password managers that are authorized by the organization.
In our next lecture, we're going to look at more general policies; we're going to continue from the password management policy and go into password construction, which is referenced in the password management policy.
Reach me on Cybrary message. My username is Troy Lemaire, and thank you for attending this Cybrary training.