Password Policy
Overview
This policy is intended to establish guidelines for effectively creating, maintaining, and protecting passwords at LCANDCTA.
This policy shall apply to all employees and volunteers who have access to computerised systems that connect to LCANDCTA's network or to stand-alone computers. All digital data pertaining to clients, staff, volunteers and supporters of LCANDCTA MUST have password protection. LCANDCTA has identified the data it holds through the data mapping process, which is reviewed annually.
Purpose and Scope
The purpose of this document is to set down appropriate standards for password setting and give guidance on how passwords should be effectively set in place and managed. The aim is for the regime governing passwords to be one that maintains the security of LCANDCTA systems and information.
This policy covers all access to LCANDCTA systems and data regardless of:
- Who is accessing those systems and that data;
- Where those accessing systems and data are located; and
- Who it is that makes those systems and that data available.
There may be limitations in systems that affect the ability to implement this policy to its fullest extent. In those cases, this policy will be implemented to the fullest extent possible within determined limits.
Responsibilities
LCANDCTA staff, volunteers and system administrators are responsible for ensuring that systems are operated in conformance with this policy and for ensuring that procedures and practices maintain adherence with this policy.
Password Creation
- All user and admin passwords must be at least [8] characters in length. Longer passwords are strongly encouraged.
- Shared accounts: Where multiple users need to access the same user area e.g. Reception staff, passwords will be generated following an understood system and changed every month or immediately following a staff member’s resignation.
- Passwords must be completely unique, and not used for any other system or personal account.
- Default installation passwords must be changed immediately after installation is complete.
Password Aging
- User passwords must be changed every 6 months or, in the case of Reception, as indicated above. Previously used passwords may not be reused.
Password Protection
- Passwords must not be shared with anyone (including co-workers and supervisors), save where provided for in this policy, i.e. shared accounts, and must not be revealed or sent electronically.
- Passwords shall not be written down.
- Administrative level passwords may be written down where they may provide the only means of access to a given system or facility in certain circumstances such as for emergency or for continuity. In such cases, the documented password must be stored in a sealed envelope in lockable storage with controlled access.
- Passwords must not be stored in any electronic file unless the information can be encrypted and access to the file itself can be password protected.
- User IDs and passwords must not be scripted to enable automatic login.
- The “Remember Password” feature on websites and applications should not be used.
- All mobile devices that connect to the company network must be secured with a password.
Enforcement
It is the responsibility of the end user to ensure enforcement of the policies above.
If you believe your password may have been compromised, this should be reported immediately to Christine Brown, Director, and the password should be changed.
Date Policy Ratified: 1/2/2019
Date for Policy Review: Directors meeting July 2020
NB: Policies can be ratified at any time if there is a change to Government guidelines, or if they are not effective in practice.