
Purpose:
The purpose of this policy is to establish secure and effective password management practices that protect the confidentiality, integrity, and availability of the Company's information assets. This policy applies to all employees, contractors, and vendors with access to the APU's systems.

Scope:
This policy covers all user, application, system, and network level passwords, including those for web-applications and servers. However, the implementation of this policy is subject to the capabilities of each system and application.

Effective Date:
1st January 2025

Policy:

  1. Responsibility and Accountability:

    • All individuals with access to the Company's systems must select strong, secure passwords and are responsible for keeping their passwords confidential.

  2. Prohibited Use of Passwords:

    • Passwords must not be shared through non-secure channels, including but not limited to email, social media, and other forms of electronic communication not explicitly approved for secure information exchange.

  3. Password Strength and Complexity:

    • Passwords must be at least 12 characters long and include a mix of uppercase letters, lowercase letters, numbers, and special characters. Passwords must not contain personal information, common dictionary words, or easily guessable sequences.

  4. Initial Password Use and Change:

    • Default passwords for new accounts must be unique and complex. Users are required to change their password on first login so that the account is secured from the outset. Refer to the guide on changing the APKey password.

  5. Password Expiry and History:

    • Passwords must be changed at least every 365 days. The system will remember the last 4 passwords, and they cannot be reused.

  6. Frequency of Password Changes:

    • Users are encouraged to change their passwords more frequently if any suspicion of compromise arises. Mandatory password changes are required after any security incident.

  7. Account Lockout Policy:

    • Accounts will be locked after five consecutive failed login attempts and will remain locked for 15 minutes to prevent unauthorized access through brute force attacks.

    • The failed-attempt counter resets only after the lockout duration stated above has elapsed.

  8. Secure Password Storage:

    • Passwords must be stored securely as salted hashes so that the original passwords cannot be recovered by an unauthorized party. Clear text storage of passwords is strictly prohibited.

  9. Protection of Authentication Credentials:

    • Users must protect their passwords, PINs, security tokens, and other authentication methods. The use of password managers is recommended for secure password storage.

  10. Password Reset:

    • Users are permitted to reset their passwords whenever necessary, especially if a compromise is suspected.

  11. Web-Based Application Authentication:

    • All web-based applications must implement a secure authentication layer, with multi-factor authentication (MFA) strongly recommended for enhanced security.

  12. Unattended Sessions:

    • Workstations must be configured to automatically lock after 30 minutes of inactivity to prevent unauthorized access.
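The following is an added example, not part of the policy page or any APU system, showing how the strength rules in section 3 (12-character minimum, all four character classes, no personal information, no common dictionary words, no easily guessable sequences) can be enforced at password-set time. The word list, keyboard runs and the `personal_info` parameter are constructed for illustration; a production check would load a real dictionary or breached-password list.

```python
import re

# Constructed sample data for this example only; a deployment would load a
# proper dictionary / breached-password list instead of this short tuple.
COMMON_WORDS = ("admin", "company", "letmein", "password", "summer", "welcome")
KEYBOARD_RUNS = ("qwerty", "qwertz", "azerty", "asdfgh", "zxcvbn")


def has_sequential_run(pw: str, length: int = 4) -> bool:
    """True if pw contains `length` consecutive ascending or descending
    characters such as 'abcd', '4321' or 'wxyz' (case-insensitive)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, personal_info=()) -> list:
    """Return the list of section-3 rules the candidate password violates.
    An empty list means the password is compliant. `personal_info` is an
    iterable of strings tied to the user (username, first/last name, ...)."""
    violations = []
    if len(pw) < 12:
        violations.append("shorter than 12 characters")
    if not re.search(r"[A-Z]", pw):
        violations.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        violations.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        violations.append("no number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        violations.append("no special character")
    lowered = pw.lower()
    # Personal information: reject if any attribute of 3+ chars appears inside.
    for item in personal_info:
        if item and len(item) >= 3 and item.lower() in lowered:
            violations.append(f"contains personal information ({item})")
    for word in COMMON_WORDS:
        if word in lowered:
            violations.append(f"contains common dictionary word ({word})")
    # Easily guessable sequences: alphabetic/numeric runs, keyboard walks,
    # or the same character repeated three or more times in a row.
    if (has_sequential_run(pw)
            or any(run in lowered for run in KEYBOARD_RUNS)
            or re.search(r"(.)\1{2,}", pw)):
        violations.append("contains an easily guessable sequence")
    return violations
```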

Summary

  • Password Strength: Passwords must be at least 12 characters, include a mix of character types, and avoid personal information and common words.

  • Password Expiry: Passwords must be changed every 365 days or earlier where applicable.

  • Password History: The last 4 passwords cannot be reused.

  • Account Lockout: Accounts lock after 5 failed attempts for 30 minutes.

  • Unattended Sessions: Workstations lock after 30 minutes of inactivity.

  • Minimum Password Age: Users must retain a password for 5 days before changing it.

Additional Security Measures:

  • Multi-Factor Authentication (MFA): MFA is required (subject to system/application capability) for accessing sensitive systems to add an additional layer of security beyond just passwords.

  • Security Awareness Training: All users are recommended to undergo annual security awareness training, which includes recognizing and defending against phishing and social engineering attacks.

  • Password Policy Audits: Yearly audits will be conducted to ensure compliance with this password policy.

  • Incident Response: In the event of a suspected password compromise, users must follow the APU's incident response plan to mitigate and report the incident.

Compliance:
Failure to comply with this policy may result in disciplinary action. Compliance with this policy will be monitored and audited by Technology Services.

Review and Revision:
This policy will be reviewed and updated as necessary to reflect changes in technology, threats, and organizational priorities.
