INTERNAL STAFF PASSWORD MANAGEMENT POLICY
|
Document Identification |
HSNZ/POL/19 |
|
|
Document Name |
Password Management Policy |
|
|
Master Copy |
CISO |
|
|
Version Number |
1.3 |
|
|
Date Of Release |
15 Aug 2023 |
|
|
Prepared By |
Eparama Tuibenau |
CISO |
|
Approved by |
Kevin McAfee |
Managing Director |
VERSION HISTORY
|
Sl No |
Version No. |
Prepared by |
Approved by |
Description of Version |
Date |
Reason for Version Change |
|
|
From |
To |
||||||
|
1 |
1.0 |
- |
CISO |
MD |
First Release |
14 Apr 2020 |
No changes made |
|
1 |
1.0 |
1.1 |
CISO |
MD |
Updated |
11 July 2021 |
Modifications due to changes in HealthSafe |
|
1 |
1.1 |
1.2 |
CISO |
MD |
Reviewed |
28 July 2022 |
Annual review |
|
1 |
1.2 |
1.3 |
CISO |
MD |
Reviewed |
15 Aug 2023 |
Annual review |
DOCUMENT STATUS
|
Date |
Document Status |
|
14 Apr 2020 |
Modified |
|
11 Jul 2021 |
Reviewed |
|
28 Jul 2022 |
Reviewed |
|
15 Aug 2023 |
Current |
Table of Contents
1 Purpose
2 Scope
3 Input
4 Output
5 Interacting Process
6 Abbreviations, Acronyms and Definitions
7 Procedure
8 Monitoring the Process
9 Records
- PURPOSE
The purpose of this document is to establish and maintain a policy for Password Management for HealthSafe NZ. - SCOPE
These procedures apply to all aspects of password management. - ABBREVIATIONS, ACRONYMS AND DEFINITIONS
|
Abbreviation |
Description |
|
FH |
Functional Head |
|
IT |
Information Technology Department |
|
TL/PM |
Team Lead / Project Manager |
|
CISO |
Chief Information Security Officer |
4 INPUT
Validating the access
5 OUTPUT
A complex and valid authentication to be provided to access the various resources
6 INTERACTING PROCESS
All users
7 PROCEDURE
Staff must use LastPass (lastpass.com) as their ONLY method of storing and managing passwords and must meet the following complexity requirements.
- Passwords must be at least twelve [12] characters in length or more.
- Passwords must contain a mixture of uppercase and lowercase letter, numbers and special characters.
- All staff are required to change their LastPass master password every 12 months.
The IT Administrators should have a separate admin account and their passwords must meet the following additional complexity requirements.
- Where supported by the system, passwords must be at least twelve [12] characters in length or more.
- Must use LastPass platform dashboard to manage staff access and passwords
- At the time of staff account creation, a common password is used. Staff are expected to change their password in compliance with the password policy during their first login.
- Password guessing controls used within the environment where possible are:
- Lock account after three [3] successive failed login attempts.
- Staff must change their LastPass Master Password every 12 months.
- Staff may only have access to system-level passwords on a need-to-know basis.
- Staff passwords must not be disclosed to anyone other than the password owner under any circumstances.
- Administrative passwords should be stored in LastPass.
- IT team maintains a log of all administrative passwords in a password-protected or encrypted form in LastPass.
- Password strengths should be in accordance to CISO acceptable standards
8 MONITORING THE PROCESS
- IT team to verify and log the deactivated Staff accounts
9 RECORDS
- IT trouble ticket
- LastPass administrator logs and policy configurations
- LastPass password strength score