19. HealthSafe Password Management Policy



INTERNAL STAFF PASSWORD MANAGEMENT POLICY



Document Identification: HSNZ/POL/19
Document Name: Password Management Policy
Master Copy: CISO
Version Number: 1.3
Date Of Release: 15 Aug 2023
Prepared By: Eparama Tuibenau, CISO
Approved by: Kevin McAfee, Managing Director


VERSION HISTORY

Sl No | Version No. From | Version No. To | Prepared by | Approved by | Description of Version | Date         | Reason for Version Change
1     | 1.0              | -              | CISO        | MD          | First Release          | 14 Apr 2020  | No changes made
1     | 1.0              | 1.1            | CISO        | MD          | Updated                | 11 July 2021 | Modifications due to changes in HealthSafe
1     | 1.1              | 1.2            | CISO        | MD          | Reviewed               | 28 July 2022 | Annual review
1     | 1.2              | 1.3            | CISO        | MD          | Reviewed               | 15 Aug 2023  | Annual review


DOCUMENT STATUS

Date        | Document Status
14 Apr 2020 | Modified
11 Jul 2021 | Reviewed
28 Jul 2022 | Reviewed
15 Aug 2023 | Current


Table of Contents

1 Purpose
2 Scope
3 Abbreviations, Acronyms and Definitions
4 Input
5 Output
6 Interacting Process
7 Procedure
8 Monitoring the Process
9 Records



1 PURPOSE

The purpose of this document is to establish and maintain a Password Management policy for HealthSafe NZ.

2 SCOPE

These procedures apply to all aspects of password management.

3 ABBREVIATIONS, ACRONYMS AND DEFINITIONS

Abbreviation | Description
FH           | Functional Head
IT           | Information Technology Department
TL/PM        | Team Lead / Project Manager
CISO         | Chief Information Security Officer


4 INPUT

Validating the access


5 OUTPUT

Complex and valid authentication credentials, provided for access to the various resources.


6 INTERACTING PROCESS

All users


7 PROCEDURE

Staff must use LastPass (lastpass.com) as their ONLY method of storing and managing passwords, and their passwords must meet the following complexity requirements.

  • Passwords must be at least twelve [12] characters in length.
  • Passwords must contain a mixture of uppercase and lowercase letters, numbers and special characters.
  • All staff are required to change their LastPass master password every 12 months.

IT Administrators should have a separate admin account, and their passwords and access must meet the following additional requirements.

  • Where supported by the system, passwords must be at least twelve [12] characters in length.
  • The LastPass platform dashboard must be used to manage staff access and passwords.
  • At the time of staff account creation, a common initial password is set. Staff are expected to change this password, in compliance with the password policy, at their first login.
  • Password guessing control, used within the environment where possible: lock the account after three [3] successive failed login attempts.
  • Staff must change their LastPass Master Password every 12 months.
  • Staff may only have access to system-level passwords on a need-to-know basis.
  • Staff passwords must not be disclosed to anyone other than the password owner under any circumstances.
  • Administrative passwords should be stored in LastPass.
  • The IT team maintains a log of all administrative passwords in password-protected or encrypted form in LastPass.
  • Password strength should be in accordance with the standards the CISO deems acceptable.
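The following Python check is an added illustration of the rules in this section; it is not part of the policy document and not code from any HealthSafe or LastPass system. The thresholds (twelve characters, uppercase, lowercase, number and special character, lock after three successive failed logins) are taken from the policy text; the function and class names, and the sample passwords and account name, are constructed for the example. Credential verification itself is outside the example and is passed in as a boolean.

```python
"""Password complexity and account-lockout checks modelled on HSNZ/POL/19 section 7.

Added illustration only; names (check_complexity, LockoutTracker) are assumptions.
"""
import string
from dataclasses import dataclass, field

MIN_LENGTH = 12          # policy: at least twelve [12] characters
MAX_FAILED_ATTEMPTS = 3  # policy: lock after three [3] successive failed logins


def check_complexity(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


@dataclass
class LockoutTracker:
    """Counts successive failed logins per account and locks at the threshold.

    Only the guessing control from the policy is modelled here; whether the
    submitted credentials are valid is decided elsewhere and passed in.
    """
    failures: dict[str, int] = field(default_factory=dict)
    locked: set[str] = field(default_factory=set)

    def record_attempt(self, account: str, credentials_valid: bool) -> str:
        """Return 'locked', 'denied' or 'allowed' for this login attempt."""
        if account in self.locked:
            return "locked"              # stays locked until an administrator unlocks it
        if credentials_valid:
            self.failures[account] = 0   # a successful login resets the successive count
            return "allowed"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(account)
            return "locked"
        return "denied"

    def unlock(self, account: str) -> None:
        """Administrative unlock; clears the failure counter as well."""
        self.locked.discard(account)
        self.failures[account] = 0


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials
    for pw in ["Short1!", "alllowercase12!", "Correct-Horse-42"]:
        print(pw, "->", check_complexity(pw) or "compliant")

    # Constructed login sequence for account "alice": three failures lock the account
    tracker = LockoutTracker()
    for ok in (False, False, False, True):
        print("alice", "->", tracker.record_attempt("alice", ok))
```

The two parts map to the two kinds of control in the list: check_complexity is what an account-creation or first-login password change would run before accepting a new password, and LockoutTracker is the state a login service keeps so that the third successive failure locks the account and a later correct password does not reopen it without an administrative unlock.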


8 MONITORING THE PROCESS

  • The IT team verifies and logs deactivated staff accounts.

9 RECORDS

  • IT trouble ticket
  • LastPass administrator logs and policy configurations
  • LastPass password strength score