Password Policy
Purpose
The purpose of these procedures and standards is to implement and maintain password complexity and multi-factor authentication (MFA) requirements in compliance with the guidelines provided in the current version of the New Zealand Information Security Manual (NZISM).
Scope
These procedures apply to all employees, contractors, and third-party vendors who have access to BTIT's managed application services, particularly those with system and service administrative privileges.
Procedures and Standards
1. Password Complexity Standards
1.1 Password Creation
Length: Passwords must be at least 12 characters long.
Character Variety: Passwords must include a mix of uppercase letters, lowercase letters, numbers, and special characters.
Uniqueness: Passwords must not include common words, phrases, or easily guessable patterns (e.g., "password123", "admin", "qwerty").
Avoid Personal Information: Passwords must not include easily obtainable personal information (e.g., names, birth dates).
1.2 Password Management
Expiration: Passwords must be changed every 90 days.
Reuse: Password reuse is prohibited. Users cannot reuse their previous 10 passwords.
Storage: Passwords must be stored securely using encryption. Plaintext storage of passwords is strictly prohibited.
Password Managers: Use of enterprise-approved password managers is encouraged to help users maintain strong, unique passwords for different systems and services.
1.3 Password Change Process
Verification: Users must verify their identity before changing their password.
Notification: Users will receive a notification when their password is about to expire and will be prompted to change it.
Documentation: All password changes must be documented in the system logs for auditing purposes.
2. Multi-Factor Authentication (MFA) Standards
2.1 MFA Implementation
Mandatory Use: MFA is mandatory for all system and service administrators.
Methods: MFA methods must include at least two of the following:
Something you know (e.g., password or PIN).
Something you have (e.g., smart card, hardware token, or mobile app).
Something you are (e.g., biometric verification such as fingerprint or facial recognition).
2.2 Configuration
Access Points: MFA must be implemented for all administrative access points, including remote access, console access, and privileged accounts.
Authentication Factors: Configure systems to require two-factor authentication for administrative access. Acceptable methods include:
Hardware tokens (e.g., YubiKey).
Authenticator apps (e.g., Google Authenticator, Microsoft Authenticator).
SMS-based codes (only as a backup method).
2.3 Enrollment
Onboarding: New administrators must enroll in MFA during the onboarding process.
Training: Provide training on how to use MFA methods and troubleshoot common issues.
Periodic Review: Periodically review and update MFA methods to incorporate new technologies and best practices.
3. Compliance and Monitoring
3.1 Regular Audits
Audit Frequency: Conduct audits at least quarterly to ensure compliance with password complexity and MFA requirements.
Audit Scope: Include checks for password length, complexity, expiration, reuse, and the implementation of MFA.
Reporting: Document audit findings and report any non-compliance to the security team for immediate remediation.
3.2 Incident Reporting
Detection: Use monitoring tools to detect suspicious activity related to password usage and authentication attempts.
Reporting: Any suspected or confirmed breach of password policies or MFA requirements must be reported immediately to the security team.
Response: Investigate reported incidents promptly and take corrective actions to mitigate risks.
3.3 Training and Awareness
Employee Training: Conduct regular training sessions for all employees on the importance of strong passwords and MFA.
Administrator Training: Ensure that system and service administrators receive in-depth training on configuring and managing MFA.
Awareness Campaigns: Run periodic awareness campaigns to remind users of best practices for password management and the importance of MFA.
4. Exceptions and Exemptions
4.1 Approval Process
Request Submission: Submit any requests for exceptions or exemptions to the Chief Information Security Officer (CISO) or equivalent authority.
Justification: Provide a detailed justification for the exception, including potential risks and mitigation measures.
Approval and Documentation: Approved exceptions must be documented, including the duration of the exemption and any conditions that apply.
Periodic Review: Review approved exceptions periodically to determine if they are still necessary and appropriate.
5. Policy Review and Updates
5.1 Annual Review
Review Cycle: Conduct an annual review of the Password Complexity and MFA Policy to ensure it remains current with NZISM guidelines and industry best practices.
Stakeholder Involvement: Involve relevant stakeholders in the review process to gather feedback and identify areas for improvement.
5.2 Policy Updates
Documentation: Document any changes to the policy and update all related procedures and standards.
Communication: Communicate policy updates to all employees, contractors, and third-party vendors.