The purpose of the Password Policy (the “Policy”) is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that is part of the network.
Read, Understand, and Comply with this policy.
Any questions related to this policy can be directed to the Service Desk.
Approve and enforce compliance with this policy.
Manage and review this policy at least annually.
Collect evidence as required.
Answer all questions or comments related to this policy.
Ensure this policy is readily available for all employees within the Service Desk.
All critical or highly sensitive system-level passwords (e.g., root, enable, network administrator, and application administration accounts) must be changed at least every 90 days.
All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every 180 days, and users may not reuse the past 5 passwords.
All production system-level passwords must be stored within the global password management database (or another approved repository). The information security team is responsible for repository administration. All user accounts with access to back-end, administrative, or privileged systems must have a password that is unique from all other accounts held by that user.
Passwords must not be inserted into email messages or other forms of electronic communication.
All passwords must conform to the guidelines described in Section 4.2 of this policy.
Employees are provided the use of a password manager called “Zoho Vault” to securely store and manage passwords.
Passwords must not be shared with anyone, including supervisors and coworkers. All passwords are to be treated as sensitive, confidential Voyages Encore Travel Inc. information. IT Security recognizes that legacy applications do not support the proxy systems currently in place.
Passwords for all systems must adhere to the following settings:
Passwords are changed every 180 days.
Enforce password history: a new password may not match any of the user's last 5 passwords.
Contains a minimum of 12 characters (letters, numbers and special characters).
Contains at least one capital letter, one number and one special character.
May not be a dictionary word, a proper name, or include the User ID.
Is not displayed when entered.
Limit repeated access attempts by locking out the user ID after five failed attempts.
Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
If a session has been idle for more than 10 minutes, the PC locks and the user must log back in.
All settings for critical applications must be reviewed annually.
There are no exceptions to these settings.
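As an added illustration (not part of the policy text), the following Python sketch implements the settings above: the length, character-class, dictionary, user-ID and history checks, and the five-attempt, 30-minute lockout with administrator re-enable. The word list, user IDs and the `history` argument (plain previous passwords, where a real system would compare stored hashes) are constructed assumptions, and the dictionary rule is read strictly, flagging a listed word anywhere in the password.

```python
import re
import time

# Values taken from the policy's password settings list.
MIN_LENGTH, HISTORY_SIZE = 12, 5
MAX_ATTEMPTS, LOCKOUT_SECONDS = 5, 30 * 60
# Constructed stand-in for a real dictionary and proper-name word list (assumption).
WORD_LIST = {"password", "welcome", "summer", "travel", "voyages", "encore"}


def check_password(candidate: str, user_id: str, history: list[str]) -> list[str]:
    """Return the policy rules the candidate violates; an empty list means compliant."""
    problems = ["fewer than 12 characters"] if len(candidate) < MIN_LENGTH else []
    for pattern, message in ((r"[A-Z]", "no capital letter"), (r"[0-9]", "no number"),
                             (r"[^A-Za-z0-9]", "no special character")):
        if not re.search(pattern, candidate):
            problems.append(message)
    lowered = candidate.lower()
    # Read strictly: a listed word anywhere in the password counts as a dictionary word.
    if any(word in lowered for word in WORD_LIST):
        problems.append("dictionary word or proper name")
    if user_id and user_id.lower() in lowered:
        problems.append("contains the user ID")
    if candidate in history[-HISTORY_SIZE:]:
        problems.append("matches one of the last 5 passwords")
    return problems


class LockoutTracker:
    """Locks a user ID after 5 failed attempts for 30 minutes, or until an admin unlocks it."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so tests can advance time
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def is_locked(self, user_id: str) -> bool:
        return self._clock() < self._locked_until.get(user_id, float("-inf"))

    def record_failure(self, user_id: str) -> bool:
        """Count one failed login; return True if the account is (now) locked."""
        if self.is_locked(user_id):
            return True
        self._failures[user_id] = self._failures.get(user_id, 0) + 1
        if self._failures[user_id] < MAX_ATTEMPTS:
            return False
        self._locked_until[user_id] = self._clock() + LOCKOUT_SECONDS
        self._failures[user_id] = 0  # fresh count once the lock expires
        return True

    def admin_unlock(self, user_id: str) -> None:
        self._locked_until.pop(user_id, None)
        self._failures.pop(user_id, None)
```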
All passwords that are no longer needed must be deleted or disabled immediately. This includes, but is not limited to, the following:
When a user is reassigned, released, or dismissed
Default passwords shall be changed immediately on all equipment
Contractor accounts, when no longer needed to perform their duties
Application developers must ensure their programs contain the following security precautions:
Applications support authentication of individual users, not groups.
Applications do not store passwords in clear text or in any easily reversible form.
Applications provide role management, so that one user can take over the function of another without having to know the other's password.
Access to the Encore network via remote access is to be controlled using a Virtual Private Network (“VPN”), for which a user ID, a password, and Multi Factor Authentication (“MFA”) are required.
The Information Security Office will verify compliance with this policy through various methods, including but not limited to business tool reports and internal and external audits. Anyone found in violation of the policy may be subject to disciplinary action up to and including termination.