[FIRM NAME]

SECURITY POLICY

Purpose of Policy

The purpose of this policy is to establish a standard for the creation of complex passwords, the protection of those passwords, and the frequency with which they are changed.

This policy applies to all personnel who hold an account that supports or requires a password on any system that resides at a [Firm Name] facility, has access to the [Firm Name] network, or stores any non-public [Firm Name] information.

Policy

1.  New network accounts. The employee’s manager submits the request through Human Resources (HR). HR then coordinates the creation of a unique User ID and password.

2.  Network accounts may be modified at the request of the manager or user via email to [Firm Name]’s IT department.

3.  When a team member is terminated, the manager coordinates with HR [tailor roles to your business] to perform out-placement activities. HR then coordinates with IT to either delete or disable the user account. The manager may request that the User ID remain active for a period of time so that email sent to it can still be received. If this is requested, the password is changed immediately and the manager is given access to the mailbox. If no such request is made, the User ID is disabled immediately and its contents are deleted within a month.

4.  Default accounts supplied by applications, databases, or operating system software will either be disabled, deleted, or have the password changed from the default password.

5.  User IDs follow an approved naming convention so that they are created consistently. Each individual logs on with his or her own User ID and never with anyone else’s. Network User IDs are formed from the first initial of the first name followed by the last name. If that User ID already exists, the middle initial is added. If a third duplicate occurs, a sequential number is appended to the end of the User ID.

6.  All network and computer accounts must have an associated password to control access. The authentication password policy for access to the network is: [Password policy needs to be tailored to your business. The following is recommended.]

-  Must be at least 8 characters.

-  Must contain both upper- and lower-case characters.

-  Must contain at least one special character.

-  Must be changed every 180 days.

-  Cannot reuse any of the last four (4) passwords.

-  Cannot be a numeric increment of the previous password (e.g., Password1, Password2).

-  Use password self-maintenance [If applicable].

   -  Once users have enrolled and set up secret questions, they can change their password at any time, or unlock their account without changing the password, without having to contact the IT Department.
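As an added illustration, not part of the policy template itself, the Python below checks a password change request against the recommended rules in item 6: the complexity rules, the "no numeric increment" rule (generalized here to any change that alters only the trailing digits of the current password), and the last-four reuse rule. Previous passwords are compared as salted hashes so that no old password is retained in clear text; the function names and the PBKDF2 parameters are my own choices.

```python
import hashlib
import hmac
import re
import secrets

MIN_LENGTH = 8     # "Must be at least 8 characters"
HISTORY_DEPTH = 4  # "Cannot reuse last four (4) passwords"


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-SHA256 of the password; only (salt, digest) is ever stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def complexity_violations(password: str) -> list:
    """Return a list of the item-6 complexity rules the password fails (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        problems.append("needs both upper- and lower-case characters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs at least one special character")
    return problems


def is_numeric_increment(current: str, new: str) -> bool:
    """True when the only difference is the run of trailing digits (Password1 -> Password2)."""
    stem_cur, digits_cur = re.fullmatch(r"(.*?)(\d*)", current).groups()
    stem_new, digits_new = re.fullmatch(r"(.*?)(\d*)", new).groups()
    return bool(digits_cur and digits_new) and stem_cur == stem_new and digits_cur != digits_new


def reuses_history(password: str, history: list) -> bool:
    """history holds (salt, digest) pairs, oldest first, including the current password."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def validate_change(current: str, new: str, history: list) -> list:
    """The user supplies the current password at change time, so the increment check
    can run on plaintext; the reuse check runs only against stored hashes."""
    problems = complexity_violations(new)
    if is_numeric_increment(current, new):
        problems.append("only the trailing number changed from the current password")
    if reuses_history(new, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems
```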

7.  Accounts will be locked out following a maximum of 10 invalid logon attempts.

8.  All computers must be set to lock after a maximum of 15 minutes of non-activity. Exceptions will be made with approval of the [Title, e.g., COO].

9.  All domain user accounts are audited on a periodic basis.

10.  Where practical, [Firm Name] will operate security systems that include individual access codes, personal keys/fobs, or similar technologies.

  1. [Firm Name] uses Microsoft Active Directory for user authentication, which, together with add-on third-party tools, can support this capability.
  2. [Firm Name] supports these capabilities when requested by our suppliers such as banks.

ATG FORM 4203-G
© ATG (4/14) / FOR USE IN: ALL STATES