WSB Policy: Password Standards


Purpose

Passwords are one of the primary mechanisms that protect critical WSB information systems and other resources from unauthorised use. Constructing secure passwords and ensuring proper password management are essential. Poor password management and protection could allow unauthorised access to the WSB’s Information Technology (IT) resources, which in turn could lead to the inappropriate disclosure and use of confidential or sensitive WSB information.

The purpose of this policy is to provide clear guidance and present best practices for the creation of strong passwords, the management and protection of those passwords, and the frequency with which they must be changed.

This policy is mandatory: by accessing any Information Technology (IT) resources which are owned or leased by the WSB, users agree to abide by its terms.

Scope

This policy is authorised by the WSB Senior Management Team and represents the WSB’s official position.

The policy takes precedence over all other relevant policies which may have been developed at a local level.

This policy applies to:

  • All WSB Information Technology (IT) equipment, systems and applications which are capable of being password protected.
  • All system developers and users (including WSB staff, contractors, consultants, interns, volunteers and authorised third-party commercial service providers) of the WSB’s IT resources.
  • All connections (local or remote) to the WSB network domains (LAN/WAN/WiFi).
  • All connections made to external networks through the WSB networks.

Definitions

A list of the terms used throughout this policy is given in Appendix A.

Policy

Principles of Password Security

Where technically feasible, all WSB Information Technology (IT) resources must be protected by the use of strong passwords. All passwords created for use within the WSB must meet the requirements of this policy and adhere to the following standards.

Length

All passwords must be a minimum of 8 characters in length. If existing systems are not capable of supporting 8 characters, then the maximum number of characters allowed within the system must be used.

Complexity

Passwords must contain a combination of letters (both upper and lower case), numbers (0-9) and at least one special character (for example: “, £, $, %, ^, &, *, @, #, ?, !, €).

Passwords must not be left blank.

Passwords, or any part of a password, must not contain:

  • Any word(s) found in an English or foreign-language dictionary.
  • Any word(s) spelled backwards (for example: drow, yadnom).
  • Any slang words (for example: dubs, agro, bling).
  • Any word with numbers appended (for example: deer2000, password2012, Paul2468, etc.).
  • Any words with simple obfuscation (for example: p@ssw0rd, l33th4x0r, @dm1n100, g0ldf1sh, etc.).
  • Any names of fictional characters (for example: frodo, shrek).
  • Any common keyboard sequences (for example: qwerty).
  • Any names of people, places or organisations (for example: mary100, Liverpool, LFC2005, ManUtd).
  • Any personal information related to a user (for example: user name, address, date of birth, WSB personnel number, car registration number, telephone number).
  • A sequence of consecutive numbers or letters (for example: 12345678, abcdefgh, abcd1234).
  • The following sequences of letters: passwrd, passwd, pwrd, paswd.

Recycling

No password may be re-used by a user within a 12-month period.

Aging

User-level passwords, such as those used to access WSB computer devices, information systems and network domains, must be changed at least every 180 days.

System-level passwords, such as those used by WSB information system administrators and network domain administrators, must be changed at least every 90 days.
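As an added illustration that is not part of the policy or of any WSB system, the following Python checker implements the Length and Complexity standards above (blank check, minimum length, character classes, banned letter sequences, dictionary words forwards, backwards and under simple obfuscation, personal information, and consecutive sequences). The word list and substitution map it embeds are constructed assumptions standing in for the full dictionary files a real deployment would load.

```python
import re

# Constructed stand-in for the dictionary, slang, name, place and keyboard-sequence
# lists the standard refers to; a real deployment would load full word lists from
# files (that loading is an assumption, not something the policy specifies).
BANNED_WORDS = {"password", "monday", "word", "dubs", "agro", "bling", "deer",
                "admin", "goldfish", "frodo", "shrek", "qwerty", "liverpool",
                "manutd", "mary", "paul"}
BANNED_FRAGMENTS = ("passwrd", "passwd", "pwrd", "paswd")  # listed in the standard
SPECIALS = set('",£$%^&*@#?!€')                             # listed in the standard
# Substitutions behind "simple obfuscation" (p@ssw0rd, g0ldf1sh); '1' is tried as i and l.
LEET = {"@": "a", "0": "o", "3": "e", "4": "a", "$": "s", "5": "s", "7": "t"}


def _deobfuscate(s):
    """Return the plain-text candidates of s with leet substitutions undone."""
    base = "".join(LEET.get(c, c) for c in s)
    return (base.replace("1", "i"), base.replace("1", "l"))


def _has_run(s, length=4):
    """True if s contains `length` consecutive ascending or descending characters."""
    for i in range(len(s) - length + 1):
        steps = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + length - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw, personal=()):
    """Return the rules pw breaks (empty = passes); `personal` lists user-linked strings."""
    if not pw:
        return ["blank"]
    problems = []
    if len(pw) < 8:
        problems.append("length")
    if not (re.search("[a-z]", pw) and re.search("[A-Z]", pw)
            and re.search("[0-9]", pw) and any(c in SPECIALS for c in pw)):
        problems.append("complexity")
    low = pw.lower()
    if any(f in low for f in BANNED_FRAGMENTS):
        problems.append("banned fragment")
    # Words are rejected forwards, backwards, with digits appended and under leet.
    forms = _deobfuscate(low) + _deobfuscate(low[::-1])
    if any(w in form for w in BANNED_WORDS for form in forms):
        problems.append("dictionary word")
    if any(p.lower() in low for p in personal if p):
        problems.append("personal info")
    if _has_run(low):
        problems.append("sequence")
    return problems
```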

Password Security

Each user is responsible for all activities performed on any WSB IT device, information system or application while logged in under their individual access account and password.

With the exception of generic / group access accounts, users must only use user access accounts and passwords which have been assigned to them.

Users must ensure all passwords except those used for generic / group access accounts are kept confidential at all times and are not shared with others including their co-workers or third parties.

Users must not write down their password(s) on or near their computer device. However, in exceptional circumstances where a password has to be written down, the password must be stored in a secure locked place, which is not easily accessible to others.

Users must not send their passwords within email or chat messages.

Users must change their passwords at least every 120 days or when instructed.

Users who suspect their password is known by others must change their password immediately.

Users must not misuse their own or another user’s password, or knowingly elevate their information system access account or network domain access privileges above those that they have been authorised to use.

Users must ensure that all default passwords supplied by a vendor for new WSB devices and systems are changed at installation time.

System and Application Development Standards

System developers (including both WSB personnel and third party commercial service providers) who are responsible for developing information systems and applications for the WSB must ensure that the systems and applications they develop are capable of implementing, supporting and enforcing this policy in full.

System developers (including both WSB personnel and third-party commercial service providers) who are responsible for developing information systems and applications for the WSB must ensure that the systems and applications they develop contain the following minimum security features:

  • They must support authentication of individual users and not just groups.
  • They must contain controls that ensure individuals can be held responsible for their actions.
  • They must not store passwords in clear text or in any easily reversible form.
  • Passwords should not be displayed on the screen while they are being entered.
  • They must provide for some form of role management, such that one user can take control of the functions of another without having to know the other user’s password.
  • They must force users to change their password at their first logon.
  • They must automatically ‘lock’ a user account after a defined number of consecutive failed login attempts.
  • They must automatically ‘lock’ or log out user accounts after a defined period of inactivity.
  • They should support Single Sign On (SSO) authentication to either the SCOUT.ORG platform or the WSB Office 365 tenancy.
  • They must provide a logging facility that, as a minimum, is capable of recording all failed and successful login attempts.
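As an added example (not code from the policy or from any WSB system), this Python account store shows the storage, first-logon, lockout and logging requirements above working together: passwords are kept only as salted one-way hashes, the first successful logon demands a change, a run of failed attempts locks the account, and every attempt is logged. The lockout threshold, PBKDF2 parameters and in-memory storage are assumptions.

```python
import hashlib
import hmac
import os

# The "defined number" of consecutive failures before lockout is left to the system
# by the policy; 5 is an assumed value.
LOCKOUT_THRESHOLD = 5


def _hash(pw, salt):
    """Salted one-way PBKDF2 hash: nothing stored can be reversed to the password."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


class AccountStore:
    """Constructed in-memory store (assumption: a real system would persist it)."""

    def __init__(self):
        self.accounts = {}
        self.log = []  # (username, outcome) for every attempt, as the standard requires

    def create(self, username, initial_pw):
        salt = os.urandom(16)  # per-user salt so equal passwords hash differently
        self.accounts[username] = {"salt": salt, "hash": _hash(initial_pw, salt),
                                   "failures": 0, "locked": False, "must_change": True}

    def login(self, username, pw):
        """Return 'success', 'change required', 'locked' or 'failed'; log the attempt."""
        acct = self.accounts.get(username)
        if acct is None or acct["locked"]:
            outcome = "locked" if acct else "failed"
        elif hmac.compare_digest(acct["hash"], _hash(pw, acct["salt"])):
            acct["failures"] = 0  # a good login ends the failure streak
            outcome = "change required" if acct["must_change"] else "success"
        else:
            acct["failures"] += 1
            acct["locked"] = acct["failures"] >= LOCKOUT_THRESHOLD
            outcome = "failed"
        self.log.append((username, outcome))
        return outcome

    def change_password(self, username, old_pw, new_pw):
        """Re-hash with a fresh salt once the old password checks out; clears first-logon."""
        if self.login(username, old_pw) not in ("success", "change required"):
            return False
        acct = self.accounts[username]
        acct["salt"] = os.urandom(16)
        acct["hash"] = _hash(new_pw, acct["salt"])
        acct["must_change"] = False
        return True
```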

 

Roles & Responsibilities

Senior Management Team

  • Reviewing, approving and formally supporting this policy.

IT Department (Senior Manager, Digital & IT Services, IT Personnel)

  • Complying with the terms of this policy and all other relevant HSE policies, procedures, regulations and applicable legislation.
  • Ensuring all passwords generated for new user accounts and password resets meet the requirements of this policy.
  • Notifying users of their passwords in a secure and confidential manner.
  • Ensuring all system-based accounts also adhere to this policy.

Line Managers, Supervisors, Department Heads

  • The implementation of this policy and all other relevant WSB policies within the business areas for which they are responsible.
  • Ensuring that all WSB staff, contractors, interns, consultants and volunteers who report to them are made aware of and are instructed to comply with this policy and all other related WSB policies.
  • Consulting with the HR Manager in relation to the appropriate procedures to follow when a breach of this policy has occurred.

Developers (internal / external)

  • Ensuring the systems and applications they develop for the WSB are capable of implementing, supporting and enforcing this policy in full.

Users

  • Complying with the terms of this policy and all other relevant WSB policies, procedures, regulations and applicable legislation.
  • Respecting and protecting the privacy and confidentiality of the information they process at all times.
  • Ensuring they only use user access accounts and passwords which have been assigned to them.
  • Ensuring all passwords assigned to them are kept confidential at all times and not shared with others, including their co-workers or third parties.
  • Changing their passwords at least every 120 days or when instructed to do so by IT Personnel.
  • Reporting all misuse and breaches of this policy immediately to their line manager or to the IT Personnel.

Policy Distribution & Awareness

This policy and its supporting policies, standards and guidelines will be published on the WSB Dropbox.

Soft copies of the policy and its supporting policies, standards and guidelines will be available in the WSB Staff Support Center.

The IT Personnel and/or the Senior Manager, Digital & IT Services may make periodic policy announcements by email.

WSB line managers will ensure that all existing and new staff, contractors, consultants, interns, volunteers and third-party commercial service providers who report to them are made aware of and have access to the policy and its supporting policies, standards and guidelines.

Individuals requiring clarification on any aspect of the policy and its supporting policies, standards and guidelines, and/or advice on general IT security matters, may email their queries to the Senior Manager, Digital & IT Services or the local IT Personnel.

Exceptions to this Policy

Exceptions to the guiding principles in this policy must be documented and formally approved by the Global Director, Communications, with evidence of support from the appropriate Senior Management Team.

Policy exceptions must describe:

  • The nature of the exception.
  • A reasonable explanation for why the policy exception is required.
  • Any risks created by the policy exception.
  • Evidence of approval.

Policy Enforcement

The WSB reserves the right to take such action as it deems appropriate against individuals who breach the conditions of this policy. WSB staff, contractors, consultants, interns and volunteers who breach this policy may be subject to disciplinary action, including suspension and dismissal, as provided for in the WSB disciplinary procedure.

Breaches of this policy by a third-party commercial service provider may lead to the withdrawal of WSB information technology resources from that third-party commercial service provider and/or the cancellation of any contract(s) between the WSB and the third-party commercial service provider.

The WSB reserves the right to refer any use of its IT resources for illegal activities to the relevant Authorities.

Review & Update

This policy will be reviewed and updated annually or more frequently if necessary, to ensure any changes to the WSB’s organisation structure and business practices are properly reflected in the policy.

Appendix A: Definitions

Information: Any data in an electronic format that is capable of being processed or has already been processed.

Information Technology (I.T.) resources: Includes all computer facilities and devices, networks and data communications infrastructure, telecommunications systems and equipment, internet/intranet and email facilities, software, information systems and applications, account usernames and passwords, and information and data that are owned or leased by the WSB.

IT Personnel: The individuals responsible for the day-to-day management of a WSB network domain. Also includes WSB personnel who have been authorised to create and manage user accounts and passwords on a WSB network domain.

Line manager: The individual a user reports directly to.

Password: A string of characters that a user must supply in order to gain access to an IT resource.

Process / Processed / Processing: Performing any manual or automated operation or set of operations on information including:

  • Obtaining, recording or keeping the information.
  • Collecting, organising, storing, altering or adapting the information.
  • Retrieving, consulting or using the information.
  • Disclosing the information or data by transmitting, disseminating or otherwise making it available.
  • Aligning, combining, blocking, erasing or destroying the information.

System Developer: Any WSB personnel or third-party commercial service providers who are responsible for developing electronic information systems and applications for the WSB or its customers.

Users: Any authorised individual who uses the WSB’s IT resources.
