1.12.11.16
SECURITY. Password policy.
- A. This policy establishes a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.
- B. Passwords must be at least eight (8) alphanumeric characters long.
- C. All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed at least every 6 months. Password changes will be addressed immediately by the password authority when personnel changes are made to staff that have root access.
- D. Passwords must not be stored on unencrypted or other insecure forms (i.e., word document, post-its, labels, etc.).
- E. All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed periodically. The minimum change interval is every 4 months.
- F. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
- G. Passwords must not be inserted into email messages or other forms of electronic communication.
- H. All user-level and system-level passwords must conform to the guidelines described below.
I. A password authority shall be established by the agency CIO or IT lead to disseminate passwords, facilitate as the gatekeeper for system-level passwords, and be the point of contact for password-related security breaches. Password may only be obtained or requested from the password authority of the agency.
History of 1.12.11 NMAC: [RESERVED]
[1.12.11.16 NMAC - N, 06-15-2005]