Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in a compromise of entire network and system security. As such, all VIDIZMO users (including contractors, vendors and customers with access to VIDIZMO systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their password.
Purpose
The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of passwords, and the frequency of change.
Scope
The scope of this policy includes all who have or are responsible for an account (or any form of access that supports or requires a password) on VIDIZMO SaaS, or VIDIZMO on-premises dedicated system.
Policy General
- All systems-level passwords (e.g., root, network administrator, application administration accounts, etc.) must be changed at least every 90 days.
- All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every 90 days and cannot be reused the past 10 passwords.
- All user-level, system-level, and access level passwords must conform to the guidelines described below.
Guidelines (Password Construction Requirements)
- Be a minimum length of eight (8) characters on all systems
- Not be a dictionary word or proper name
- Not be the same as the User ID
- Expire within a maximum of 90 calendar days
- Not be identical to the previous ten (10) passwords
- Not be transmitted in the clear or plaintext outside the secure location
- Not be displayed when entered
- Ensure passwords are only reset for authorized user
Password Deletion
All passwords that are no longer needed must be deleted or disabled immediately. This includes, but is not limited to, the following:
- When a user retires, quits, is reassigned, released, dismissed, etc.
- Default passwords shall be changed immediately on all equipment.
- Contractor accounts, when no longer needed to perform their duties.
Password Protection Standards
Do not use your User ID as your password. Do not share VIDIZMO passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, Confidential VIDIZMO information.
Here is a list of “do not’s”
- Don’t reveal a password over the phone to anyone
- Don’t reveal a password in an mail message
- Don’t reveal a password to the boss
- Don’t talk about a password in front of others
- Don’t hint at the format of a password (e.g., “my family name”)
- Don’t reveal a password on questionnaires or security forms
- Don’t share a password with family members
- Don’t reveal a password to a co-worker while on vacation
- Don’t use the "Remember Password" feature of applications
- Don’t write passwords down and store them anywhere in your office
- Don’t store passwords in a file on ANY computer system unencrypted
If someone demands a password, refer them to this document or have them contact VIDIZMO support team (support@vidizmo.com) for help and assistance.
If an account or password is suspected to have been compromised, report the incident to VIDIZMO support team (support@vidizmo.com) and change all passwords.
Password cracking or guessing may be performed on a periodic or random basis by VIDIZMO. If a password is guessed or cracked during one of these scans, the user will be required to change it.
Application Development Standards
Application developers must ensure their programs contain the following security precautions:
- Should support authentication of individual users, not groups.
- Should not store passwords in clear text or in any easily reversible form.
- Should provide some sort of role management, such that one user can take over the function of another without having to know the other’s password.
- Should support Terminal Access Controller Access Control System+ (TACACS+), Remote Authentication Dial-In User Service (RADIUS), and/or X.509 with Lightweight Directory Access Protocol (LDAP) security retrieval, wherever possible.
Remote Access Users
Access to the VIDIZMO systems via remote access is to be controlled by using either a Virtual Private Network (in which a password and user id are required) or a form of advanced authentication (i.e., Biometrics, Tokens, Public Key Infrastructure (PKI), Certificates, etc.).
Support Information
For help and assistance with password protection in VIDIZMO, please contact VIDIZMO support team (support@vidizmo.com).
--End of document--