IT Baseline Protection Manual - The Information Warfare Site


Safeguard Catalogue - Organisation

S 2.11 Provisions governing the use of passwords

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: IT security management, users

If passwords are used for authentication in an IT system, the security of the system's access-control management depends decisively on the correct use of those passwords. It is therefore advisable to introduce a set of provisions governing password use and to inform the users accordingly.

The following rules regarding password use should be observed:

- The password must not be easy to guess; names, vehicle registration numbers, dates of birth and the like must not be used.
- The password should contain at least one non-letter character (a special character or a digit).
- The password should be at least 6 characters long. It must be tested how many password characters the system actually checks, since some systems ignore characters beyond a fixed length.
- Preset passwords (e.g. set by the manufacturer at the time of delivery) must be replaced by individually selected passwords.
- Passwords must not be stored on programmable function keys.
- The password must be kept secret and should be known only to the user personally.
- The password should be written down only for the purpose of escrow, in which case it is kept securely in a sealed envelope. If an additional written record is made, the password should be kept at least as securely as a cheque card or a bank note (cf. S 2.22 Depositing of passwords).
- The password must be changed regularly, e.g. every 90 days.
- The password should be changed if it has become known to unauthorised persons.
- After a password has been changed, previous passwords should no longer be used.
- The password should be entered out of view of others.

Where technically feasible, the following complementary rules should be observed:

- The selection of trivial passwords (BBBBBB, 123456) must be prevented.
- Every user must be able to change his own password at any time.
- For the initial log-on of new users, one-time passwords should be assigned, i.e. passwords which must be changed after their first use. In networks in which passwords are transmitted unencrypted, the constant use of one-time passwords is recommended (cf. S 5.34 Use of one-time passwords).
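As an added example, not part of the manual, the following Python code turns the S 2.11 rules above into checks an administrator could run: a policy check for a candidate password (length, non-letter character, trivial patterns, personal data, preset and reused passwords), a 90-day age check, and a probe that measures how many leading characters a login routine really compares, which the manual asks to be tested. The `personal`, `previous` and `vendor_defaults` inputs and the truncating login stand-in are constructed for illustration.

```python
import re
from datetime import date, timedelta
MIN_LENGTH = 6                      # S 2.11: at least 6 characters
MAX_AGE = timedelta(days=90)        # S 2.11: change regularly, e.g. every 90 days
TRIVIAL = {"BBBBBB", "123456"}      # the examples named in the manual (constructed list)

def is_trivial(pw):
    """Single repeated character, a straight run like 123456/abcdef, or a listed value."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1}) or pw.upper() in TRIVIAL

def check_password(pw, personal=(), previous=(), vendor_defaults=()):
    """Return the S 2.11 rules the candidate password violates (empty list = acceptable).
    personal: names, licence numbers, birth dates etc. known about the user (constructed)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 6 characters")
    if not re.search(r"[^A-Za-z]", pw):
        problems.append("no digit or special character")
    if is_trivial(pw):
        problems.append("trivial password (e.g. BBBBBB, 123456)")
    if any(item and item.lower() in pw.lower() for item in personal):
        problems.append("contains a name, licence number or date of birth")
    if pw in vendor_defaults:
        problems.append("preset manufacturer password not replaced")
    if pw in previous:
        problems.append("previous password reused")
    return problems

def password_expired(last_changed, today):
    """True once the 90-day change interval has been exceeded (dates as ISO strings)."""
    return date.fromisoformat(today) - date.fromisoformat(last_changed) > MAX_AGE

def checked_length(verify, password):
    """Number of leading characters the login routine really compares: each position
    of a known-good password is altered in turn, and if login still succeeds that
    position is ignored (the manual requires this number to be tested)."""
    for i, ch in enumerate(password):
        alt = "x" if ch != "x" else "y"
        if verify(password[:i] + alt + password[i + 1:]):
            return i
    return len(password)

# Constructed stand-in for a system that silently compares only the first 8 characters.
SAMPLE_SECRET = "Kx7#pLq9zW2!"
def truncating_login(candidate):
    return candidate[:8] == SAMPLE_SECRET[:8]
```

Running `checked_length(truncating_login, SAMPLE_SECRET)` reports 8, showing that a 12-character password offers only 8 characters of protection on such a system.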

IT Baseline Protection Manual: October 2000