
Password Management Procedures

Obtaining A Unique User Identification or Changing Information

(Password Dispatching)

Step / Person in Charge / Action

1. To obtain a unique user ID for information systems other than network logon (switches, routers, load balancers, storage, firewalls, and other security products), contact the network manager.

2. Network Administrator: Implement the actions per request.

Maintain documentation for audit purposes.

Deleting A Unique User Identification

(Password Withdrawing)

1. HR Supervisor: When an employee terminates employment with Xx, immediately request deletion of the user account.

If the account needs to remain accessible for a limited time (maximum 75 working days beyond termination of employment), contact the network administrator to request a new, temporary password for the account, to be given to the supervisor.

2. Network Administrator: If the account is to close immediately, delete the account and its contents.

If the supervisor has requested that the account remain temporarily open:

- Assign a new, temporary password and notify the requesting supervisor.

- Upon the effective date given on the submitted NBPCAPP1.0, Employee PC/Notebook/Account Application form, delete the account and its contents.

Request for Group Account

1. Division Manager: Determine and review the need for a group account.

Complete all areas of the NBGPAPP1.0, Group Account Application form, including the business justification, the names of the group account logon users, and their role(s).

Submit the NBGPAPP1.0, Group Account Application form to Xx management for approval.

2. Management: Review the request.

Approve or deny. Report the decision to the requesting manager.

If the application is for network logon, forward the approved request to the network administrator for implementation.

3. Network Administrator: Assign a unique group account.

Assign a password to be used only by the approved group users.

Notify the requesting manager and management of the new group account.

Add or Remove a User from a Group Account

(Password Sharing or Changing)

1. Division Manager: To add a user to a group account, give the user the password of the group account. Append this authorized user to the existing NBGPAPP1.0, Group Account Application form and submit it to the network administrator.

Notify the network administrator immediately when an employee leaves Xx or is transferred.

2. Network Administrator: Assign a new password to the group account when a user should no longer have access under that group account.

Notify the remaining approved users of this change.

Compromised Passwords

(Passwords Changing)

1. User: Immediately create a new password.

Notify the manager of the incident and the actions taken.

2. Division Manager: If a user's password has been compromised without their knowledge, inform the user of the compromise and of the need to create a new password.

If a reported incident is determined to be more than a single occurrence, or results in an unauthorized disclosure of confidential or sensitive information, immediately contact Xx Management.

Password Management Policy Exemption

1. Division Manager: For the purpose of maintaining, testing or debugging the systems on servers, the status of those servers may be changed to "Non-operating".

For the purpose of consistently exchanging data, for example accessing China Mobile data or platforms, the password must be changed according to a policy other than the Xx password management policy or procedures.

In these cases, the division manager involved shall apply to exempt these servers from the password management policy.

If the exemption is approved, forward the approved decision to the network manager.

3. Network Manager: Exempt the servers from the policy and procedures, and notify the network administrator not to apply the policy to these servers in the future.

Notify the requesting manager and Xx Management of the exemption.

Password Management Policy

Purpose:

The purpose of this policy is to establish guidelines for creating and protecting unique user identifications, group accounts and "strong" passwords.

Policy:

1. General

a. All authorized users with access to the XX network and information systems are responsible for taking appropriate steps to select and secure strong passwords.

b. Passwords shall be used in conjunction with unique user identifications or group accounts to control access to the XX network, computers, and information systems.

2. Scope

All individuals who have been granted access to the XX network, equipment and information systems, including but not limited to full- and part-time employees, temporary workers, volunteers, contractors, those employed by others to perform XX work, and others granted access, are covered by this policy and shall comply with this and associated policies, procedures, and guidelines.

Network includes but is not limited to switches, routers, load balancers, storage, firewalls, and other security products.

Computers include but are not limited to personal computers, notebooks and all kinds of servers.

Information systems include but are not limited to operating systems (Windows series, Linux, UNIX, etc.), databases, and dedicated systems such as mail, anti-virus, finance, CMS, and so on.

3. User / Group Identification

a. Unique Identification (User Account). Authorized users shall be assigned unique user identifications for access to XX network and information systems.

User identifications must be used only by the assigned user.

b. Group Account. In circumstances where there is a clear business need, a unique identification may be assigned for a group of users. Approval shall be obtained from the management, documented, and reviewed annually. Additional controls may be required to maintain accountability.

The important group accounts include root, apache, mysql, ftp, tomcat, administrators, etc.

4. Password Construction

a. Strong passwords must meet all the following criteria.

A. Length. All passwords must contain at least eight (8) characters. If the system cannot accommodate eight characters, the maximum number of characters the system allows shall be used.

B. Contain both alphabetic and numeric characters. All passwords shall contain at least one alphabetic (a-z) and one numeric character (0-9) as the system allows.

b. Passwords shall not be constructed by using personal information or words found in a dictionary.

c. Passwords shall not be constructed using alphabet letters in succession, such as abcd, aaa, bbb, or numbers in succession, such as 1234, 5432, 2468, 1111.

d. Password reuse. User-generated passwords shall not be reused.

e. Identical passwords. A password used to log on to one computer shall not be used again on any other computer.
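As an added example that is not part of the original policy, the following Python checker applies the construction rules of section 4 to a candidate password and reports which rules it breaks. The three-character window, the step sizes used to detect "succession", and the four-character minimum for word matching are this example's own assumptions; the policy lists examples (abcd, aaa, 1234, 5432, 2468, 1111) rather than a formal rule.

```python
import re

# Constructed sample word list; a deployment would load a real dictionary file.
DICTIONARY = {"password", "welcome", "dragon", "summer", "letmein"}

MIN_LENGTH = 8                  # rule 4.a.A
RUN_LENGTH = 3                  # assumption: three in a row is "in succession"
RUN_STEPS = (-2, -1, 0, 1, 2)   # abcd/1234 (+1), 5432 (-1), aaa/1111 (0), 2468 (+2)


def has_succession(pw: str) -> bool:
    """Rule 4.c: any RUN_LENGTH window that is all letters or all digits and
    whose neighbouring characters differ by one constant step in RUN_STEPS."""
    for i in range(len(pw) - RUN_LENGTH + 1):
        window = pw[i:i + RUN_LENGTH]
        if not (window.isalpha() or window.isdigit()):
            continue  # mixed windows such as "a1b" are not a run
        codes = [ord(c.lower()) for c in window]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if len(steps) == 1 and steps.pop() in RUN_STEPS:
            return True
    return False


def check_password(pw: str, history=(), personal=()) -> list:
    """Return the policy rules the candidate violates (empty list = accepted).

    history:  previous passwords of this user (rule 4.d).
    personal: personal details such as names or birth year (rule 4.b).
    """
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("4.a.A length < 8")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        violations.append("4.a.B needs a letter and a digit")
    # Substring match; words shorter than 4 characters are skipped so that
    # initials do not reject every candidate (assumption, not in the policy).
    words = {w.lower() for w in (*DICTIONARY, *personal) if len(w) >= 4}
    if any(w in pw.lower() for w in words):
        violations.append("4.b personal info or dictionary word")
    if has_succession(pw):
        violations.append("4.c letters or digits in succession")
    if pw in history:
        violations.append("4.d reuse of a previous password")
    return violations
```

Rules 4.d and 4.e need the caller to supply the user's password history (and, for 4.e, the passwords used on other computers) since the checker itself stores nothing.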

5. Password Disclosure

a. Recording passwords. Passwords of user IDs shall not be written down or otherwise recorded where they are accessible or recognizable by anyone else, such as taped to computer screens, stored under keyboards, or visible in a work area. Important passwords and their modification logs, which XX management requires to be recorded, shall be stored in an encrypted file, and this file shall be kept only in a confidential location determined by XX management.

b. Sharing passwords. Passwords of user IDs shall not be shared with or used by others. This includes a co-worker, manager, supervisor, friend, vendor, partner, information technology staff, administrative assistant, or others.

c. Automated logon prohibited. Macros, quick keys, shortcuts, or similar technology to automate entry of user IDs and/or passwords shall not be constructed or used on shared (public-use) computers.

d. Compromised password. A password shall be changed immediately when it has been compromised or when there is suspicion that it has been compromised.

6. Password Control

a. Password changes. Passwords shall be changed at least once every 60 days. Network and information systems shall require passwords to be changed every 60 days, where possible.

b. Initial or reset passwords issued by system administrators shall be valid only for the first log-on. Users shall create unique passwords at the first log-on or session.

c. Unsuccessful attempts. Five (5) consecutive unsuccessful attempts to access an XX network or information system shall suspend or disable the user's ability to log on.

d. Vendor default passwords shall be changed before any computer or communications system is released for production and used for XX business.

7. Compliance

a. Important passwords. A security agreement shall be signed by any user who is granted the important group accounts and their passwords.

b. Failure to comply with this policy and associated policies, standards, guidelines, and procedures may result in disciplinary actions up to and including dismissal from state service for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.
