User Security Settings and System Configurations Procedure

Purpose statement

This procedure defines the use, setup and configuration rules for passwords, user account settings and employee owned devices.

Scope

This procedure applies to all users, including town employees (including but not limited to full-time, part-time, students, volunteers, temporary staff and interns), elected officials, and any individual representing or acting on behalf of the town in any manner, who use or access town-provided Information Technology (IT) resources.

Procedure

User passwords:

  1. All users will be supplied a unique network password for their first logon attempt. When prompted by the system, immediately after the first login, users must change their password.
  2. Each password must adhere to the following criteria:
    a. Must not contain any two consecutive characters of the user name.
    b. Must be at least ten characters in length.
    c. Repeat passwords will not be accepted.
    d. Must contain characters from three of the following four categories: UPPERCASE characters [A-Z]; lowercase characters [a-z]; numbers [0-9]; and symbols [!, $, @, #, %].
  3. Passwords will expire every 90 days. Users will be prompted to change their password 14 days prior to its expiration, to avoid being locked out of the system.
  4. A history of previously used passwords will be maintained and passwords may not be reused. Users must select new passwords that are sufficiently different from their previous passwords. Passwords should not be written down and stored in places that may be in view of others.
  5. If a password has been incorrectly entered 5 consecutive times, the user account will be locked for 10 minutes. After 10 minutes, the account will unlock automatically and the user may attempt to log in again. Should the next series of attempts be unsuccessful, the account will require manual release by the IS Help Desk. At any time the user may contact the Help Desk to be unlocked and/or have their password reset.
  6. Passwords can be changed at any time while logged into the network using the CTRL+ALT+DEL combination of keys and selecting the “Change Password” option.
  7. Passwords should never be distributed or shared. Access to information may be provided to others through alternative methods such as shared network drives, user permissions for access to emails, etc. A password is linked to a particular user; therefore its usage is linked to that user's account and is subject to review when required.
  8. If a user feels their password has been compromised, they should contact the Help Desk to have the password reset, and/or notify their manager if they feel at risk.

Password Selection Guidelines:

Selecting a strong, unique and easy-to-remember password is difficult, and the difficulty tends to lead to passwords that are easy to guess. For example, a user who would use “password”, when confronted with complexity rules, will often choose “Password1” or “Password!”. When forced to change, that same user will likely move to “Password2” or “Password@”. To counter this, the following guidelines should be followed when selecting a new password.

  1. Make the password as long as possible. Longer passwords take orders of magnitude longer to crack with current technology, and are much harder to guess.
    a. For example, the password “!Summer1” meets all of the complexity requirements, but can be cracked by a specialized password cracking computer in under 20 hours (https://www.grc.com/haystack.htm).
    b. The password “!Great Password1” also meets all of the complexity requirements; however, it would take over one hundred billion centuries to crack on the same computer.
  2. To make the password easy to remember, use multiple words together. A line from a movie or book makes an excellent choice, as it will be long and easy to remember, and the punctuation at the end of the sentence (or within the sentence) meets the requirement for a character that is neither a letter nor a number.
    a. For example, the password “!My Dog has spots” meets all of the complexity requirements, is easy to remember and is extremely strong.

User account settings and types:

  1. All user accounts will be created in line with the principle of least privilege. Users will be assigned only the permissions and access needed to execute their roles and responsibilities.
  2. Programs, software and applications must be pre-approved by the IS department and proper licensing requirements must be met.
  3. Users can receive support from IS via Remote Desktop software but will be required to accept the incoming request to ensure confidential documents are not at risk. Users will also be notified when the remote connection has been disconnected.
  4. An approved list of administrators will be kept by IS listing administrators of systems, applications and networks and will be reviewed at minimum annually, and additionally where job change or separation occurs to minimize impact or risk.

System configurations:

  1. A non-removable, password-protected screensaver will be preset on every system and user account. The screensaver will time out after 20 minutes of inactivity and will require the user's Windows/network password to unlock the computer.
  2. All systems issued by IS will be configured based on the IS Access Request Application and standard programming build. Should changes be required after delivery, a new form will be required to process the requests.
  3. New versions of software or programs must first be tested and approved by IS. Any special needs or requests will require additional approval.
  4. Any additional software installed or configured by IS will be tested and approved prior to rollout to the town. Examples include anti-virus software, print queues, power-saving tools and communication tools.
  5. Users of town IT resources will not alter the configuration of hardware or software, remove programs or change settings without approval from the IS department.
  6. Software and hardware configurations will remain as standard and ‘out of the box’ where possible, to reduce the risk of customized applications and dependency for programming changes.
  7. Town equipment will use approved anti-virus tools which will be installed by a member of the IS department and shall not be altered, removed or uninstalled by the users of said resources.

Employee owned devices (BYOD – Bring Your Own Device):

  1. Mobile and employee-owned devices are subject to all IS policies and procedures for acceptable use and practices. The use of personal devices must be approved by the employee's reporting manager through the System Access Request process.
  2. In order to access town networks and corporate data, personal devices will have to be registered by the IS department with the inventory technology that is used to support all mobile devices containing corporate data or applications.
  3. The inventory technology:
    a. records the application software name and version, device serial number and associated staff name;
    b. ensures a device password is enabled and that the password follows town standards;
    c. ensures user configuration of town applications is locked and location services can be enabled.
  4. End users wishing to connect devices to the corporate provided networks are subject to remote monitoring and/or inspection by technology centrally managed by the IS department. Inventory technology will ensure proper authentication to networks and integrity to corporate information or documents.
  5. IS will manage security processes, policies and applications to ensure availability of networks using technologies that are protected and secure. Any attempt to bypass security measures will be considered a violation of IS+S policies and procedures and the device will be refused connection.
  6. In the event of a lost or stolen device, the employee agrees to notify the IS department to ensure that appropriate steps can be taken to protect company information which can include service disconnection, data lockout and/or remote removal of corporate data and applications.
  7. Business applications will be licensed and maintained by the IS department with the use of inventory technology. Requests for additional information or applications are to be requested through the submission of the System Access Request process. If approved, IS will update the inventory technology to enable the use of the requested corporate information or applications.
  8. Town provided devices and applications will be supported. However, the IS department is not responsible for and will not support personal devices or applications.
  9. The town is not responsible for any additional technology or communication costs associated with the staff using their own device.

COBIT framework objectives:

  • DS 5.5 – Security Testing, Surveillance and Monitoring
  • DS 5.9 – Malicious Software Prevention, Detection and Correction
  • DS 5.10 – Network Security
  • DS 9 – Manage the Configuration
  • DS 9.3 – Configuration Integrity Review
  • DS 5.4 – User Account Management

Responsibilities

Users

  • Adhering to the User Security Settings, System Configuration and Usage Procedure.
  • All activities on their personal accounts and their personal passwords.
  • Ensuring confidential information is handled appropriately.
  • Reporting any known or suspected violations to their supervisor or manager.

Management

  • Making employees aware of User Security Settings, System Configuration and Usage Procedure and reporting any breaches.
  • Ensuring that any town owned hardware/software is being used and regarded in the scope of the procedure listed above.

Information Systems

The IS department shall, in conjunction with departments, provide leadership, management and control over corporate data, application systems and software, in order to ensure that corporate strategies are supported and that the information used to manage the town is standardized, consistent and reliable.

  • Monitoring the use of IT resources to ensure compliance with the User Security Settings, System Configuration procedure.
  • Purchasing all computer hardware, software, video and communications technologies following town purchasing policies and guidelines.
  • Providing user manuals and other appropriate user tools for independent study by user departments, where appropriate.
  • Operating a help desk support service for user inquiries on all standard applications and acting as a consultant for approval of deviations from the standard.
  • All computer equipment installations, modifications, and relocations.