Complete | Requirement | Action | Comment |
---|---|---|---|
Must Not | Password Dissemination | Any and all passwords must be kept secret, known only to the person who created them. Under no circumstances should a user give a password to anyone unless law enforcement requires it. Discuss with your lawyer in the event of a legally required disclosure. Passwords should not be given to management, technical professionals, or anyone else who asks for them. | |
Must | Password Entropy | All passwords must meet all of the following requirements: 1) be at least 8 characters long; 2) contain at least one digit; 3) contain at least one lower-case letter; 4) contain at least one upper-case letter; 5) contain at least one character that is neither a letter nor a number. | |
Must | Desktop Locking | Any time you physically leave your workstation, or any other host that has a user input or output device attached (for example a keyboard, mouse or monitor), either lock the screen, lock the shell, or log out completely. | |
Should Not | Password Reuse | People should not reuse passwords in environments where there is no single sign-on covering everything. This is especially important for password-protected keys, encrypted shares, and access to personal sites such as retirement and bank accounts. Reuse is not always avoidable, but use different passwords wherever it is possible. | |
Should Not | Software installation | Users should not install any software that is not approved. Contact your helpdesk for more information - To be filled out. Advanced or power users who run programs or scripts that have not been installed by the helpdesk may be liable for any damage they do. Where possible, scripts and programs should not be run as your normal user account, especially if that account has access to sensitive passwords or keys. | |
Must Not | Relocate information offsite | Information contained on file shares, in databases or on your workstation should be assumed to have a non-sharable license. As such, it should not be transferred offsite without the express written consent of both the CIO (To be filled out) and the CSO (To be filled out). This includes printed copies and data in any form. | |
Must | Key Security | Any keys kept on any host must be readable only by the owner of that key. | |
Must | Encryption Backups | Users who use encryption keys must have those keys backed up to a location that can be taken offline, ideally a USB key or similar device. This device must be kept in a secure location and connected to a host only while a backup is being made or while a key from that device is being used. The filesystem holding this key backup should be encrypted. | |
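One way to check compliance with the Key Security row above (an added example, not part of this policy document): a Python script that reports private key files which are not owned by the current user or which carry any group or world permission bit. It assumes a POSIX host and defaults to the `~/.ssh` directory; the function names are illustrative.

```python
import os
import stat
import sys

# Any group or world permission bit on a private key violates the policy
# ("readable only by the owner of that key").
GROUP_OR_WORLD = stat.S_IRWXG | stat.S_IRWXO


def key_file_violations(mode, owner_uid, current_uid):
    """Return the policy violations for one key file, given its raw st_mode,
    its owner uid and the uid of the user who should own it.
    Pure function so the rules can be tested without touching the filesystem."""
    problems = []
    if owner_uid != current_uid:
        problems.append("owned by uid %d, not the key's user (uid %d)" % (owner_uid, current_uid))
    if mode & GROUP_OR_WORLD:
        problems.append("mode %o grants group/other access; expected 0600" % stat.S_IMODE(mode))
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")  # symlinks can point outside the protected directory
    return problems


def audit_key_path(path, current_uid=None):
    """Stat one key file without following symlinks and report its violations."""
    if current_uid is None:
        current_uid = os.getuid()  # POSIX only (assumption)
    st = os.lstat(path)
    return key_file_violations(st.st_mode, st.st_uid, current_uid)


def audit_key_dir(directory):
    """Audit every private key (every non-.pub file) in directory; return {path: [problems]}."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".pub"):
            continue  # public halves may legitimately be world-readable
        path = os.path.join(directory, name)
        if os.path.isdir(path):
            continue
        problems = audit_key_path(path)
        if problems:
            report[path] = problems
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.ssh")
    findings = audit_key_dir(target)
    for path, problems in findings.items():
        print("%s: %s" % (path, "; ".join(problems)))
    sys.exit(1 if findings else 0)
```

Run it as the key's owner; a non-zero exit code means at least one key in the directory does not meet the policy.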