TETON COUNTY ADMINISTRATIVE POLICIES
Password Management
Revision Date: 11/23/15
Original Issue Date: 11/23/15
Number of Pages: 2
Approved: BOCC
See also "Computers, Technology & Information Security Policy"

Employee passwords are the first line of defense in securing the county from inappropriate or malicious access to data and services. Compromised user accounts can become "stepping stones" for administrator-level penetration by unauthorized individuals, resulting in catastrophic data breaches. This policy provides guidelines for consistent and secure password management and includes mandates on how passwords should be generated, used, stored and changed, as well as instructions for handling password compromises. Every county employee, contract worker, consultant, and elected official must adhere to this policy.

General Requirements. The following guidelines should always be followed when creating, managing and storing passwords:

1. Blank or easily-guessed passwords such as "password" or "12345" are prohibited.
2. Passwords should not contain dictionary words such as "kitchen" or "automotive."
3. Passwords must be complex, containing at least 8 characters and a mixture of lower case, upper case, numbers and punctuation characters. For example, "1331ltOWer!" should be used in place of "Belltower" as it is considerably more secure.
4. Passwords should never contain security-sensitive information such as social security numbers or date of birth. Passwords should also not include public information related to an employee's personal life, such as the names of their children, hobbies, favorite sports team, etc.
5. Use different passwords on different systems. A Windows account password should not be the same as a Quickbooks password.
   It is especially critical that passwords used to log on to "external accounts" (such as third-party websites like Facebook) are not the same passwords used to log on to "internal accounts" (such as your County computer or email). Using different passwords protects internal accounts from data breaches that may occur on external accounts.
6. Passwords should not be sent through email, texting or instant messaging services.
7. Ideally, passwords should not be written down. However, if a password is written down, the password must be kept in a secure location not visible to others. Never put user names and passwords on notes stuck to monitors or other visible locations.
8. The IT department will never ask you for passwords, but will, instead, set temporary passwords for employees who cannot log into their accounts.
9. When configuring security questions designed to protect against lost passwords, always choose fact-based questions such as, "What street did you grow up on?" rather than opinion-based questions such as, "What is your favorite food?" (Opinion-based questions are more difficult to remember since opinions change over time.) Never pick security questions with answers that could be easily researched such as, "Where did you go to high school?"

Device Management Strategies. Any device on which County information is stored must be secured with a password. Always lock screens/devices when away or not in use. Pressing "Windows-L" will immediately lock a Windows screen with the logged-on user's password. Screen savers that auto log users out after a certain time are another good option. Employees should avoid using public systems or un-trusted devices to access County resources since these may have been configured to steal passwords or log keystrokes.
Passwords must not be stored on insecure devices, meaning smartphones, tablets or computers that do not have password protection and do not use encrypted storage. Biometrics may be used for authentication to County systems but must not replace the use of passwords. Keep in mind that the best security model is "two-factor authentication," something you have (a door card) and something you know (a password).