
University of Wisconsin-Madison HIPAA Security Best Practices Guidelines #6

1. Guideline Name: Password Management

2. Definition and Purpose: Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of HCC's entire network. As such, all HCC employees (including contractors and vendors with access to HCC systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

3. Reference to HIPAA Standard: Security Management Process (161.308(a)(1)); Information Access Management (161.308(a)(4)); Security Awareness and Training (161.308(a)(5)); Access Control (161.312(a)); Person or Entity Authentication (164.312(d)).

4. Description of Best Practice Guideline:

A. Passwords must be changed regularly. The change interval is chosen by the department based on risk assessment and should not exceed 2 years. The use of password history files is recommended.

B. Passwords must not be inserted into email messages or other forms of electronic communication unless protected.

C. Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).

D. Passwords should not be shared with others. In cases where password sharing is unavoidable, restricted accounts should be established to protect information resources.

General Password Construction Guidelines. A strong password:

1. Is a passphrase, typically composed of multiple words or acronyms.
2. Contains both upper and lower case characters (e.g., a-z, A-Z).
3. Has digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./).
4. Is at least 6 alphanumeric characters long.
5. Is not a word in any language, slang, dialect, jargon, etc.
6. Is not based on personal information, names of family, etc.




Password Management Guidelines:

1. Passwords, if they need to be written down or stored on-line, must be stored in a secure place separate from the application or system that is being protected by the password.
2. An escrow account of mission-critical system and user passwords should be maintained in a secure environment.
3. One should not use the "Remember Password" feature of applications (e.g., Eudora, Outlook, Netscape Messenger) unless the system or application has the means to encrypt the "remembered password".
4. If an account or password is suspected to have been compromised, report the incident to the HCC Security team and change all passwords.
5. Password cracking or guessing may be performed on a periodic or random basis by the HCC Security team or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.

Application developers must ensure their programs contain the following security precautions:

1. Should support authentication of individual users, not groups.
2. Should not store passwords in clear text or in any easily reversible form.
3. Should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
4. Should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
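As an added illustration that is not part of the guideline itself, the following Python checks a candidate password against construction rules 2 to 6 above and stores it only as a salted, one-way digest as developer precaution 2 requires. The word list and the personal details are constructed assumptions; rule 1 (use a passphrase) is not mechanically checkable and is left to the user.

```python
import hashlib
import hmac
import os
import re
import string

# Constructed assumptions: a real deployment loads a full dictionary and the
# account holder's profile fields instead of these small sample sets.
WORDLIST = {"password", "welcome", "summer", "letmein", "madison"}
PUNCTUATION = set(string.punctuation)
PBKDF2_ROUNDS = 200_000


def check_password(candidate, personal_info=()):
    """Return the construction rules (numbered as in the guideline) that fail.
    Rule 1 (use a passphrase) is not mechanically checkable and is left to the user."""
    failures = []
    lowered = candidate.lower()
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        failures.append(2)  # rule 2: both upper and lower case characters
    if not (any(c.isdigit() for c in candidate) and any(c in PUNCTUATION for c in candidate)):
        failures.append(3)  # rule 3: digits and punctuation as well as letters
    if sum(c.isalnum() for c in candidate) < 6:
        failures.append(4)  # rule 4: at least 6 alphanumeric characters
    if re.sub(r"[^a-z]", "", lowered) in WORDLIST:
        failures.append(5)  # rule 5: a dictionary word, even with digits or symbols around it
    if any(len(item) >= 3 and item.lower() in lowered for item in personal_info):
        failures.append(6)  # rule 6: built from personal information such as a family name
    return failures


def store_password(candidate):
    """Developer precaution 2: keep only a salted, one-way PBKDF2-HMAC-SHA256 digest, never clear text."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(candidate, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)
```

The per-user random salt means two accounts with the same password produce different stored values, so a leaked table cannot be reversed with a single precomputed lookup.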


5. Reference Documents and Websites:

A. The SANS Institute Security Policy Sample - Password Policy. See Policy.pdf.
B. Ross Anderson, Security Engineering, chapter 2 (Wiley, 2001) [Cambridge].
C. Rick Smith, Authentication: From Passwords to Public Keys (ISBN 0-20161599-1, Addison-Wesley, 2002). See [University of Minnesota].

6. Document Revision History:

Date Revised    Revised by
9/24/2003       Theresa J. Regge
11/5/2003       Theresa J. Regge
12/4/2003       UW HIPAA Security II Taskforce, Regge
12/10/2003      UW HIPAA Security II Committee, Regge

