Agenda Item #6.
Regular Council
STAFF MEMO
Meeting: Regular Council - Dec 09 2021
Staff Contact: Merlene Reid, Director, HR & Risk Management
Department: HR
Personnel Policy Addition - Passwords 3.8a
SUMMARY:
In order to maximize password security and minimize its misuse or theft, Personnel Policy Passwords
(3.8a) has been created to establish the Village's requirements for acceptable password selection and
maintenance. It impacts all persons with an account or any form of access that requires a password on
any system in a Village facility. It is anticipated that this policy, when combined with other internal
policies, will significantly strengthen the Village's ability to remain safe from malicious intrusions.
This document and any attachments may be reproduced upon request in an alternative format by completing
our Accessibility Feedback Form, sending an e-mail to the Village Clerk or calling 561-768-0443.
POTENTIAL MOTION / DIRECTION
Passwords 3.8a ADA
VILLAGE OF TEQUESTA
PERSONNEL POLICY
TITLE: PASSWORDS
POLICY: 3.8a
EFFECTIVE: December 9, 2021
REVISED: New
PAGES:
CONTENTS: This policy consists of the
following numbered sections:
I. Purpose
II. Policy Statement
III. Scope
IV. Procedure
I. PURPOSE:
To establish the Village of Tequesta's requirements
for acceptable password selection and maintenance in
order to maximize password security and minimize its
misuse or theft.
II. POLICY STATEMENT:
Passwords are the most frequently used form of
authentication for accessing a computing resource.
They are often the weakest link in securing data due to
the use of weak passwords, the proliferation of
automated password-cracking programs, and the
activity of malicious hackers and spammers. Password
use must therefore adhere to the terms of this policy.
III. SCOPE:
The scope of this policy includes all personnel who
have or are responsible for an account (or any form of
access that supports or requires a password) on any
system that resides at any Village of Tequesta facility,
or has access to The Village of Tequesta network. The
Village Manager, Departmental managers, and
security and/or system administrators are also
expected to set a good example through a consistent
practice of sound security procedures.
IV. PROCEDURE:
Greater risks require a heightened level of protection.
Stronger passwords, augmented with alternate security
measures such as multi-factor authentication, will be
added in such situations. High risk systems include but
are not limited to systems that provide access to
critical or sensitive information, controlled access to
shared data, a system or application with weaker
security, and administrator accounts that maintain the
access of other accounts or provide access to a security
infrastructure. Certain multi-factor authenticators will
require employees to use their personal cell-phones in
the authentication process. This usage is minimal and
will not place any added costs or burden on the
employee.
In general, a password's strength will increase with
length, complexity and frequency of changes.
Consequently, all passwords (email, web, desktop
computer, etc.) will be strong passwords and follow
the standards listed below.
1. All passwords must meet the following
minimum standards, except where technically
infeasible:
• be at least fourteen characters in length
• contain at least one lowercase character
• contain at least one number
• contain at least one special character
• contain at least one uppercase character
• cannot contain your first name, last name,
or username
• cannot match your last three passwords
2. To help prevent identity theft, personal or
fiscally useful information, such as Social
Security or credit card numbers must NEVER
be used as a user ID or a password.
3. All passwords are to be treated as sensitive
information and should therefore never be
written down or stored on-line unless
adequately secured.
4. Passwords should not be inserted into email
messages or other forms of electronic
communication.
5. Passwords that could be used to access sensitive
information must be encrypted in transit.
6. The same password should not be used for
access to accounts external to The Village of
Tequesta (e.g., online banking, benefits, etc.).
7. It is recommended that passwords be changed
at least every six months. Windows network
password change will be compelled every 365
days.
8. Individual passwords should not be shared with
anyone, including administrative assistants or
IT administrators. Shared passwords used to
protect network devices, shared folders or files
require a designated individual to be
responsible for the maintenance of those
passwords, and that person will ensure that only
appropriately authorized employees have
access to the passwords.
9. If a password is suspected to have been
compromised, it should be changed
immediately and the incident reported to the IT
Department.
10. Password cracking or guessing may be
performed on a periodic or random basis by the
IT Department or its delegates. If a password is
guessed or cracked during one of these scans,
the password owner will be required to change
it immediately.
11. A user incorrectly entering their password will
be locked out of The Village of Tequesta
network after 5 attempts. They will need to
contact the IT Department to unlock their
account and will be required to reset their
password.
APPROVAL:
JEREMY ALLEN, VILLAGE MANAGER
TEQUESTA, FLORIDA