Password Policy - Portals
The objective of this policy is to establish a standard for creating strong passwords, protecting passwords, and the frequency for changing passwords, reducing the risk of unauthorized access and exploitation of Icanio Technology Labs Private Limited (Icanio) Information Assets.
Information Assets include, but are not limited to, computer equipment, hand-held or mobile devices, operating systems, applications, storage media, network accounts, email, cloud services, voicemail, internet browsing capabilities, and remote access capabilities owned or leased by Icanio.
This policy applies to:
- All staff members working for Icanio who have access to Icanio's and/or client's information.
- All staff members, vendors, and third-party employees who have access to Icanio’s information processing systems and the data contained in them. This includes the data accessed by licensed third parties, which is, in turn, deployed to and used by their clients.
- All stakeholders and interested parties who are relevant to the operations of Icanio.
The Chief Information Security Officer (CISO) is responsible for implementing and communicating this policy throughout the company and for auditing user compliance with this procedure.
The Information Security Team, comprising the HR Manager and the Information Technology team, is responsible for the implementation of the policy.
All users of Icanio and client technologies are responsible for following this policy.
4.1 Network Passwords
Network passwords expire every 180 days and must be changed to enable continued access to email, the PC desktop, Windows file shares, the Internet, and other applications accessed through the network.
All passwords must meet the following guidelines, except where technically infeasible:
- Must contain at least twelve (12) alphanumeric characters.
- Must contain at least two (2) non-alphabetic characters and at least three (3) alphabetic characters.
- At least one (1) alphabetic character must be upper-case and at least one (1) must be lower-case.
- User must not use a password that is the same as any of the last four passwords previously used.
- Associates must create strong passwords.
- To help prevent identity theft, personal or fiscally useful information such as Aadhaar or credit card numbers must never be used as a user ID or a password.
- All passwords are considered Private information and should be handled according to Icanio's Data Privacy Policy. As such, they should never be written down or stored online unless adequately secured.
- The same password should not be used for access needs external to Icanio (e.g., online banking, benefits, etc.).
- Passwords should not be inserted into email messages or other forms of electronic communication.
- If a password is suspected of being compromised, it should be changed immediately, and the incident reported to the Icanio help desk.
- Password cracking or guessing may be performed on a periodic or random basis by IT Security. If a password is guessed or cracked during one of these scans, the password owner will be required to change it immediately.
- Verify when users create or update passwords, that the passwords are not found on the organization-defined list of commonly used, expected, or compromised passwords.
- Allow and encourage users to select long passwords and passphrases, including spaces and all printable characters.
- Employ automated tools to assist the user in selecting strong passwords and authenticators.
- Ensure passwords are changed whenever there is any indication of possible system or password compromise.
- Require that default vendor passwords must be altered following the installation of systems or software.
- Force temporary passwords to be changed at the first log-on.
- Require immediate selection of a new password upon account recovery.
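The composition, blocklist and history rules in 4.1 can be enforced mechanically at password change time. The following Python is an added example written for this page, not code from Icanio or any product it uses. It assumes the "twelve alphanumeric characters" rule means a minimum total length of 12 (spaces and other printable characters are allowed, per the passphrase rule), that previous passwords are held only as salted scrypt hashes (which is also the kind of non-reversible storage 4.3.2 asks for), and it uses a small constructed blocklist in place of the organization-defined list of common or compromised passwords.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the organization-defined list of commonly used,
# expected or compromised passwords (assumption: a real deployment loads this
# from a maintained file or a breach-corpus lookup service).
COMMON_PASSWORDS = {"password", "password1234", "welcome2024", "icanio2024!"}

MIN_LENGTH = 12       # "at least twelve characters" (read as total length)
MIN_ALPHA = 3         # at least three alphabetic characters
MIN_NON_ALPHA = 2     # at least two non-alphabetic characters
HISTORY_DEPTH = 4     # must differ from the last four passwords


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted scrypt hash stored as 'salt_hex$digest_hex'.

    The hash is not reversible, so the history check below never needs an
    old password in clear text. Work factors here are illustrative; tune them
    to the deployment's hardware.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def check_password(candidate: str, previous_hashes: list) -> list:
    """Return the policy rules the candidate violates (empty list = accepted).

    previous_hashes holds the user's earlier passwords as hash_password()
    output, newest first.
    """
    failures = []
    # Spaces and all printable characters are allowed; control characters are not.
    if not candidate.isprintable():
        failures.append("contains non-printable characters")
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    alpha = [ch for ch in candidate if ch.isalpha()]
    non_alpha = [ch for ch in candidate if not ch.isalpha()]
    if len(alpha) < MIN_ALPHA:
        failures.append(f"fewer than {MIN_ALPHA} alphabetic characters")
    if len(non_alpha) < MIN_NON_ALPHA:
        failures.append(f"fewer than {MIN_NON_ALPHA} non-alphabetic characters")
    if not any(ch.isupper() for ch in alpha):
        failures.append("no upper-case letter")
    if not any(ch.islower() for ch in alpha):
        failures.append("no lower-case letter")
    if candidate.lower() in COMMON_PASSWORDS:
        failures.append("on the list of common or compromised passwords")
    # Reuse check against the last four passwords, done on hashes only.
    for stored in previous_hashes[:HISTORY_DEPTH]:
        if verify_password(candidate, stored):
            failures.append("matches one of the last four passwords")
            break
    return failures


if __name__ == "__main__":
    history = [hash_password("Old Passphrase 2023!")]
    for pw in ["Tr0ub4dor & Ride 2024", "password1234", "Old Passphrase 2023!"]:
        print(repr(pw), "->", check_password(pw, history) or "accepted")
```

The checker returns every violated rule rather than stopping at the first, so the change-password page can show the user a complete list; the blocklist lookup is case-insensitive because attackers try case variants of common words as a matter of course.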
4.2 Remote Access Passwords
Anyone accessing critical financial systems, or systems interacting with Confidential or Highly Confidential data remotely must use two-factor authentication.
Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely.
4.3 IT Department
4.3.1 System Passwords
All system-level passwords (e.g., root, enable, Windows Administrator, application administration accounts, etc.) must be changed on at least an annual basis.
User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
All system-level passwords must be strong passwords.
4.3.2 Application Passwords
Application developers must request application passwords from Information Technology and develop their applications to:
- Not store passwords in clear text or in any easily reversible form. At a minimum, passwords should be encoded.
- Provide for some sort of role management wherever possible, such that one user can take over the functions of another without having to know the other's password.
- Authenticate individual users, not groups.
4.3.3 User Accounts
When setting up user accounts, never send the complete account credentials in the same electronic transmission. Instead, send them out-of-band. For example, send the account name or ID via email and provide the password separately.
4.4 Icanio device (desktop/laptop) Administrator Passwords
Admin passwords for client devices must be changed at least every six months.
Where technically and administratively feasible, attempts to guess a password should be automatically limited to ten incorrect guesses. Access should then be locked for a minimum of ten minutes unless a local system administrator intercedes.
Failed attempts should be logged, unless doing so would record or display the password that was tried. It is recommended that these logs be retained for a minimum of 30 days.
New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required, or the infrastructure and software are no longer in use.
4.5 Icanio Administrator Passwords
Passwords for servers must be changed as related personnel changes occur.
If an account or password is suspected to have been compromised, the incident must be reported to the Chief Information Security Officer (CISO), and potentially affected passwords must be changed immediately.
Uniform responses should be provided for failed attempts, producing simple error messages such as "Access denied". A standard response minimizes the clues an attacker could gather from error messages.
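The lockout rule in 4.4 (ten incorrect guesses, then a ten-minute lock unless an administrator intercedes, with failed attempts logged but never the attempted password) and the uniform "Access denied" response in 4.5 fit together in one login gate. The Python below is an added example for this page, not code from Icanio or any system it runs; the credential check is injected as a callable (assumption: the application already has one), the clock is injectable so the lockout window can be tested, and the log line format is constructed for illustration.

```python
import logging
import time
from dataclasses import dataclass
from typing import Callable

MAX_FAILED_ATTEMPTS = 10        # ten incorrect guesses (4.4)
LOCKOUT_SECONDS = 10 * 60       # locked for a minimum of ten minutes (4.4)
DENIED = "Access denied"        # one uniform message for every failure (4.5)

log = logging.getLogger("auth")


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class ManualClock:
    """Clock whose time is set explicitly, used so lockout expiry is testable."""
    def __init__(self, now: float = 1_700_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


class LoginGuard:
    def __init__(self, verify: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.time):
        self._verify = verify        # returns True only for a valid credential
        self._clock = clock
        self._accounts: dict = {}

    def is_locked(self, username: str) -> bool:
        state = self._accounts.get(username)
        return bool(state) and self._clock() < state.locked_until

    def unlock(self, username: str) -> None:
        """Administrator intercedes before the lockout window has elapsed."""
        self._accounts[username] = AccountState()
        log.info("account unlocked by administrator user=%s", username)

    def attempt(self, username: str, password: str, source: str) -> tuple:
        """Return (success, message). The message is identical for an unknown
        user, a wrong password and a locked account; details go to the log only."""
        now = self._clock()
        state = self._accounts.setdefault(username, AccountState())
        if now < state.locked_until:
            log.warning("auth failure user=%s src=%s reason=locked", username, source)
            return False, DENIED
        if state.locked_until:
            # Lock has expired: start a fresh window of ten guesses.
            state.failed_attempts, state.locked_until = 0, 0.0
        if self._verify(username, password):
            state.failed_attempts = 0
            log.info("auth success user=%s src=%s", username, source)
            return True, "OK"
        state.failed_attempts += 1
        # The password that was tried is deliberately never logged.
        log.warning("auth failure user=%s src=%s count=%d",
                    username, source, state.failed_attempts)
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            log.warning("account locked user=%s until=%.0f", username, state.locked_until)
        return False, DENIED


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    clock = ManualClock()
    # Constructed credential store for the demo; a real check calls the hash verifier.
    guard = LoginGuard(lambda u, p: (u, p) == ("alice", "Tr0ub4dor & Ride 2024"), clock)
    for _ in range(MAX_FAILED_ATTEMPTS):
        guard.attempt("alice", "wrong guess", "198.51.100.7")
    print(guard.attempt("alice", "Tr0ub4dor & Ride 2024", "198.51.100.7"))  # still locked
    clock.now += LOCKOUT_SECONDS + 1
    print(guard.attempt("alice", "Tr0ub4dor & Ride 2024", "198.51.100.7"))  # lock expired
```

Note that a correct password submitted during the lock window is refused with the same "Access denied" as a wrong one, and that the log records the user, source and failure count but never the submitted password, which keeps the 30-day log retention in 4.4 from becoming a store of near-miss credentials.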
4.6 Password Protection Guidelines
- Always use different passwords for Icanio accounts from other non-Icanio accounts (e.g., Facebook, Twitter, LinkedIn, personal ISP account, option trading, benefits, etc.).
- Never use your PC/Network password for cloud applications.
- Where possible, use different passwords for each Icanio system.
- Do not share Icanio passwords with anyone, including administrative assistants and Help Desk associates.
- Passwords are classified as Highly Confidential data according to the Data Classification Policy.
- Never write down passwords or store them online without encryption.
- Do not speak about a password in front of others.
- Do not hint at the format of a password (e.g., "my family name").
- Do not reveal a password on questionnaires or security forms.
- If someone demands a password, refer them to this policy and direct them to Information Security.
- Always decline the use of the "Remember Password" feature of applications (e.g., Facebook, Twitter, LinkedIn, etc.).
- If you suspect your account or password is compromised, report the incident to Information Security or call the Help Desk.
This policy will be enforced by the IS Manager and/or IT Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of Icanio property (physical or intellectual) are suspected, Icanio may report such activities to the applicable authorities.
Compliance with this policy and its supporting policies shall be audited on a yearly basis; exceptions identified during the audit shall be immediately and appropriately addressed.
The security policy shall be reviewed annually, unless there is a major change in the organization or in the environment affecting the organization, in which case it shall be reviewed as needed.
The security policy shall also be reviewed and revised whenever a major security risk or an incident is identified.
ISO 27001:2022
- A.5.17 - Authentication Information
- A.8.5 - Secure authentication
1.0 | 01.10.2024 | Green IT Ventures | Initial release | Jebastin Prabhaharan | CEO
This is to confirm that I have read and understood the above mentioned policy.