feat: adds some draft policies
All checks were successful
ci / build_and_publish (push) Successful in 23s
All checks were successful
ci / build_and_publish (push) Successful in 23s
This commit is contained in:
parent
1ad26e6266
commit
f66adc0b65
9 changed files with 4710 additions and 2 deletions
147
policies/password_auth.bs
Normal file
147
policies/password_auth.bs
Normal file
|
|
@ -0,0 +1,147 @@
|
|||
<h1>Passwords and Authentication Policy</h1>
|
||||
<pre class="metadata">
|
||||
Status: DREAM
|
||||
Local Boilerplate: header yes, copyright yes, defaults yes
|
||||
Boilerplate: status no
|
||||
TR: https://www.sr2.uk/policies/password-auth/
|
||||
Shortname: password-auth
|
||||
Complain About: accidental-2119 yes
|
||||
No Editor: true
|
||||
!Version: 1.0
|
||||
Abstract: A policy defining an effective authentication management procedures when conducting company-related business.
|
||||
</pre>
|
||||
|
||||
# Objective # {#objective}
|
||||
|
||||
This policy defines an effective authentication management procedures when conducting company-related business and
|
||||
includes the:
|
||||
|
||||
* issuing and selection of strong authentication methods and credentials;
|
||||
* protection of secret authentication credentials;
|
||||
* frequency of change in terms of authentication credentials;
|
||||
* reporting of any suspected breach or lost authentication credentials;
|
||||
* use of authentication methods with third party systems (including cloud technology).
|
||||
|
||||
Authentication is a key method of securing our information – choosing weak authentication methods, or failing to keep
|
||||
the authentication credentials secure, places the confidentiality of our data at risk.
|
||||
|
||||
# Scope # {#scope}
|
||||
|
||||
The scope of the policy covers all individuals either employed or contracted to work with or for the company, either
|
||||
in-office or remotely.
|
||||
|
||||
# Definitions # {#definitions}
|
||||
|
||||
: Authentication method
|
||||
:: Any method by which a user may authenticate themselves in order to gain access to a location, data or service, such
|
||||
as text entry (e.g. passwords, passphrases, PINs), biometrics (e.g. fingerprints), etc.
|
||||
: Authentication credentials
|
||||
:: The specific data or information used by a user to authenticate themselves, including but not limited to passwords,
|
||||
passphrases, PINs, and biometric data.
|
||||
: Multi-Factor Authentication (MFA)
|
||||
:: An authentication method that requires the user to provide two or more verification factors to gain access, such as
|
||||
something they know (e.g., password), something they have (e.g., a security token or mobile device), and/or
|
||||
something they are (e.g., biometric data).
|
||||
: Cloud-based system
|
||||
:: A service or platform hosted over the internet that allows users to access data, applications and services remotely.
|
||||
: Password manager
|
||||
:: A software product used for the secure storage of passwords, which must be approved for use, and includes functions
|
||||
for generating strong passwords compliant with this policy.
|
||||
|
||||
# Policy # {#policy}
|
||||
|
||||
Authentication method covers any methods by which a user may authenticate themselves in order to gain access to a
|
||||
location, data or service, such as text entry (e.g. passwords, passphrases, PINs), biometrics (e.g. fingerprints), etc.
|
||||
The company ensures that authentication credentials are kept confidential by:
|
||||
|
||||
- storing authentication credentials in a secure manner;
|
||||
- changing manufacturer default authentication credentials and disabling guest accounts on all equipment;
|
||||
- issuing new users with temporary authentication credentials, which must be changed at first login to a stronger
|
||||
alternative (defined later);
|
||||
- authentication credentials issued to new users are done so in a secure manner (e.g. never in clear text via an email);
|
||||
- changing all multi-user credentials (e.g. for communal equipment) used by an employee in the event that their
|
||||
employment ends;
|
||||
- ensuring that access to user credentials is limited to ICT administrators for the purpose of resetting, revoking or
|
||||
problem resolution – authentication methods may only be reset once the identity of the user has been verified;
|
||||
- locking accounts after 5 failed login attempts in order to dissuade brute-forcing attempts;
|
||||
- training staff in the use of digital password managers, and the risks of storing passwords in any other form (such as
|
||||
a notebook at their workstation, or Post-It note).
|
||||
|
||||
Users must ensure that they do all they can to maintain the confidentiality of their authentication credentials by
|
||||
never:
|
||||
|
||||
- using company authentication credentials for any other account they hold (including personal accounts such as home
|
||||
utilities, email, online shopping services, etc);
|
||||
- having a physical copy of their credentials;
|
||||
- using a non-approved method for password generation;
|
||||
- entering authentication credentials on non-company equipment (for example, home or public access PCs);
|
||||
- revealing authentication credentials to anyone, including line managers, unless relaying information on temporary
|
||||
credentials which are changed immediately upon next login. This includes never
|
||||
sharing authentication credentials with co-workers (e.g. whilst on annual leave);
|
||||
- discussing authentication credentials in front of others.
|
||||
|
||||
## Password Authentication ## {#passwords}
|
||||
|
||||
Many services and policies only allow for password authentication methods, and so they are given a special focus here.
|
||||
Strong passwords MUST be used for authentication. The company defines a strong password as one generated by one of two
|
||||
processes: random string generation by a password manager or using diceware [[!EFF-DICE]].
|
||||
|
||||
Where a password is to be stored in a password manager, it MUST be randomly generated by the password manager with the
|
||||
parameters:
|
||||
|
||||
- having a minimum number of 14 characters in length;
|
||||
- using longer passwords where permitted by the service;
|
||||
- including a mixture of numbers, upper and lower case letters, and special characters.
|
||||
|
||||
Where special characters are not possible due to technical restrictions, the minimum length is 20 characters.
|
||||
|
||||
For the avoidance of doubt, weak passwords must never be used. Weak, text-based authentication credentials generally
|
||||
have one or more of the following characteristics:
|
||||
|
||||
- credential is the same, or partly the same, as the username;
|
||||
- names of family members, friends, or pets are used;
|
||||
- personal information about yourself or family members which can be easily found from social networking sites,
|
||||
including date of birth, phone number, street name, etc.;
|
||||
- consecutive alphanumeric characters or keys on the keyboard, such as ‘abc123’ or ‘qwerty’;
|
||||
- dictionary words including the inclusion of a number or character at the start or end or substituting numbers or
|
||||
punctuation for letters, for example, ‘P@55w0rd’;
|
||||
- a known word from any language (which may not be in a dictionary).
|
||||
|
||||
For passwords that are intended to be memorised, the MUST be generated using diceware. The above restrictions likely
|
||||
will not be met using this method as the intention is to provide a strong password that is easy to remember, and the
|
||||
strength comes from the underlying dice rolls. Any other method of generating a passphrase MUST NOT be used even if it
|
||||
results in one that bears similarity to a diceware-generated passphrase.
|
||||
|
||||
Memorised passphrases generated with diceware SHOULD be used for:
|
||||
|
||||
- end-user device login passphrase;
|
||||
- password manager decryption passphrase.
|
||||
|
||||
## Multi-Factor Authentication ## {#mfa}
|
||||
|
||||
Wherever the option is offered by a given service or piece of software, multi-factor authentication is to be used (e.g.
|
||||
a fingerprint and a passphrase, or a voice sample, PIN and verification SMS).
|
||||
|
||||
Where a hardware token is in use to authenticate to a system without a password, the token itself MUST be secured with
|
||||
a memorised PIN of at least 6 digits.
|
||||
|
||||
## Credentials for Cloud-Based Systems and Online Portals ## {#cloud}
|
||||
|
||||
It is to be remembered that the company makes use of cloud-based technology and online portals, which may not enforce
|
||||
strong authentication credentials. It is therefore up to the individual to ensure a good authentication regime is
|
||||
maintained, which is as strong as that used within the organisation. In line with the company’s "Internet Use
|
||||
Policy", users shall:
|
||||
|
||||
- not create an online account for business purposes without authorisation from a director;
|
||||
- advise a director when there is no longer a need to have the online account in order to ensure that it is
|
||||
removed.
|
||||
|
||||
## Credential Compromise Policy ## {#compromise}
|
||||
|
||||
In the event of a credential compromise, users SHALL take immediate action to secure the account by resetting or
|
||||
invalidating the credentials and report the incident to a director as soon as practical.
|
||||
It is policy that any password compromise event will be shared with CiviCERT members via the MISP platform to allow for
|
||||
shared learning from the incident.
|
||||
Directors will be responsible for determining if a data breach notification is necessary to our clients or to the
|
||||
Information Commissioners Office.
|
||||
|
||||
Loading…
Add table
Add a link
Reference in a new issue