Policy No. IS206

Passwords on Information Systems

Corporate Policy Manual
Category: Information Systems
Title: Passwords on Information Systems / Effective Date:
Policy Number: IS206 / Revision Date: March 15, 2010

1.0  Purpose

Passwords allow access to the majority of information systems that are accessed at CPS. As such, they shall be properly protected to ensure that they do not pose a risk to the organization. This policy defines guidelines for password construction, use, and management.

2.0  Personnel

PPS Incorporated and its affiliates CPS, IPS, CPS MedManagement, LLC, CPS MedManagement Puerto Rico, Inc, RxRemoteSolutions, Inc, and any other affiliates (referenced as CPS).

3.0  Reference and Related Documentation

·  HIPAA Security Rule, 45 CFR § 142.308(a)(12)(i), Awareness Training

·  HIPAA Security Rule, 45 CFR § 142.308(a)(12)(ii), Periodic Security Reminders

·  HIPAA Security Rule, 45 CFR § 142.308(a)(12)(v), User Education in Password Management

·  American Recovery and Reinvestment Act of 2009 (ARRA)

4.0  Definitions

·  Password – A confidential alphanumeric and/or character string used in conjunction with a user I.D. to verify the identity of the individual attempting to gain access to a computer system.

5.0  Policy

5.1  User Passwords:

A.  All users will create passwords that are at least 8 characters in length:

1.  It is required that passwords be mixed alphanumeric characters using upper case letters, lower case letters and numbers (e.g. Passw0rd).

2.  Users are strongly encouraged to use symbols (e.g. !*&@/}) when creating passwords to make them more difficult to guess.

3.  Users are strongly discouraged from using common words or the names of family members or pets as passwords.

4.  When changing a password, it is advisable to select an entirely new combination of letters and numbers.

5.  Do not use a common word or phrase and merely adjust the number at the end (e.g. Smith01, Smith02, etc.).

B.  Users will not write passwords down or save a password in an electronic file on, near or around their computers.

C.  Users will not share, disclose or provide a password to anyone, except as noted below:

1.  For technical support purposes, a user may be asked to provide Information Systems (IS) support staff with his/her user ID and password.

2.  A user will change his/her password after service has been completed.

D.  Users may use the same password across multiple CPS systems.

E.  Users will not use CPS passwords on external or Internet-based systems.

F.  Users who have administrative access to systems will use different passwords for each system.

G.  If a user becomes locked out of a system, he/she will contact the CPS IS Help Desk or the site’s administrator for a password reset.

5.2  System Configurations for Passwords

A.  Systems will be configured to prevent users from reusing any of their past 5 passwords.

B.  Systems will be configured to require users to change their password at least every 90 days.

C.  Systems will be configured to lock out a user from the system after at least 3 consecutive failed login attempts.

D.  All system default user accounts will have the password reset before the system is set into production (e.g. guest and administrator accounts will be changed on Windows systems).

Effective: April 1, 2010