Password Policy
Objective of Login-ID and Password Policy
To prevent unauthorized users from accessing critical systems or processing critical information of the company, and to control and monitor the access of internal and external users.
Policy Applicability of Login-ID / Password
The policy is applicable to all operating systems, database software and application software used by BOISL. Whenever a software feature does not support this policy, the Deputy Chief Manager will decide on the usage of such software.
Responsibilities
The system administrator is responsible for maintaining password security controls for all database, application and operating systems on the server. Users are responsible for their own accounts and passwords.
Policy Statement
- Login-IDs should be sufficiently long.
- Passwords should be sufficiently long and difficult to crack.
- The systems should force periodic change of passwords.
- Repeated unsuccessful login attempts should be tracked.
- Passwords will be stored on disk in encrypted form only.
Procedure
Procedure for system administrator of databases and operating systems
- The login-id should have at least 3 characters and should not exceed 8 characters.
- The login-id can contain special characters as well as alphanumeric characters.
- The password should be at least 8 characters in length.
- The password should have at least one alphanumeric character; special characters may also be used if required.
- The password used should not be the same as the login-id.
- When prompted to change the password, a new password has to be used; the old password may subsequently be reused.
- The first password would be initially allotted by system administrator.
- The SA would ensure that users are prompted to change the password every 15 days, irrespective of whether the user has actually used the said system during those 15 days.
- The user's password should be locked in the event of 3 continuous unsuccessful attempts to log in. The system administrator has to periodically monitor the system log file to check for such events.
- The SA, after verifying the facts, shall unlock passwords for users whose password got locked.
- All backup passwords for critical user-ids should be kept in the IT department. The identified critical user-ids and their passwords should be kept in a sealed envelope in a safe, signed by two officials (DCM / CA & IT). If the relevant user is absent, the corresponding sealed envelope may be opened with the permission of DCM (IT) / CA. The password should then be changed immediately and a new sealed envelope prepared. A logbook of such incidents should be maintained. The same procedure applies to the supervisor and root passwords.
Procedure for users of databases and operating systems
- The user has the option to change the password before its expiry by logging into the system.
- The user has to change this password at the time of the first login.
- On unsuccessful attempts to unlock the password, the user has to approach the system administrator.
Procedure for system administrator of application systems
These procedures apply to the following applications available in the company and shall extend to any new applications developed or procured by the company in future.
- DP Back-office system
- Stamp duty system
The administrator should ensure that:
- The login-id should have at least 3 characters and should not exceed 8 characters.
- The login-id should have alphanumeric characters and no special characters.
- The password should have at least 8 characters in length and should not exceed 16 characters.
- The password should have only alphanumeric characters and no special characters.
- The password should not be the same as the login-id and should not have any resemblance whatsoever to the login-id.
- The first password would be initially allotted by the system by default. The user would be prompted to change the password every 15 days, irrespective of whether the user has actually used the said system during those 15 days.
- The user has the option to change the password before its expiry by logging into the BOISL system.
- None of the last 8 passwords can be reused in its entirety.
- The user's password should be locked in the event of 3 continuous unsuccessful attempts to log in.
- The SA, after verifying the facts, shall unlock the said password.
- The unsuccessful attempts made by any user should be stored in a log, which needs to be monitored periodically by an IT officer.
- The software should enforce a password change following the initial logon.
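The application-system rules above (3 to 8 character alphanumeric login-id, 8 to 16 character alphanumeric password, no resemblance to the login-id, no reuse of the last 8 passwords, lockout after 3 continuous failed attempts, administrator unlock) can be expressed as a single checker that an application would run at password change and at login. The following is an added example written for this policy, not code from BOISL's systems. The rule constants come from the policy; the definition of "resemblance" (case-insensitive containment or reversal of the login-id), the salted PBKDF2 storage of the password history, and the `Account` class are assumptions.

```python
import hashlib
import re
import secrets
from dataclasses import dataclass, field

# Rule constants as stated in the policy for application systems.
LOGIN_ID_MIN, LOGIN_ID_MAX = 3, 8
PASSWORD_MIN, PASSWORD_MAX = 8, 16
HISTORY_DEPTH = 8
MAX_FAILED_ATTEMPTS = 3
ALNUM = re.compile(r"[A-Za-z0-9]+")


def _hash(password: str, salt: bytes) -> bytes:
    # The policy requires passwords on disk in "encrypted form only"; here the
    # history is kept as salted PBKDF2 hashes (an assumption, never clear text).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_login_id(login_id: str) -> list[str]:
    """Return the list of policy violations for a proposed login-id."""
    errors = []
    if not LOGIN_ID_MIN <= len(login_id) <= LOGIN_ID_MAX:
        errors.append(f"login-id must be {LOGIN_ID_MIN}-{LOGIN_ID_MAX} characters")
    if not ALNUM.fullmatch(login_id):
        errors.append("login-id must be alphanumeric only")
    return errors


def resembles_login_id(password: str, login_id: str) -> bool:
    # The policy forbids "any resemblance" without defining it. Assumed test:
    # case-insensitive containment in either direction, or the reversed login-id.
    p, l = password.lower(), login_id.lower()
    return l in p or p in l or l[::-1] in p


@dataclass
class Account:
    login_id: str
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash)
    failed_attempts: int = 0
    locked: bool = False

    def reused(self, password: str) -> bool:
        # Compare against the last HISTORY_DEPTH stored hashes (includes current).
        recent = self.history[-HISTORY_DEPTH:]
        return any(secrets.compare_digest(_hash(password, salt), h) for salt, h in recent)

    def check_new_password(self, password: str) -> list[str]:
        """Return the list of policy violations for a proposed new password."""
        errors = []
        if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
            errors.append(f"password must be {PASSWORD_MIN}-{PASSWORD_MAX} characters")
        if not ALNUM.fullmatch(password):
            errors.append("password must be alphanumeric only")
        if password == self.login_id or resembles_login_id(password, self.login_id):
            errors.append("password must not resemble the login-id")
        if self.reused(password):
            errors.append(f"password must differ from the last {HISTORY_DEPTH} passwords")
        return errors

    def set_password(self, password: str) -> list[str]:
        """Store the password if it passes every check; return the violations."""
        errors = self.check_new_password(password)
        if not errors:
            salt = secrets.token_bytes(16)
            self.history.append((salt, _hash(password, salt)))
        return errors

    def current_matches(self, password: str) -> bool:
        if not self.history:
            return False
        salt, h = self.history[-1]
        return secrets.compare_digest(_hash(password, salt), h)

    def attempt_login(self, password: str) -> bool:
        # Three continuous failures lock the account; a success resets the counter.
        # A locked account rejects even the correct password until the SA unlocks it.
        if self.locked:
            return False
        if self.current_matches(password):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False

    def admin_unlock(self) -> None:
        # Performed by the SA after verifying the facts, per the policy.
        self.locked = False
        self.failed_attempts = 0
```

Each failed `attempt_login` call is where the application would also write the log entry the policy requires the IT officer to review; the lock state is deliberately checked before the password so that a locked account cannot be used to confirm a guess.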
Procedure for users of application systems
- The user has to change his password at the time of the first login to any application.
- On consecutive unsuccessful attempts to unlock the password, the user has to apply in writing to the system administrator.
- User passwords should remain confidential and should not be shared, posted or otherwise divulged in any manner.
- The user should use a password-protected screen saver, which should activate within 5 minutes of idle time.