Password Management Policy (Sample)
Purpose
The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.
Scope
The scope of this policy includes all personnel who have, or are responsible for, an account (or any form of access that supports or requires a password) on any business application system (including G-Suite) that resides at any facility, has access to our network, or stores any non-public internal information.
General Guidelines
a) All system-level passwords (e.g., root, enable, Windows administrator, application administration accounts, etc.) must be changed at least once every 180 days.
b) All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every 90 days.
c) Most of the Business Applications use an internal ID, which is firstname.lastname@company.com or firstnamelastname@company.com, as the User ID. They are accessed via single sign-on through Google G Suite.
d) For system resources, such as SNMP, the username (or community strings) must be defined as something other than the standard defaults of "private" and "system" and must be different from the passwords used to log in interactively.
e) All user-level and system-level (G-Suite) passwords must conform to the standard guidelines.