Policy 7230A - Department of Administration
four: upper case letters, lower case letters, numbers, and special characters.
  o Very low and low risk systems must have passwords at least six characters in length that make use of two of the four: upper case letters, lower case letters, numbers, and special characters.
• Where tokens, smart cards or other physical devices are used as authenticators they must be sourced from reputable manufacturers.
4.1.1.d User ID and Authenticator Lifespan Management
• User IDs must have a minimum lifespan equivalent to the term of affiliation with the agency.
• Authenticators must have a lifespan according to the risk categorization of the system:
  o Very high and high risk systems must have passwords with a maximum lifespan of thirty days, a minimum lifespan of thirty days and a repeat frequency of twelve passwords.
  o Medium risk systems must have passwords with a maximum lifespan of sixty days, a minimum lifespan of thirty days and a repeat frequency of eight passwords.
  o Very low and low risk systems must have passwords with a maximum lifespan of ninety days, a minimum lifespan of fifteen days and a repeat frequency of four passwords.
4.2. Account Management
No applicable Mandatory Baselines.
4.3. Session Management
No applicable Mandatory Baselines.
4.4. Maintain Records
Agencies must capture documentation appropriate to all access control processes:
• Document and retain copies of issued user identifiers and authenticators.
Mandatory Baselines<br />