Password Policy V1.0
THE COMPANY is legally established with the main purpose of providing electronic retail
payment switching and clearing, card issuance and management, and related infrastructure
services for the wider implementation and use of electronic retail payment services in the financial
sector and the country at large.
To support these businesses, The company owns and operates different kinds of
appliances such as user computers (client PCs), database and application systems (administrative PCs), servers,
security (endpoint) devices, email and other processing devices.
The proper operation of these appliances has a great impact on the performance and influence of
The company. Moreover, the appliances must be secured to guarantee and achieve the
objectives and mission set by The company. Implementing a security policy plays a significant and
unavoidable role in properly securing the different appliances of The company.
Passwords are a means by which a user proves whether or not he or she is authorized to use a computing
device. Unauthorized access is a potentially major problem for anyone who uses a computer or
high-tech device. The consequences for victims of these break-ins can include the loss of
valuable data, so for organizations like EthSwitch that handle financial data and PII (card holder
information), such incidents can be catastrophic.
Password policies are unquestionably essential to security, but they are not the only method that
can or should be used to protect The company's computers and devices. Any time a system gets
hacked, the first thing to do is change the password; it is a smart move that prevents
stolen credentials from being used to gain access to users' accounts. In addition to creating a
good password, The company staff must know how to safeguard it and use it wisely.
In today's cyber world, hackers and cyber-criminals are continuously finding new ways to gain
access to these devices in order to steal or exploit the critical information within. Careless use of
passwords can be as bad as leaving one's computing devices unprotected and open. For
this reason, The company and its employees must create and protect their passwords with care.
Developing and implementing a strong password policy is key to helping The company staff
safeguard the critical systems The company relies on every day. The full negative effect of a
compromised account can sometimes take months or years to be felt. Given the nature of the
information The company deals with online each day, there is no room to be relaxed about our
approach to account security.
Keeping The company's users, systems and resources secure today requires a combined effort:
strong password policies, and staying on top of the latest best practices not only for user account
password security but for information security as a whole.
1. Purpose
To establish a standard for The company for the creation of strong passwords, the protection of those
passwords and the frequency of change, and to encourage The company staff to apply strong
passwords, use them properly and enhance the security of computers, systems, servers, email and applications.
2. Scope
The scope of this policy comprises all The company staff/employees who have access to, or are
responsible for, an account that supports or requires a password to access any service, computer,
system, email or other device that resides at a The company facility or in the cloud.
3. Objective
Implementing this password policy at The company aims to:
• Significantly reduce the likelihood of a security breach, and of a hacker cracking a user password
and gaining access to a device
• Prevent The company staff passwords from being easily guessed
• Enforce the well-known "need to know" principle of access restriction
• Make The company staff passwords easy to remember but hard to guess
• Prevent and restrict unauthorized access to The company infrastructure, computing and
endpoint devices, applications, databases, and physical and virtualized devices
• Comply with regulatory standards such as PCI DSS
4. Responsibility statement
• Who approves the document? Who implements it? Who checks and controls it?
5. Policy
5.1 Policy Statement
The company employees/staff are responsible for protecting their computer or system login
and password credentials and shall comply with the password parameters identified in this policy.
The company computer or system user passwords must meet the complexity requirements
outlined below and must not be shared with or made available to anyone in any manner that is not
consistent with this policy/procedure.
Based on best practice:
Users holding system-level accounts such as admin/root/sudo shall have a unique password for those accounts,
different from the other accounts held by the user.
If a user's session is idle for a period of 15 minutes, the user shall be logged off the session.
Computing devices shall not be left unattended without enabling a password-protected
screensaver or locking the device.
5.2 Password Requirement
Minimum requirements for The company staff account passwords are:
• At least eight (8) characters for a password and fifteen (15) characters for a passphrase
• A combination of at least three (3) of the following four (4) character types:
uppercase letters, lowercase letters, numbers and non-alphanumeric characters
• At least one (1) lowercase letter, one (1) uppercase letter and one (1) number (a password
meeting this bullet automatically meets the three-of-four rule above)
5.3 Passphrase
Users can, and are encouraged to, use a passphrase to tighten the security of their account.
Passphrases should be unique to the user.
• Use at least fifteen (15) characters
• Incorporate all four character types (a space or special character can be used to separate
words or phrases in order to add complexity)
• Use a phrase that is easy to remember and hard to guess
• Abbreviate most of the words in the phrase to increase complexity
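The following is an added worked example, not part of the policy text, showing how the 5.2 and 5.3 rules above translate into a checker that an enrolment or password-change form could call. It also applies the login-name rule from section 5.16. Two assumptions are made that the policy does not spell out: whitespace counts as a non-alphanumeric character (5.3 allows a space between words), and "any variation of the login name" is approximated by a case-insensitive substring match.

```python
"""Checker for the password and passphrase rules in sections 5.2 and 5.3.

Added illustration; not part of the policy document.
Assumptions: whitespace counts as a non-alphanumeric character (5.3 allows
a space to separate passphrase words), and the login-name rule from
section 5.16 is applied as a plain case-insensitive substring test.
"""

PASSWORD_MIN_LEN = 8      # 5.2: at least eight characters for a password
PASSPHRASE_MIN_LEN = 15   # 5.2/5.3: at least fifteen characters for a passphrase
MIN_CLASSES = 3           # 5.2: at least three of the four character types
ALL_CLASSES = {"lower", "upper", "digit", "special"}


def character_classes(secret: str) -> set:
    """Return which of the four character types occur in the secret."""
    classes = set()
    for ch in secret:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            # Punctuation, symbols and spaces are all "non-alphanumeric".
            classes.add("special")
    return classes


def check_password(secret: str) -> list:
    """Apply the minimum 5.2 rules. Returns a list of violations (empty = compliant)."""
    problems = []
    if len(secret) < PASSWORD_MIN_LEN:
        problems.append(f"shorter than {PASSWORD_MIN_LEN} characters")
    classes = character_classes(secret)
    if len(classes) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of the 4 character types")
    # The third 5.2 bullet names three mandatory types. Meeting it always
    # satisfies the three-of-four rule above, so this is the test that bites.
    for required in ("lower", "upper", "digit"):
        if required not in classes:
            problems.append(f"missing a {required} character")
    return problems


def check_passphrase(secret: str) -> list:
    """Apply the stronger 5.3 rules: fifteen characters and all four types."""
    problems = []
    if len(secret) < PASSPHRASE_MIN_LEN:
        problems.append(f"shorter than {PASSPHRASE_MIN_LEN} characters")
    missing = ALL_CLASSES - character_classes(secret)
    if missing:
        problems.append("missing character types: " + ", ".join(sorted(missing)))
    return problems


def evaluate(secret: str, username: str = "") -> dict:
    """Combine the checks the way an enrolment or change form would.

    'compliant' means the mandatory 5.2 minimum (plus the 5.16 login-name
    rule) is met; 'passphrase' additionally reports whether the secret meets
    the encouraged 5.3 standard.
    """
    problems = check_password(secret)
    if username and username.lower() in secret.lower():
        problems.append("contains the login name")
    return {
        "compliant": not problems,
        "passphrase": not check_passphrase(secret),
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    for secret, user in [("Abcdef12", "jdoe"),
                         ("abcdefgh", "jdoe"),
                         ("Correct horse battery staple 2024", "jdoe"),
                         ("jdoe2024Secret", "jdoe")]:
        print(repr(secret), evaluate(secret, user))
```

The checker treats 5.2 as the gate and 5.3 as a separate, reported-only standard, because the policy encourages passphrases rather than requiring them. Note that a value such as "correct horse battery staple" fails both: it is long, but it has only lowercase letters and spaces, so it meets neither the three-of-four rule nor the mandatory uppercase-and-digit bullet.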
5.4 Password Duration/Expiration
The company employees shall change passwords at least once every three (3) months, and the
minimum age before a password may be changed again is seven (7) to ten (10) days (to comply with PCI DSS).
I think you should be specific for some of them:
e.g. All system-level passwords (e.g. root, enable, admin…) shall be changed at least once in 90
All user-level passwords (e.g. email, web, desktop, computer, etc.) shall be changed at least once
every two months
5.5 Password Review/ Inspection
The company (system administrator) shall monitor/track password status and changes continuously.
5.6 Reuse Interval/Password History
The company staff shall not reuse a password for at least five (5) generations. (comply with
5.7 Email notification
The company staff receive an email notification prior to password expiry, reminding them to change their
password before it actually expires.
To: EthSwitch staff
Subject: Password Expiry
Dear User/EthSwitch,
Your password will expire in one week's time.
System Administrator
N.B. The template of the email will follow The company email usage policy. Refer to the EthSwitch
email policy.
5.8 Password Storage
Passwords shall be memorized and never written down or recorded along with the corresponding account
information or usernames.
Passwords must not be stored by unencrypted computer applications such as email. Use of
an encrypted password storage application is acceptable, although extreme care must be taken to
protect access to that application.
5.9 Password Sharing and Transfer
Passwords shall not be transferred or shared with others unless the user obtains appropriate
authorization to do so. When it is necessary to disseminate passwords in writing, reasonable
measures shall be taken to protect the password from unauthorized access. When communicating
a password to an authorized individual orally, take measures to ensure that the password is not
overheard by unauthorized individuals.
When an employee takes extended leave, his/her user name and password shall be disabled, and when an employee
resigns or is transferred, he/she shall hand over credentials to the immediate supervisor.
Password protection policy
Passwords shall not be revealed in an email message
Passwords shall not be revealed to the boss, to family members or to co-workers by any means
Users shall not talk about passwords in front of others
Users shall not hint at the format of their password (e.g. "my family name")
5.10 Electronic Transmission
Passwords shall not be transferred electronically over the Internet using insecure (unencrypted) methods.
5.11 Password Reset
A user password is reset when it is either forgotten or expired.
All password reset requests shall be initiated only after authenticating the user through
other appropriate means.
All temporary passwords shall be communicated to the end user in a secure manner.
Temporary passwords shall expire after their first use or after a predefined time period.
A user receiving a new password shall change it to a different one on first logon.
5.12 Account Lockout
After three (I recommend this from other experience) unsuccessful/invalid logon attempts,
the EthSwitch S.C. user account shall be locked out for fifteen minutes.
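As an added illustration, not part of the policy, the lockout rule in 5.12 implemented as a small tracker with an injectable clock, so the fifteen-minute window can be exercised without waiting. The policy does not say whether the failure counter resets after a successful logon or after a lockout expires, nor whether attempts made during a lockout extend it; this example assumes reset in both cases and no extension, so an attacker hammering a locked account cannot keep its legitimate owner locked out indefinitely.

```python
"""Account lockout counter for section 5.12: three failed logons lock the
account for fifteen minutes.

Added illustration; not part of the policy document. The clock is injectable
so the behaviour can be exercised without waiting. Assumptions: the failure
counter resets on a successful logon and when a lockout expires, and
attempts made while locked do not extend the lockout.
"""
import time
from dataclasses import dataclass

MAX_FAILURES = 3             # 5.12: three unsuccessful attempts
LOCKOUT_SECONDS = 15 * 60    # 5.12: fifteen-minute lockout


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # clock value; 0.0 means not locked


class LockoutTracker:
    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._accounts = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        return self._state(user).locked_until > self.clock()

    def record_attempt(self, user: str, credential_ok: bool) -> str:
        """Return 'locked', 'ok' or 'failed'.

        Call this for every logon attempt and act on its result before acting
        on the password check, so a locked account rejects even a correct
        password and the lockout cannot be used as a password oracle.
        """
        state = self._state(user)
        now = self.clock()
        if state.locked_until > now:
            return "locked"             # still inside the lockout window
        if state.locked_until:
            state.locked_until = 0.0    # an earlier lockout has expired
            state.failures = 0
        if credential_ok:
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self.max_failures:
            state.locked_until = now + self.lockout_seconds
            return "locked"
        return "failed"


class ManualClock:
    """Test clock: time only moves when advance() is called."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate() -> list:
    """Three wrong passwords, a correct one during lockout, then one after."""
    clock = ManualClock()
    tracker = LockoutTracker(clock=clock)
    outcomes = [tracker.record_attempt("alice", False) for _ in range(3)]
    outcomes.append(tracker.record_attempt("alice", True))   # rejected: locked
    clock.advance(LOCKOUT_SECONDS)
    outcomes.append(tracker.record_attempt("alice", True))   # lockout expired
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

The tracker is keyed by the user name as presented, so a guessing attacker gets the same "locked" response whether or not the account exists, which avoids leaking valid account names through different lockout behaviour.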
5.13 Reporting a Suspected Compromise or Breach
If a user believes his/her password has been compromised, or is asked to provide the password to
another individual, he/she shall immediately notify/report the incident to the relevant contact: The
company information security or system administration teams.
5.14 Noncompliance
Violation of this policy/guideline may incur disciplinary measures and consequences, including
progressive disciplinary action up to and including termination of employment.
Any device that does not meet the minimum security requirements outlined in this
policy/guideline may be removed and disabled from The company infrastructure/network until
the device can comply with this policy/standard.
5.15 Exceptions
The company staff receive a prompt forcing them to change their password, or a staff member may
change their password prior to the expiry date by presenting a valid
justification and obtaining prior approval from their immediate boss; the password shall be changed if any of
these situations apply:
• Malware is running on the user's computer system, computing and endpoint devices, email
or other devices
• After the disclosure of an intrusion into The company infrastructure, systems or applications
• After receiving a notification of unauthorized access to a user account
• The user shared the password with someone who no longer needs access to the account
• The user logged on to a public or shared computer
• More than six months have passed since the user last changed their password
To request a security exception, contact the information security team and the system administrator.
5.16 Best Practice
• Use a passphrase that contains symbols, numbers, words and punctuation to create
longer, more complex safeguards
• Do not use the same password for every site, application and service
• Install freely available password manager software, but it is mandatory to check the
health of the software before deployment (free of malicious code and trojan horses)
• Choose a password that is easy to remember but hard to guess
• Avoid using the login name or any variation of the login name as the password
• Avoid personal information including names, important dates, pets, etc.
• Limit the number of failed login attempts
• At least four (4) characters must be changed when a new password is created
• Never share a password
• All system default passwords shall be changed before going into operation
• Passwords shall not be written down or physically stored anywhere in the office
• Do not use the "Remember Password" feature on websites and applications
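Two of the rules above need server-side state to enforce: the five-generation reuse window in section 5.6 and the "at least four characters changed" item in this list. The following added example, which is not part of the policy, shows one way to implement both in a password-change handler. It assumes the history holds the five most recent passwords (the current one included) as salted PBKDF2 hashes, never plaintext, and reads "four characters changed" as a Levenshtein edit distance of at least four from the current password. That distance can only be measured at change time, the one moment the current plaintext is legitimately in hand, which is also why the handler verifies the supplied current password before trusting it.

```python
"""Password-change check for section 5.6 (no reuse within five generations)
and the 5.16 rule that at least four characters must change.

Added illustration; not part of the policy document. Assumptions: the
history keeps the five most recent passwords (the current one included) as
salted PBKDF2 hashes; "four characters changed" is read as a Levenshtein
edit distance of at least four from the current password.
"""
import hashlib
import hmac
import os
from collections import deque

HISTORY_GENERATIONS = 5    # 5.6
MIN_CHARS_CHANGED = 4      # 5.16
# Kept low so the example runs quickly; production systems should use a
# dedicated password hash (Argon2id, bcrypt) or a far higher iteration count.
PBKDF2_ITERATIONS = 50_000


def hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


class PasswordHistory:
    def __init__(self, generations=HISTORY_GENERATIONS):
        # (salt, digest) pairs, oldest first; the deque drops the oldest
        # entry automatically once `generations` entries are stored.
        self._entries = deque(maxlen=generations)

    def _store(self, secret: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, hash_secret(secret, salt)))

    def set_initial(self, secret: str) -> None:
        self._store(secret)

    def generations_ago(self, secret: str):
        """1 if secret is the current password, 2 for the one before, ...
        None if it is not within the stored history."""
        for age, (salt, digest) in enumerate(reversed(self._entries), 1):
            if hmac.compare_digest(hash_secret(secret, salt), digest):
                return age
        return None

    def change(self, current: str, new: str) -> list:
        """Validate and apply a change; returns violations (empty = changed)."""
        if self.generations_ago(current) != 1:
            # Never trust the caller's claim about the current password.
            return ["current password does not match the stored password"]
        problems = []
        age = self.generations_ago(new)
        if age is not None:
            problems.append(f"reuses the password from {age} generation(s) ago")
        distance = levenshtein(current, new)
        if distance < MIN_CHARS_CHANGED:
            problems.append(f"only {distance} character(s) differ from the current password; "
                            f"at least {MIN_CHARS_CHANGED} required")
        if not problems:
            self._store(new)
        return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real ones.
    history = PasswordHistory()
    history.set_initial("Winter2024!Snow")
    print(history.change("Winter2024!Snow", "Winter2025!Snow"))   # too similar
    print(history.change("Winter2024!Snow", "Summer2025!Rain"))   # accepted
```

Because the reuse test hashes the candidate under each stored salt, the check costs one password hash per stored generation; with five generations that is a bounded and acceptable cost on a change request, but it is one reason not to set the history depth arbitrarily high.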
6. Related Standards, Policies and Processes
6.1 Password Policy Acknowledgment Form
After reading this password policy, please sign the acknowledgment form and submit it to The
company Chief Corporate Service Office, Human Resources. By signing below, the staff member confirms
that he/she will implement the password policy on the devices he/she has access privileges to. Furthermore, the
undersigned also acknowledges that he/she has read and understands this policy before signing
this form. A user's device will be revoked or disabled from The company infrastructure until this
acknowledgment form is signed by the staff member and his/her immediate boss. After
completion, the form is filed in the individual's human resources file or in a folder specifically
dedicated to the password policy and maintained by IT Infrastructure (system administrator) and
the Information Security department. These acknowledgment forms are subject to internal audit.
I have read the Password Policy. I understand the contents and will abide by this policy. I further
understand that should I commit any violation of this policy, my access privileges may be
revoked and disciplinary action and/or appropriate legal action may be taken.
Employee Name
Employee signature
CEO/CCOO/COO/Director/Manager Name
7. Definitions/Terms
Cybercrime: a crime that involves a computer and a network; computer-oriented crime
Encryption: the process of converting information or data into a code, especially to
prevent unauthorized access
Guideline: a general rule, principle or statement by which to determine a course of action
Information security: the practice of preventing unauthorized access, use, disclosure, disruption,
modification, inspection, recording or destruction of information
Need to know: the restriction of data, allowing only the minimum required
data/information to perform one's task. Nothing more, nothing less
Passphrase: a sequence of words or other text used to control access to a computer
system, program or data
Password: a string of characters that allows access to a computer system or service
PCI DSS: Payment Card Industry Data Security Standard
PII: Personally Identifiable Information, any data that could potentially be used
to identify a particular person
Policy: a deliberate system of principles to guide decisions and achieve rational
outcomes. A policy is a statement of intent, and is implemented as a
procedure or protocol
8. Revision history
Review Schedule
Review Interval: Two Year
Next review due by: June 2022
Next review start: July 2022
Approved by:
Version History
Version | Date | Date of Change | Summary of Change