Cyber Security Policy Manual

IT Administrators

1. Configure password parameters in systems and applications according to the password configurations defined in this policy

IT Service Desk

1. Reset account passwords if needed
2. Troubleshoot failed logins and other account login issues

POLICY

1) Requests for account creation and system access must be made through the IT Service Desk at 373.2322. The IT Service Desk must assign requests related to account creation and system access to the Cyber Security Analyst.
2) Requests for privileged and service accounts must be reviewed and approved by the Cyber Security Team.
3) Employees, consultants and contractors must complete, agree to and sign the Third Party Access Policy before an account is created.
4) Each user account must be unique and have an owner assigned to it to ensure that access to systems and applications is restricted by unique user account.
5) User accounts must follow the naming standard that complies with the City of Greensboro naming standard requirements (Lawson ID or Last Name, First Initial).
6) Access rights must be provided following the principles of least privilege and need to know.
7) Role-based access control must be used to ensure that users are assigned the proper access. Division Managers must determine the proper role to assign to each user in order to perform their job function within the system or application. Role security (if available) must be used to ensure that users have the proper access to tasks and functions within the system or application.
8) Identification, authorization and accounting mechanisms must be implemented to securely link users with access rules and prevent unauthorized access to systems and applications.
9) Access to confidential information must be restricted to authorized users whose job responsibility requires it as determined by Division Managers.
10) User password length must be a minimum of 14 characters.
11) Users must change their passwords every 365 days.
12) User accounts must be locked out after 5 failed login attempts with lockout duration set to forever or until the IT Service Desk or local IT team unlocks the account.
13) Users must keep their passwords secure and they must not write them down or share them with anyone. Passwords must be changed immediately if compromised or suspected of being compromised.
14) IT Service Desk or local IT team must use secure methods to communicate passwords to users.
15) Passwords must be encrypted or hashed when stored in the system or application.
