- | Ensure you change passwords at regular intervals, ‘even’ if you don’t receive any system notification |
- | Create smart combinations. (Smart combo.) For example, take the first two letters of your car’s make and combine it with the last two letters of your first school, and the first few digits of a number you know well to make up a password. Many automated programs used to “guess” passwords check for words in various dictionaries including medical, scientific and other dictionaries. |
- | Create a private acronym. (Think texting.) Consider using the first letters of a phrase you can easily remember. For example, “my first six string guitar was a Fender” becomes “mfsSGwaF”. Then add in digits and special characters to make it strong. A password such as “company123, yourname123 or asdfghjkl” is easy to guess. |
- | Never (under any circumstance) share your passwords or tokens/PINs with anybody. |
- | Never attempt (under any circumstance) to use the password/access credentials belonging to another User. |
- | Never use easily guessable passwords and PINs |
- | If you are part of a software development team, understand specific policy if any from Customer, on Access control & Authentication and follow the same. |
- | Never share with anyone, any customer-provided secure token cards and PINs/Passwords. |
- | Be cautious to log out of applications immediately after use. especially from public places like Cybercafes, Airports, free wireless hotspots etc. Ensure that your logon session has indeed ended. |
- | Ensure confidentiality of passwords/PINs used by you for voice communications/conferences over PSTN & VoIP phones. |
- | Do not write down or publicize your User credentials (including your personal ones) anywhere (hardcopy or electronic – especially on sticky notes, monitors, phone, keyboards, mouse pads, personal diaries, Calendars, free online storage & collaborative sites etc). The better way you adopt to create a password, lesser chance that you may forget. |
- | Never try accessing IT or Non-IT resources that you have no business authorization to use or access(including Customer Sites). |
- | Adhere to the your company password policy and access control policies at all times – even if a facility or application does not automatically enforce the same – Use complex passwords at all times (combination of alphanumeric, upper and lower case, and special characters). |
- | Use different passwords for different purposes (Eg: never use same password for official access and your access to personal email/social networking sites). |
- | If you no longer have a business need to access an application, you must voluntarily surrender access by raising an appropriate service request with the concerned application maintenance group, and ensure closure |
- | If you are moving within or outside projects/groups/functions, remember to report all types of application access that you have, and raise requests to surrender access to all the relevant applications – Do keep your supervisor posted of the surrender and ensure closure |
- | Return without fail, any secure token/any other authentication hardware/software provided to you, when you move out of your team/engagement |
- | Do not type in or read aloud passwords/PINs when others are nearby |
- | Do not disclose any of your passwords/PINs to anyone who approaches you claiming he/she needs it for some exigent purposes |
- | If you are in doubt about appropriate and inappropriate ways of using passwords and access to applications, seek clarifications from authorized groups. |
- | Do not use privileged access for purposes other than those you are authorized for! |
- | Do not make public, the types of privileged access /Names, IP addresses or any other internal system details of IT resources that you administer as part of your role. |
- | When you provision access to Users, ensure configuration management to take care of proper allocation of rights/privileges required for a user account. This will help prevent unauthorized access. |
- | When provisioning new applications/IT systems for internal use, integrate with Identity Management system for smooth provisioning of user accounts. Avoid local database based authentication. |
- | Do not create easily guessable passwords and PINs when you reset credentials for end-users |
- | Validate authenticity of all requests for resetting of passwords and access – Perform changes ONLY after you have validated. |
- | Do not disclose passwords/PINs in clear text or over the telephone, except when the procedure demands that you do so. Instruct the end-user to change the password/PIN immediately after you disclose the reset password/PIN. |
- | If you are managing a teleconference bridge, ensure ‘only’ authorized users are accessing the bridge for a given call – a simple voice-based attendance count followed by a validation of the number of active (inbound and outbound) connections will help ensure this. |
- | Ensure that you are able to reconcile user account management changes based on requests received and you are able to reach out to authorized Customer representatives in case of an anomaly. |
- | Be cautious against possibilities of human error – Eg: Sending One Customer’s credentials to another by mistake especially when you work on multiple Customer engagements carrying out remote infrastructure management serving multiple time zones/IT resources. |
- | Ensure access to facilities are revoked immediately after the valid period of use is completed for a given user or group of users – Close all revocation requests in a timely manner based on requests and impact. |
- | Perform or arrange for a periodic audit/sweep of all types of access and password controls – Rectify promptly, any vulnerabilities or exceptions. Audits to be conducted only after Company/Customer approval depending on who owns the IT resources. |
- | Do not perform, using your privileged access credentials, any activity that may be unethical / in violation of our security policies or which could result in legal/regulatory noncompliance. |
- | If for any reason, you are unfamiliar with the do’s and don’ts of privileged access assigned to you, do consult your supervisor and seek clarifications – this is ‘your’ responsibility! |
- | Review access & authorization (including changing administrative passwords) requirements of your team members at least once in a quarter or whenever team members change roles/exit the organization. |
- | Ensure that you inform the customer of any changes to the user accounts (including disabling the same) when team members accessing Customer systems in your project leave the organization. |