Password Standard (12001)

About this standard
This password standard was created for use by healthcare organizations for information system access control.

A French version is available at: Norme sur les mots de passe

Introduction

Scope

This standard applies to password-based authentication. It is limited to the case where a user must authenticate to an information system; it does not cover machine-to-machine authentication, nor authentication mechanisms that do not use a password (e.g. hardware devices).

Simulation

The content of this document is the result of a series of workshops held at the University of Sherbrooke as part of the Microprogramme in health informatics standards.
The workshops are designed to simulate an international standardization committee in which many countries participate in the adoption of a new standard.

Contributors

2009 contributors

  • Marc André Léger, Standard committee director
  • Daniel Agagnier, HOD Belgium
  • Hugo Arenas, Delegate Argentina
  • Michel Boivin, Delegate France, Standard editor
  • Michel Charfeddine, HOD Denmark
  • Janet Errasmuspe, Delegate Denmark, Standard co-editor
  • Margaret Ann Kennedy, Delegate USA
  • Pasqualino Lavecchia, Delegate Canada, Standard co-editor
  • Chantal Lavoie, Delegate Belgium
  • Georges Moiny, HOD USA
  • Walter Hugo Ramirez, HOD Argentina
  • Jean-François Rancourt, HOD France, Standard co-editor
  • Craig Sadler, HOD Canada

General Principles & Policies

Security Policy

A security policy defines how the systems of an organization or other entity are to be secured. Since information technology (IT) is the focal point of this standard, the security policy here addresses the rules that members are required to follow; these constraints concern the level of access permitted to a system or an application.

Security policies cover a wide range of interests. Establishing a secure relationship between two or more entities requires an approach that is fundamentally restrictive, yet within a scope that still allows the constraints to be adjusted.

Policy guidelines must adhere to the standards and legislation applicable in their respective fields, such as the "Act concerning access to personal information".

Security policy is complex and subjective, since human behaviour influences whether the intended result is achieved. This is an important reason to recognize the benefits of education and of the continued implementation of security policy in all facets of the organization.

Security policy is always in a state of progression. With ever-increasing advances in information technology comes the need to implement new policies and subsequently create rules

Directives

  • The enterprise must have a policy for creating passwords.
  • Taking this into account, the password length must be established according to the level of importance of the system or application and the sensitivity of the data to be protected.
  • Validity of passwords: to respect the principle of confidentiality, rules on the validity period must be established.
  • After one hour of inactivity, the system must automatically re-authenticate the user or end the session.
  • The password can be changed at any time.
  • The password must be changed at least once every 90 days.
  • The user account must be suspended after several consecutive unsuccessful attempts. A message should then tell the user to contact the IT department to have the account reactivated.
  • The user account is suspended when the user is absent for an extended period (e.g. more than six weeks) or leaves the organization.
  • The tool that manages computer or administrative privileges must include mechanisms to review, suspend, revoke, block or remove these privileges at any time, and to log each such action.
  • The organization should establish a committee to create groups of users for the allocation of security levels.

Rules

Rules for creating passwords

  • Passwords must have a minimum length of 8 characters.
  • Passwords must meet at least 3 of the following 4 quality requirements:
  1. at least one (1) lower case letter
  2. at least one (1) upper case letter
  3. at least one (1) number
  4. at least one (1) special character (?, *, %, etc.); the French version lists ( ~ ! @ # $ % ^ * ( ) _ - + = { } [ ] | : ; " , ? ) and excludes < > & and '
  • A character must not be repeated three or more times in a row (e.g. eee or 333 is not allowed).
  • Users will be required to enroll by answering a set number of security questions. Users can pick any questions from a drop-down list and must answer all the questions presented (e.g. mother's maiden name, favorite pet's name, city of birth, etc.). Because such answers are often discoverable, they must be protected like passwords.
  • Passwords must be changed at least every 120 days.
  • A password must not be part of the user name, nor contain it.
  • Passwords must not be reused; accordingly, a record of previously used passwords will be maintained.
  • Passwords must not be based on simple consecutive keyboard combinations (e.g. QWERTY).
  • Users should not create passwords that can be found in a dictionary, or that are a family name or pet name.
  • Users must not use a password based on medical terminology (e.g. an ICD-10 code or SNOMED term).
  • Passwords should be case sensitive.
  • No default password is allowed; users must set their new password through IT.
  • Users will be timed out if a session is left idle for more than a specified time.
  • Blanks (spaces) are not allowed.
  • Alpha-to-numeric substitution (e.g. writing 0 for o or 3 for e) is not allowed.
  • Passwords will be protected cryptographically in storage and in transit (see the rules for managing passwords) to prevent password cracking and misuse.
  • Passwords will not be displayed in clear text.
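The creation rules above, implemented as a checker. This is an added example and not code from the standard; its word lists, keyboard rows and substitution table are small constructed samples, and the four-key keyboard-sequence threshold and the "three in a row" repetition threshold are assumptions chosen to match the examples given in the rules. The alpha-to-numeric substitution rule is enforced by undoing common substitutions before the dictionary check, so that P@ssw0rd fails for the same reason password does.

```python
"""Checker for the password-creation rules above.

Added example, not part of the standard. The word lists, keyboard rows and
substitution table are small constructed samples; a deployment would load
complete dictionaries and the organization's own name and terminology lists.
"""
import re

MIN_LENGTH = 8
MIN_CLASSES = 3          # at least 3 of the 4 character classes
MAX_RUN = 2              # three identical characters in a row ("eee", "333") is rejected
SEQUENCE_LEN = 4         # four adjacent keys from one row ("qwer", "1234") is rejected

# Special characters listed in the French version; < > & ' and blanks are excluded.
SPECIALS = set('~!@#$%^*()_-+={}[]|:;",?')
FORBIDDEN = set("<>&' ")

# Constructed sample lists (assumption: replace with real word lists).
DICTIONARY = {"password", "welcome", "summer", "hospital", "sherbrooke"}
NAMES = {"tremblay", "gagnon", "rex", "fluffy"}
MEDICAL_TERMS = {"snomed", "icd10", "j18", "i10"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Alpha-to-numeric (and symbol) substitutions the rule forbids; undoing them
# before the dictionary check makes "P@ssw0rd" fail the same way "password" does.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def character_classes(pw):
    """Count how many of the four quality classes the password contains."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIALS for c in pw),
    ])


def has_run(pw, max_run=MAX_RUN):
    """True if any character appears more than max_run times consecutively."""
    return re.search(r"(.)\1{%d,}" % max_run, pw) is not None


def has_keyboard_sequence(pw, n=SEQUENCE_LEN):
    """True if pw contains n adjacent keys of one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            seq = row[i:i + n]
            if seq in low or seq[::-1] in low:
                return True
    return False


def contains_word(pw, words):
    """True if pw contains a listed word, before or after undoing substitutions."""
    low = pw.lower()
    desubstituted = low.translate(LEET)
    return any(w in low or w in desubstituted for w in words)


def check_password(pw, username=""):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(pw) < MIN_CLASSES:
        problems.append("fewer than %d of the 4 character classes" % MIN_CLASSES)
    bad = FORBIDDEN.intersection(pw)
    if bad:
        problems.append("contains forbidden character(s): %s" % "".join(sorted(bad)))
    if has_run(pw):
        problems.append("repeats a character three or more times in a row")
    if has_keyboard_sequence(pw):
        problems.append("contains a keyboard sequence")
    if username and (username.lower() in pw.lower() or pw.lower() in username.lower()):
        problems.append("overlaps with the user name")
    if contains_word(pw, DICTIONARY | NAMES):
        problems.append("based on a dictionary word or name")
    if contains_word(pw, MEDICAL_TERMS):
        problems.append("based on medical terminology")
    return problems
```

The checker returns every violated rule rather than stopping at the first, which is what a user-facing enrollment form needs; the reversed keyboard sequences and the substitution-undoing step are the two checks most often missing from simple implementations of rules like these.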

Rules for using password

All passwords are to be treated as sensitive and confidential information. In particular:

  • Do not reveal a password over the phone to ANYONE
  • Do not reveal a password in an email message
  • Do not reveal a password to the boss
  • Do not talk about a password in front of others
  • Do not hint at the format of a password (e.g., "my family name")
  • Do not reveal a password on questionnaires or security forms
  • Do not share a password with family members
  • Do not reveal a password to co-workers while on vacation
  • It is forbidden to share a user account;
  • Where the risk level is high, it may be necessary for the user never to use the same password for different accesses;
  • The user should never give out their password, even to those responsible for security;
  • Users should never write their passwords on paper;
  • The user should never provide their password by phone, e-mail or instant messaging;
  • The user must make sure to log out before leaving a workstation;
  • The user must change the password at the slightest hint of compromise.
  • Health facilities must disable all features that let users automatically store a password.
  • The user must use a different password from one application to another.

Rules for managing passwords

  • Passwords must be encrypted during transfer over a telecommunications network (e.g. sent only over a TLS-protected connection).
  • Passwords must be protected when stored in a database or enterprise directory: store a salted one-way hash of each password rather than the password itself or a reversibly encrypted copy, so that a stolen copy of the store does not yield the passwords.
  • Password validation must be fast enough to be acceptable from the user's point of view; the validation time should be less than 1 second.
  • A user session must be ended after a certain period of inactivity. Each organization must determine the maximum time allowed; this period should be between 20 minutes and 60 minutes.
  • A user account must be disabled when an employee is absent for a period longer than the password change period.
  • A user account must be disabled when an employee leaves the company.
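Server-side handling of these management rules together with the lockout and absence directives, as an added example that is not the standard's own code. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt (the text says "encrypted"; a salted one-way hash is what a credential store should hold), five consecutive failures before suspension, the 90-day change period from the Directives, a history of the five most recent password hashes, and time expressed in seconds; the user names and passwords are constructed.

```python
"""Credential store for the password-management rules and the lockout directive.

Added example, not the standard's own code. Assumptions: PBKDF2-HMAC-SHA256
with a random per-user salt, 5 consecutive failures before suspension,
a 90-day change period, history of the last 5 hashes, time in seconds.
"""
import hashlib
import hmac
import os
import time

DAY = 86400
MAX_FAILURES = 5
HISTORY_SIZE = 5
CHANGE_PERIOD = 90 * DAY
PBKDF2_ROUNDS = 100_000      # tune so one verification stays well under the 1-second budget
SUSPENDED_MSG = "account suspended; contact the IT department to reactivate"


def hash_password(password, salt, rounds=PBKDF2_ROUNDS):
    """Salted one-way hash; the store never keeps the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


class Account:
    def __init__(self, username, password, now):
        self.username = username
        self.history = []            # (salt, digest) of recent passwords, newest last
        self.failures = 0            # consecutive failed attempts
        self.suspended = False
        self.last_activity = now
        self.last_verify_seconds = 0.0
        self.set_password(password, now)

    def set_password(self, password, now):
        # History rule: reject any password that is still in the recorded history.
        for salt, digest in self.history:
            if hmac.compare_digest(hash_password(password, salt), digest):
                raise ValueError("password was used before")
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.history = (self.history + [(self.salt, self.digest)])[-HISTORY_SIZE:]
        self.changed_at = now

    def verify(self, password):
        """Constant-time comparison of the recomputed hash; records the validation time."""
        start = time.perf_counter()
        ok = hmac.compare_digest(hash_password(password, self.salt), self.digest)
        self.last_verify_seconds = time.perf_counter() - start
        return ok


class CredentialStore:
    def __init__(self):
        self.accounts = {}

    def create(self, username, password, now):
        self.accounts[username] = Account(username, password, now)

    def disable(self, username):
        """Employee leaves the organization: the account is disabled immediately."""
        self.accounts[username].suspended = True

    def authenticate(self, username, password, now):
        """Return (accepted, message) for one sign-on attempt."""
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, b"\x00" * 16)   # same cost as a real check
            return False, "invalid credentials"
        if acct.suspended:
            return False, SUSPENDED_MSG
        if now - acct.last_activity > CHANGE_PERIOD:
            acct.suspended = True                   # absent longer than the change period
            return False, SUSPENDED_MSG
        if not acct.verify(password):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.suspended = True
                return False, SUSPENDED_MSG
            return False, "invalid credentials"
        acct.failures = 0
        acct.last_activity = now
        if now - acct.changed_at > CHANGE_PERIOD:
            return True, "password change required"
        return True, "ok"

    def change_password(self, username, old_password, new_password, now):
        accepted, message = self.authenticate(username, old_password, now)
        if not accepted:
            return False, message
        try:
            self.accounts[username].set_password(new_password, now)
        except ValueError as exc:
            return False, str(exc)
        return True, "password changed"
```

Two details matter for the "less than 1 second" rule: the hash cost is the one knob that trades cracking resistance against validation time, so it is a named constant, and unknown user names still pay that cost so that response time does not reveal which accounts exist.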

Single Sign-On

Single Sign-On is designed to minimize the number of times a user must type their ID and password to sign into multiple applications. When a user launches an application on their workstation, the SSO client software automatically populates the ID and password fields in that application's login screen, eliminating repetitive sign-ons.

To make the system more secure and to resist password hacking or cracking, SSO will be used in conjunction with biometrics or proximity cards.

To enroll, a user name and initial password are assigned to the user, followed by registration of their fingerprint (thumb or index) or retina. The user must present the biometric twice: once to register it and once to validate it.

If the biometric authentication is successful, the Access Manager grants access to the secured applications or resources by issuing an SSO token that represents the user's sign-on and session information.

The system will intercept requests from unauthorized users.

The system will control access to systems based on the policies assigned to the user.

The system will be audited on a regular basis to further prevent misuse, hacking or password cracking.
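The token-issuing, request-interception and policy steps above, as an added example that is not the standard's or any product's code. It assumes the password and biometric or proximity-card checks have already passed, signs the SSO token with HMAC-SHA256 under a key held only by the Access Manager, uses a 30-minute token lifetime (an assumed value inside the 20 to 60 minute session range), and uses a constructed policy table and audit log; the tamper helper shows why the signature, not the token contents, is what the resource must trust.

```python
"""Access Manager side of the SSO flow described above.

Added example, not the standard's own design. Assumptions: first-factor checks
already succeeded; HMAC-SHA256 signed token with a 30-minute lifetime; the
policy table and audit log are constructed samples; time is in seconds.
"""
import base64
import hashlib
import hmac
import json

TOKEN_LIFETIME = 30 * 60     # seconds; assumed value inside the 20-60 minute range
# Constructed policy table: applications each user is authorized to reach.
POLICIES = {"alice": {"ehr", "lab"}, "bob": {"lab"}}


def _encode(payload):
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode("ascii")


class AccessManager:
    def __init__(self, signing_key):
        self.signing_key = signing_key
        self.audit = []          # (outcome, user, application, reason) records for review

    def _sign(self, body):
        return hmac.new(self.signing_key, body.encode("ascii"), hashlib.sha256).hexdigest()

    def issue_token(self, username, now):
        """Issued after a successful sign-on; carries identity, session times and policy."""
        payload = {
            "sub": username,
            "iat": now,
            "exp": now + TOKEN_LIFETIME,
            "apps": sorted(POLICIES.get(username, ())),
        }
        body = _encode(payload)
        return body + "." + self._sign(body)

    def verify_token(self, token, now):
        """Return the payload if the signature is valid and the token unexpired, else None."""
        try:
            body, signature = token.split(".")
        except ValueError:
            return None
        if not hmac.compare_digest(self._sign(body), signature):
            return None          # tampered or forged: the payload is never even parsed
        try:
            payload = json.loads(base64.urlsafe_b64decode(body.encode("ascii")))
        except (ValueError, TypeError):
            return None
        if now >= payload["exp"]:
            return None
        return payload

    def request_access(self, token, application, now):
        """Intercept a request: grant only with a valid token and a matching policy."""
        payload = self.verify_token(token, now)
        if payload is None:
            self.audit.append(("denied", None, application, "invalid or expired token"))
            return False
        if application not in payload["apps"]:
            self.audit.append(("denied", payload["sub"], application, "not permitted by policy"))
            return False
        self.audit.append(("granted", payload["sub"], application, ""))
        return True


def tamper(token, new_apps):
    """Rewrite the payload but keep the old signature, as an attacker without the key would."""
    body, signature = token.split(".")
    payload = json.loads(base64.urlsafe_b64decode(body.encode("ascii")))
    payload["apps"] = new_apps
    return _encode(payload) + "." + signature
```

The audit list is what the "audited on a regular basis" requirement would read: every denied request records whether it failed on the token or on policy, so a burst of token failures (forgery attempts) looks different from a user probing applications outside their policy.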

Vote: No formal consensus on this topic. Some adjustments were requested in order to add strong authentication such as biometrics or another device. Specific comments were registered by Canada, USA and Argentina.

Glossary

Access control is the ability to permit or deny the use of a particular resource by a particular entity. Access control mechanisms can be used in managing physical resources (such as a movie theater, to which only ticketholders should be admitted), logical resources (a bank account, with a limited number of people authorized to make a withdrawal), or digital resources (for example, a private text document on a computer, which only certain users should be able to read).

Application: A program hosted by an operating system.

Entities: User, machine, other devices.

Information System (IS): Structured set of all the elements that contribute to information management in an enterprise, including material, technical, financial, human, intellectual and other resources, whether computerized or not.

Information technology (IT) : Study, design, development, implementation, support or management of computer-based information systems, particularly software applications and computer hardware.

Password: A password is a string of alphanumeric characters, usually chosen by the user, that is used for authentication to prove identity or gain access to a resource. The password must be kept secret from those not allowed access.

Personal identification number (PIN): A numeric key shared between a user and a system that can be used to authenticate the user to the system. A PIN differs from a password in that it uses only numeric characters and is usually shorter; as a consequence the level of security of a PIN is lower than that of a password.

Single Sign-On (SSO): Software solution, based on a directory, that allows users of a corporate network to access all authorized resources transparently on the basis of a single authentication performed at initial access to the network.

System: Operating System: Interface between the user and the hardware.

User: Individual who uses an IS.


Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial 3.0 License