Great American Title Company is hereinafter referred to as "the company."

1.0 Overview

A solid password policy is perhaps the most important security control an organization can employ. Since the responsibility for choosing good passwords falls on the users, a detailed and easy-to-understand policy is essential.

2.0 Purpose

The purpose of this policy is to specify guidelines for use of passwords. Most importantly, this policy will help users understand why strong passwords are a necessity, and help them create passwords that are both secure and useable. Lastly, this policy will educate users on the secure use of passwords.

3.0 Scope

This policy applies to any person who is provided an account on the organization's systems or network, including: employees, contractors, underwriters, partners, and Department of Insurance personnel.

4.0 Policy

4.1 Construction

The best security against a password incident is simple: following a sound password construction strategy. The organization mandates that users adhere to the following guidelines on password construction:

Passwords should be at least 8 characters

Email, mobile devices, DocuSign, Notarize and computer passwords must be significantly different and not contain the same keyboard sequences

Where technology permits, passwords should be comprised of a mix of letters, numbers and special characters (punctuation marks and symbols)

Passwords should be comprised of a mix of upper and lower case characters

Passwords should not be comprised of, or otherwise utilize, words that can be found in a dictionary

Passwords should not be comprised of an obvious keyboard sequence (e.g., qwerty)

Passwords should not include "guessable" data such as personal information about yourself, your spouse, your pet, your children, birthdays, addresses, phone numbers, locations, etc.

Creating and remembering strong passwords does not have to be difficult. Substituting numbers and symbols for letters is a common way to introduce extra character types: a '3' can be used for an 'E', a '4' for an 'A', a '0' for an 'O', and an 'i' can become a '!'. Note that these substitutions are well known and password-cracking tools try them automatically, so a dictionary word written this way (for example 'P4ssw0rd') still counts as a dictionary word under this policy. Apply substitutions to a base that is not a dictionary word.

Another way to create an easy-to-remember strong password is to think of a sentence, and then use the first letter of each word as the password. The sentence 'The quick brown fox jumps over the lazy dog!' easily becomes the password 'Tqbfjotld!'. Users may still need to add characters required by this policy (in this example, a number), but the technique makes strong passwords easier to remember.
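The following is an added example, not part of the GATCO policy or any GATCO tooling: a small Python checker that enforces the construction rules above (length, mixed case, numbers and symbols, keyboard sequences, dictionary words, personal information), tests whether two passwords are "significantly different" as the email/computer rule requires, and builds a password from a sentence with the first-letter technique. The word list and sample passwords are constructed for illustration; a real deployment would load a full dictionary and a breached-password list. The dictionary check deliberately reverses the common substitutions (3 for E, 4 for A, 0 for O, ! for i) before matching, because that is what cracking tools do too.

```python
"""Checker for the password construction rules in section 4.1 (added example)."""
import re
from difflib import SequenceMatcher

MIN_LENGTH = 8

# Constructed, deliberately small word list for illustration; a deployment
# would load a full dictionary (and a breached-password list) instead.
DICTIONARY_WORDS = {"password", "welcome", "summer", "title", "escrow",
                    "company", "quick", "brown"}

# Keyboard rows used to detect obvious sequences such as "qwerty" or "1234".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Undo the substitutions the policy suggests (3->E, 4->A, 0->O, 1/!->i, $->s,
# @->a) so a dictionary word dressed up with them is still caught.
UNDO_SUBSTITUTIONS = str.maketrans("3401!$@", "eaoiisa")

TOO_SHORT = f"shorter than {MIN_LENGTH} characters"
NO_MIXED_CASE = "needs both upper and lower case letters"
NO_DIGIT = "needs at least one number"
NO_SYMBOL = "needs at least one special character"
KEYBOARD_SEQ = "contains an obvious keyboard sequence"
DICT_WORD = "contains a dictionary word (even with number/symbol substitutions)"
PERSONAL_INFO = "contains personal information"


def contains_keyboard_sequence(password, run=4):
    """True if `run` adjacent keys from one keyboard row appear, in either direction."""
    s = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            segment = row[i:i + run]
            if segment in s or segment[::-1] in s:
                return True
    return False


def contains_dictionary_word(password, min_word=4):
    """Check the password as typed and with the common substitutions reversed."""
    lowered = password.lower()
    for candidate in (lowered, lowered.translate(UNDO_SUBSTITUTIONS)):
        if any(len(w) >= min_word and w in candidate for w in DICTIONARY_WORDS):
            return True
    return False


def contains_personal_info(password, personal):
    """`personal` is a list of names, dates, phone fragments etc. that must not appear."""
    s = password.lower()
    return any(len(item) >= 3 and item.lower() in s for item in personal)


def check_password(password, personal=()):
    """Return the construction rules the password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append(NO_MIXED_CASE)
    if not re.search(r"\d", password):
        problems.append(NO_DIGIT)
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append(NO_SYMBOL)
    if contains_keyboard_sequence(password):
        problems.append(KEYBOARD_SEQ)
    if contains_dictionary_word(password):
        problems.append(DICT_WORD)
    if contains_personal_info(password, personal):
        problems.append(PERSONAL_INFO)
    return problems


def too_similar(password_a, password_b, threshold=0.6):
    """Flag passwords that are not 'significantly different' (Winter2023! vs Winter2024!)."""
    ratio = SequenceMatcher(None, password_a.lower(), password_b.lower()).ratio()
    return ratio >= threshold


def password_from_sentence(sentence):
    """First letter of each word, keeping the sentence's closing punctuation."""
    initials = "".join(word[0] for word in sentence.split())
    trailing = re.search(r"[^A-Za-z0-9]*$", sentence).group(0)
    return initials + trailing


if __name__ == "__main__":
    print(password_from_sentence("The quick brown fox jumps over the lazy dog!"))
    for pw in ("Tqbfjotld!", "Tqbfjotld!9", "P4ssw0rd!", "qwerty123"):
        print(pw, "->", check_password(pw) or "compliant")
    print(check_password("MyDogRex2024!", personal=["Rex", "05/14/1980"]))
    print(too_similar("Winter2023!", "Winter2024!"))
```

Running the script shows that the policy's own example 'Tqbfjotld!' is rejected only for lacking a number, that 'P4ssw0rd!' fails the dictionary rule despite its substitutions, and that 'Winter2023!' and 'Winter2024!' are far too similar to satisfy the "significantly different" requirement.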

4.2 Confidentiality

Passwords should be considered confidential data and treated with the same discretion as any of the organization's proprietary information. The following guidelines apply to the confidentiality of organization passwords:

Users must not disclose their FAST password to anyone

Users must not write down their passwords and leave them unsecured

Users must not check the "save password" box when authenticating to applications

Users must not use the same password for different systems and/or accounts

Users must not send passwords via email or text to anyone (including the Information Security Officer).

Users must not re-use passwords within a 6 month period

Users must provide their computer (PC), Outlook, Notarize and DocuSign passwords to the Information Security Officer in a sealed envelope.

4.3 Change Frequency

In order to maintain good security, passwords must be changed periodically. This limits the window during which a stolen or guessed password remains usable. At a minimum, users must change passwords every 90 days. The organization may use software that enforces this policy by expiring users' passwords after this time period.

Shared screen saver passwords on all Branch or Department computers and laptops must be changed immediately upon the departure of any user in that Branch or Department.

4.4 Password Documentation

In order to maintain good security, passwords must be documented on the GATCO password form.

If an employee changes their password, the GATCO password form must be immediately filled out and provided to the Information Security Officer in a sealed envelope.

4.5 Incident Reporting

Since compromise of a single password can have a catastrophic impact on network security, it is the user's responsibility to immediately report any suspicious activity involving his or her passwords to the IT Manager. Any request for passwords over the phone or by email, whether or not the request appears to come from organization personnel, must be reported promptly. When a password is suspected to have been compromised, the IT Manager will request that the affected user or users change all of their passwords. Refer to the Incident Response Policy. All incidents must be reported using the Security Incident Report form.

4.6 Wire-Fraud Response

In the event of an actual financial loss involving wire fraud, everyone on the escrow team associated with the affected file (escrow officer and assistant) must immediately change their email passwords. The branch manager will determine whether any additional users should be included. For security reasons, the new email passwords must be significantly different from the old ones when wire fraud is suspected. Once an email password is changed, a new password form must immediately be filled out and given to the Information Security Officer.

4.7 Screensaver Passwords

Screensaver passwords offer an easy way to strengthen security by removing the opportunity for a malicious user, curious employee, or intruder to access network resources through an idle computer. For this reason, password-protected screensavers must activate after a maximum of 10 minutes of inactivity, if not sooner.

4.8 Applicability of Other Policies

This document is part of the organization's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.

5.0 Enforcement

This policy will be enforced by the Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions

Authentication A security method used to verify the identity of a user before access to a system or network is authorized.

Password A sequence of characters that is used to authenticate a user to a file, computer, network, or other device. Also known as a passphrase or passcode.

Two Factor Authentication A means of authenticating a user that combines two different kinds of factor: something the user knows (a password), something the user has (a smart card or token), or something the user is (a biometric). Examples are a smart card, token, or biometric used in combination with a password.

Person A vetted and bona fide employee of GATCO

User A vetted and bona fide employee of GATCO

Contractor A vetted company or individual approved by GATCO to access GATCO systems or network

7.0 Revision History

Revision 1.0, 10/13/2012

Revision 2.0, 09/01/2014

Revision 3.0, 02/26/2015

Revision 4.0, 11/17/2015

Revision 5.0, 12/22/2015

Revision 6.0, 11/28/2016

Revision 7.0, 06/20/2017

Revision 8.0, 06/12/2018

Revision 9.0, 08/07/2018

Revision 10.0, 11/15/2018

Revision 11.0, 01/15/2019

Revision 12.0, 03/01/2020

Revision 13.0, 12/10/2020