[ LTO MEMORANDUM CIRCULAR NO. 615-2005, May 05, 2005 ]

GUIDELINES IN THE IMPLEMENTATION OF THE PASSWORD POLICY CONFIGURATION



Pursuant to Unnumbered Memorandum dated 02 July 2004 otherwise known as "Implementation of the Password Policy Configuration, Group Policy Configuration, Delegation Configuration and ISA-Firewall Port Scanning", the following guidelines and procedures are hereby promulgated for the guidance and compliance of all users of the LTO-IT System.

A. Objective

  1. to establish a standard for the creation of appropriate passwords and for their protection;
  2. to define the guidelines for effectively managing security on the network;
  3. to ensure the integrity and confidentiality of information;
  4. to ensure that only authorized personnel have access to the network;
  5. to restrict access to information, systems and resources according to the roles and functions of each user.

B. Definition of Terms

  1. Username - a unique system identifier assigned to every user.
  2. Account - refers to access privileges to the LTO-IT System.
  3. Account Holder - a person to whom an account is issued.
  4. Core Application - the systems developed for the frontline transaction processing of LTO; also called CoreApps. These are the Driver's Licensing System (DLS), Motor Vehicle Registration System (MVRS), Revenue Collection System (RCS), Manufacturers, Assemblers, Importers & Dealers Reporting System (MAIDRS) and Law Enforcement & Traffic Adjudication System (LETAS).
  5. End-User - an LTO employee who uses and processes LTO transactions through the CoreApps; also called User.
  6. Password - a security measure used to restrict access to a computer system and to sensitive files. A password is a unique string of characters that a user types in as an identification code and as the basis for authentication.
  7. System Administrators - Stradcom personnel who manage the operating system-level services and security; also called SysAd.
  8. Workstation - a microcomputer, usually connected to a network, at which a user can run applications and which has its own processing capability.
  9. Customer Care - an internal Stradcom organization of technical support specialists responsible for responding to requests for technical assistance pertaining to all system-related software and hardware matters.
  10. Site Support - a Stradcom employee assigned at the District Office to offer first-hand technical assistance to users.

C. General Password Policies

  1. Every user is accountable for his/her assigned username and password. Users shall therefore never give their assigned username and password to others, and passwords must be kept confidential at all times. If a mishap on the system is proven to have been caused by unauthorized use of a username, the account holder shall be solely responsible for the actions taken by the unauthorized person.
  2. The account holder shall not allow anyone to use his account. Any transaction tracked to the account shall be charged to the account holder.
  3. The user shall not reveal his password to anyone under any circumstance, even when on vacation or sick leave.
  4. Passwords shall never be written down on paper, desks, calendars and the like.
  5. Passwords shall not be trivial, predictable or obvious.
  6. A password shall not be the same as the account holder's name or user logon name, and must not include a relative's name, employee number, GSIS number, birth date, telephone number, or any other information about the account holder that could easily be learned or guessed.
  7. A user who has access to different systems shall not use the same password for those systems.

D. LTO-IT Domain Password Policies

  1. Monthly Expiration of Password - Network passwords shall automatically expire every thirty (30) days upon implementation of this Memorandum Circular. A message will be displayed on the user's workstation at least ten (10) days before his password expires.
  2. Password Length - Minimum of eight (8) and maximum of one hundred twenty-seven (127) characters, consisting of a mix of letters, numbers and special characters.
  3. Password History - Four (4) different passwords must be used before the user can reuse one of them.
  4. When a password is near its expiration date, the user will be prompted to change it upon logging in. On the pop-up window, the user will have to enter his current password and then his new desired password twice. If the password has already expired and the user was not able to change it, his account will be disabled.
  5. Three (3) consecutive failed logon attempts shall automatically lock out the user's account.
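As an added example, not part of this Circular or of the LTO-IT System software, the following Python checker applies rules C.6, D.2, D.3 and D.5 to a candidate password for a constructed sample account. The class and function names, the sample account data, the use of salted PBKDF2 hashes to hold the last four passwords, and the list of separators stripped from personal data are all assumptions made for illustration; a domain controller keeps its history in its own hash format.

```python
"""Password-acceptance and lockout checks modelled on sections C and D.
Added illustration only; names, sample data and hashing are assumptions."""
import hashlib
import os
import re
import string
from dataclasses import dataclass, field

MIN_LENGTH = 8            # D.2
MAX_LENGTH = 127          # D.2
HISTORY_DEPTH = 4         # D.3
LOCKOUT_THRESHOLD = 3     # D.5
SPECIAL = set(string.punctuation)


@dataclass
class AccountHolder:
    username: str
    full_name: str
    employee_number: str
    gsis_number: str
    birth_date: str                      # YYYY-MM-DD
    telephone: str
    relatives: list = field(default_factory=list)
    history: list = field(default_factory=list)   # [(salt, digest)], newest last
    failed_logons: int = 0
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for the domain's own password hash (assumption).
    # Iteration count kept low for illustration; raise it in real use.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def personal_tokens(holder: AccountHolder) -> set:
    """Strings C.6 forbids inside a password: name parts, logon name, relatives,
    employee/GSIS/telephone numbers and the birth date in several spellings.
    Separators are stripped and everything is lower-cased; tokens shorter than
    four characters are dropped so an initial does not reject every password."""
    raw = [holder.username, holder.employee_number, holder.gsis_number,
           holder.birth_date, holder.telephone, *holder.full_name.split(),
           *(part for r in holder.relatives for part in r.split())]
    digits = re.sub(r"\D", "", holder.birth_date)          # e.g. 19780621
    raw += [digits, digits[:4], digits[4:], digits[2:]]    # YYYY, MMDD, YYMMDD
    norm = (re.sub(r"[\s\-./()]", "", t).lower() for t in raw)
    return {t for t in norm if len(t) >= 4}


def check_new_password(candidate: str, holder: AccountHolder) -> list:
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if not MIN_LENGTH <= len(candidate) <= MAX_LENGTH:
        problems.append(f"D.2: length must be {MIN_LENGTH}-{MAX_LENGTH}")
    if not (any(c.isalpha() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(c in SPECIAL for c in candidate)):
        problems.append("D.2: must mix letters, numbers and special characters")
    low = candidate.lower()
    hits = sorted(t for t in personal_tokens(holder) if t in low)
    if hits:
        problems.append("C.6: contains personal information: " + ", ".join(hits))
    if any(_hash(candidate, salt) == digest for salt, digest in holder.history):
        problems.append(f"D.3: matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def set_password(candidate: str, holder: AccountHolder) -> list:
    """Apply the checks; on success record the password and keep only the
    HISTORY_DEPTH most recent entries, so a password becomes reusable only
    after four different ones have been used (D.3)."""
    problems = check_new_password(candidate, holder)
    if not problems:
        salt = os.urandom(16)
        holder.history.append((salt, _hash(candidate, salt)))
        del holder.history[:-HISTORY_DEPTH]
    return problems


def record_logon(holder: AccountHolder, succeeded: bool) -> bool:
    """D.5: the third consecutive failure locks the account; a success resets
    the counter. Returns the lock state. A locked account stays locked until it
    is re-enabled through the section E procedure."""
    if holder.locked:
        return True
    if succeeded:
        holder.failed_logons = 0
    else:
        holder.failed_logons += 1
        if holder.failed_logons >= LOCKOUT_THRESHOLD:
            holder.locked = True
    return holder.locked


def fresh_sample() -> AccountHolder:
    """Constructed sample account for demonstration; not a real LTO record."""
    return AccountHolder(username="jdelacruz", full_name="Juan Dela Cruz",
                         employee_number="2004-0117", gsis_number="1234567890",
                         birth_date="1978-06-21", telephone="(02) 922-9061",
                         relatives=["Maria Dela Cruz"])


if __name__ == "__main__":
    h = fresh_sample()
    print(check_new_password("Juan1978!", h))       # rejected under C.6
    print(set_password("Tricycle-Route#14", h))      # accepted: []
```

`personal_tokens` deliberately over-matches (any four-character fragment of a name or number anywhere in the password) because C.6 is written as "must not include"; a stricter system would also want the checks run server-side at the domain controller, not only in a client-side prompt.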

E. Enabling of Accounts

  1. When a user's account has been locked, he shall immediately report this to the Site Support or Customer Care.
  2. The account holder shall state the reason as to why his domain account has been locked.
  3. The Customer Care shall create the Service Request (SR) detail and give it to the SysAd.
  4. Upon receipt of the request, the SysAd shall validate the cause of account locking before enabling the user's account.
  5. When the SysAd has determined that the reason is valid and acceptable, he shall enable the user's domain account. Otherwise, the SysAd shall inform Customer Care that the account is under investigation.
  6. The Customer Care shall inform the requesting individual that the request was implemented and that he can now access the domain.

F. Resetting of Passwords

  1. When a user needs to reset or change his password, he shall report this to the Site Support or Customer Care.
  2. The Site Support shall validate the request and report the problem to Customer Care for action.
  3. Customer Care shall verify the request, create the Service Request (SR) details and reset the user's password. Should Customer Care be unable to solve the problem, the SR shall be forwarded to the SysAd, who shall act on it and provide feedback to Customer Care.
  4. Customer Care shall inform the requesting individual of his initial password and that he can now access the LTO-IT domain.
  5. The user shall then immediately change the initial password upon logging in to the domain.

G. Compliance

All users shall comply with this Password Security Policy, as well as procedures and practices developed and observed in support thereof.

Anyone who may have knowledge of suspected misuse of information system resources, or of a compromised account or password, is enjoined to report the incident to the Systems Administrators or to the management of LTO and Stradcom for immediate and proper action.

Violation of standards, procedures and/or practices of systems administration security shall be immediately reported to the LTO management for appropriate administrative and/or criminal sanctions.

H. Effectivity

This Memorandum Circular shall take effect immediately.

For strict compliance.

Adopted: 05 May 2005

(SGD.) ANNELI R. LONTOC
Assistant Secretary