System Security & Controls on IDs and Passwords (Bank Level Security)

The tips and tools in this checklist can help secure your system.

  • The input field for the password MUST be masked while users type in their passwords.
  • Password history can be configured and must be set to a minimum of 3 generations. Users cannot change their password to one similar to a previous password.
  • Password expiration can be configured and set to 60 days. The system must automatically enforce a password change every 60 days.
  • Minimum password length is 8 characters. (Recommended: 8 characters.)
  • Users MUST be forced to change their password on the first sign-on.
  • Account lockout can be configured. After 3 consecutive unsuccessful attempts, the user ID must be locked.
  • Passwords must meet complexity requirements, which include numbers, symbols and both upper and lower case alphabet characters. Password composition must include at least 1 number, 1 special character, 1 upper case and 1 lower case alphabet character.
  • Users are allowed to change their password without administrator assistance.
  • Dormant period can be configured. IDs that have been dormant or inactive for 30 days will be automatically revoked.
  • Users are not allowed to sign on to more than one terminal at a time. Users must log off from one terminal in order to sign on to another terminal.
  • The system must display the last sign-on information after a successful sign-on.
  • User IDs which are inactive for 15 minutes must be logged off from the system.
  • Users are not allowed to use a password that is the same as their ID.
  • The system must assist the administrator by providing a list of IDs that have been inactive for more than 90 days, or a script for their deletion.
  • Restriction of access by specified date and time is allowed where applicable.
  • Multiple levels of access are allowed.
  • A warning statement on misuse of computer information and facilities must be displayed:
    • Upon successful login to a system, or
    • Just before the login prompt to a system, or
    • On the same screen that provided the login to a system.
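
The password rules above (length, composition, history, not equal to the ID, 60-day expiry and forced change on first sign-on) can be checked in one place when a user changes a password. The following is an added example, not part of the original checklist; the function names, the PBKDF2 work factor, the case-insensitive ID comparison and the exact-reuse reading of the history rule are assumptions.

```python
import hashlib, hmac, os, string
from datetime import datetime, timedelta

MIN_LENGTH = 8                # checklist: minimum password length
HISTORY_GENERATIONS = 3       # checklist: minimum password history
MAX_AGE = timedelta(days=60)  # checklist: password expiration
PBKDF2_ROUNDS = 100_000       # assumption: the checklist names no hash or work factor

def hash_entry(password, salt=None):
    """Return a (salt, digest) history entry; plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def policy_violations(user_id, new_password, history):
    """List the checklist rules new_password breaks; an empty list means accepted.
    history holds (salt, digest) entries, oldest first."""
    problems = []
    if len(new_password) < MIN_LENGTH:
        problems.append("length")
    required = {"number": string.digits, "special": string.punctuation,
                "upper": string.ascii_uppercase, "lower": string.ascii_lowercase}
    for name, charset in required.items():
        if not any(c in charset for c in new_password):
            problems.append("missing " + name)
    # Assumption: "same as ID" is compared case-insensitively.
    if new_password.lower() == user_id.lower():
        problems.append("same as ID")
    # Assumption: history is enforced as exact reuse; a similarity check
    # would need the old plaintext, which is deliberately not kept.
    for salt, digest in history[-HISTORY_GENERATIONS:]:
        if hmac.compare_digest(hash_entry(new_password, salt)[1], digest):
            problems.append("reused")
            break
    return problems

def must_change(last_changed, now):
    """True on first sign-on (last_changed is None) or once 60 days have passed."""
    return last_changed is None or now - last_changed >= MAX_AGE
```

On an accepted change, append `hash_entry(new_password)` to the user's history and record the change time for the next `must_change` check.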