VeriFi EIDOS

9.1 Password Protection Management

Password protection must always be adopted and in accordance with the following rules unless the data controller has a Password Protection Policy which shall take precedence over these rules:-

  1. manufacturers’ default passwords are not to be used;
  2. the issue of passwords should be restricted on a need to know basis;
  3. the data manager for the location must have an overriding administration password enabling management of all other passwords;
  4. Data processors may share common passwords between groups of employees where necessary;
  5. passwords should not be issued to temporary employees;
  6. access to passwords shall be limited on a ‘need to know’ basis;
  7. common passwords may be applied e.g. CCTV and access control systems may have the same password; and
  8. passwords shall contain a minimum of 8 and a maximum of 10 characters and comprise numbers and letters one which shall be upper case and one symbol such as # or $ unless the manufacturers use a matrix or other method.