CITY OF REDDING
REPORT TO THE CITY COUNCIL
MEETING DATE: December 3, 2024
ITEM NO. 4.15(a)
FROM: Kari Kibler, Personnel Director
***APPROVED BY***
kkibler@cityofredding.org btippin@cityofredding.org
SUBJECT: 4.15(a)--Approval of new Personnel Password Policy
Recommendation
Adopt a City of Redding (City) Personnel Policy - Password Policy providing guidance for
administering passwords for the City as part of its efforts to maintain the confidentiality,
integrity, and availability of the City's information, systems, and networks.
Fiscal Impact
There is no fiscal impact associated with approving the proposed City of Redding (City)
Personnel Policy-Password Policy.
Alternative Action
The City Council could decline to approve the proposed Password Policy or provide alternative
direction to staff.
Background/Analysis
The City does not currently have a formal password policy and wishes to adopt a formal policy
to improve the City's cybersecurity protections as well as establish a baseline for administering
passwords across applications.
Currently, our password procedure requires an 8-character password with complexity
requirements (e.g. special characters, numbers, capitalized and lower-case letters). The proposed
policy would establish a 16-character password with no complexity requirements. Additionally,
the current procedure requires passwords to expire every 90 days. With the change to a
16-character password, passwords would expire every 365 days.
Report to Redding City Council November 25, 2024
Re: 4.15(a)--Approval of New Personnel Password Policy Page 2
In addition, the policy would establish cybersecurity hygiene practices related to passwords, such
as not sharing or writing down passwords.
The proposed policy has been shared with each of the City's Bargaining Units and no concerns
were identified.
Environmental Review
This is not a project defined under the California Environmental Quality Act, and no further
action is required.
Council Priority/City Manager Goals
• Government of the 21st Century — "Be relevant and proactive to the opportunities and
challenges of today's residents and workforce. Anticipate the future to make better
decisions today."
Attachments
Final Personnel Policy - Password Policy
CITY OF REDDING, CALIFORNIA
PERSONNEL POLICIES AND PROCEDURES
SUBJECT: Password Policy
EFFECTIVE DATE: 12/3/2024
PAGE: 1
Personnel Director / City Manager
Purpose
The purpose of this policy is to establish a baseline for administering passwords for the City of
Redding (City) as part of its effort to maintain the confidentiality, integrity, and availability of
the City's information, systems, and networks.
Scope
This policy applies to all City employees, contractors, and anyone who has a responsibility for
an account or any form of access to the City's information systems.
Individual departments or divisions may set their own password standards or procedures based
on their requirements. However, standards or procedures must adhere at minimum to this policy
and may not be less stringent.
Responsibility
The Cyber Security Officer (CSO) will be responsible for maintaining and updating this policy
with the approval of the Chief Information Officer (CIO). The City's Network Operations
Center (NOC) Systems Administrators will be responsible for administering technical controls
in the City's Active Directory domain and all supported City applications. The City's Integrated
Public Safety (IPS) Systems Administrators will be responsible for administering technical
controls in all supported IPS applications. Redding Electric Utility (REU) Operation Technology
Engineers (OTEs) will be responsible for administering technical controls in all supported REU
domains and applications. Redding Municipal Utility (RMU) will be responsible for the
technical controls in all supported RMU domains and applications.
Policy
I) Individual Responsibilities
a. Passwords must be changed immediately upon issuance for the first use. Initial
passwords must be transmitted securely to individuals.
b. An individual's passwords must never be shared for any reason. IT will never ask
end-users for their password.
c. Passwords must be secured—Do not write passwords down or save them in a file
on your computer. Passwords may be stored in a secure manner utilizing IT
approved password manager solutions.
d. Users must log off or lock their workstations when not present.
e. City passwords should not be the same as personal account passwords.
f. Passwords must meet the requirements outlined in this policy in Section III.
g. Compromised passwords shall be immediately changed and reported to the CSO
or delegates.
II) Responsibilities of Systems Processing Passwords
a. Passwords must not be displayed while entering the password into the system.
b. Passwords must be stored and transmitted in an encrypted format and not in
clear-text.
c. Passwords must not be stored in clear-text as part of a script or scheduled task.
d. Systems available to the Internet that allow access to the inside network or
confidential information must be protected using Multi-Factor Authentication
(MFA).
e. Systems must not store or allow `hints' for remembering a password.
III) Password Requirements—Passwords must:
a. Contain at least 16 characters.
b. Not be the same as the User ID.
c. Not be a single dictionary word or proper name.
d. Expire within 365 days.
e. Not be the same as the previous 10 passwords.
f. Not be transmitted or stored in clear-text.
g. Systems or applications that cannot support the above requirements will be set to
the highest level of password complexity supported by the system.
IV) Advanced Authentication
a. Advanced authentication (AA) can be used in place of passwords.
b. AA includes the following methods:
i. Biometric.
ii. User-based digital certificates (Public Key Infrastructure (PKI)).
iii. Smart-cards.
iv. Hardware tokens.
c. AA must:
i. Be specific to an individual user.
ii. Prohibit users from sharing a certificate.
iii. Require the user to activate or provision a certificate with a passphrase or
PIN.
d. Identifier Management
i. Each user must be uniquely identified and verified.
ii. Identifier must be issued to the intended party.
iii. User identifiers will be disabled after 90 days of inactivity.
e. Authentication Management
i. Authenticators will be distributed to end-users by IT.
ii. Lost/stolen/compromised authenticators will be reported immediately and
disabled by IT upon notice of compromise.
iii. Authenticators will be refreshed on a 3-year cycle.
iv. Authenticators shall not be loaned or shared with other users.
V) Privileged Accounts
a. Privileged accounts should be stored in a Privileged Access Management (PAM)
system and have their password rotated upon each use whenever possible.
b. Privileged accounts that cannot be stored in a PAM system, or that cannot rotate
passwords upon use, must change their password every 90 days.
c. At least 4 characters must change with each password iteration.
d. Passwords must meet the following complexity requirement:
i. Minimum of 20 characters long.
ii. Capital, lower-case, numbers, and special characters.
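The following is an added example, not part of the City's policy or its systems, that checks a candidate password against Section III (user passwords) and Section V.c/V.d (privileged accounts) as written above. The word list, the "characters changed" metric and the proper-name heuristic are assumptions made for the example; the policy names no dictionary source.

```python
from datetime import date
from typing import List

# Constructed stand-in word list; the policy does not name a dictionary source.
DICTIONARY = {"password", "redding", "welcome", "october", "sunshine"}

def is_single_word_or_name(password: str) -> bool:
    """Heuristic for III.c: one bare word that is in the list or looks like a name."""
    word = password.strip()
    if not word.isalpha():          # spaces, digits or symbols mean it is not one word
        return False
    return word.lower() in DICTIONARY or word.istitle()

def chars_changed(old: str, new: str) -> int:
    """Assumed metric for V.c: positions that differ, plus any length difference."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))

def check_user_password(password: str, user_id: str, history: List[str]) -> List[str]:
    """Section III checks for a standard user password; returns the violations found."""
    problems = []
    if len(password) < 16:
        problems.append("III.a: fewer than 16 characters")
    if password.lower() == user_id.lower():
        problems.append("III.b: same as the User ID")
    if is_single_word_or_name(password):
        problems.append("III.c: single dictionary word or proper name")
    if password in history[-10:]:   # history is oldest-first; last 10 entries apply
        problems.append("III.e: reuses one of the previous 10 passwords")
    return problems

def check_privileged_password(password: str, user_id: str, history: List[str]) -> List[str]:
    """Section V.c and V.d checks for a privileged account, applied on top of Section III."""
    problems = check_user_password(password, user_id, history)
    if len(password) < 20:
        problems.append("V.d.i: fewer than 20 characters")
    classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if not all(classes):            # spaces count as special characters here
        problems.append("V.d.ii: missing upper, lower, digit or special character")
    if history and chars_changed(history[-1], password) < 4:
        problems.append("V.c: fewer than 4 characters changed from the previous password")
    return problems

def is_expired(set_on: str, today: str, max_age_days: int) -> bool:
    """III.d / V.b: ISO dates; 365 days for users, 90 for privileged accounts outside PAM."""
    age = date.fromisoformat(today) - date.fromisoformat(set_on)
    return age.days > max_age_days
```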
VI) Service Accounts
a. Service accounts should utilize a PAM or password managed service accounts
(i.e. Group Managed Service Accounts (gMSAs)) to rotate passwords once per
year.
b. Service account passwords should be generated from a PAM system and should
utilize the following complexity requirements:
i. Minimum of 20 characters long.
ii. Capital, lower-case, numbers, and special characters.
c. Service Account passwords must be changed when the Service Account
administrator leaves the organization or changes roles within the organization.
VII) Account Lockout
a. Accounts will be locked out after 5 invalid attempts for 90 minutes.
b. The account will remain locked for the lockout duration of 90 minutes, or until
the end-user utilizes the AD Self Service tool, or until the end-user contacts the
Service Desk and verifies their identity to have the Service Desk unlock their
account.
i. Note: Thin client users must call the Service Desk or use a PC to unlock
accounts. AD Self-Service is not available on thin clients.
Password Self Service for Active Directory
• Passwords can be reset using the AD Self-Service tool (the tool's URL is illegible in the
scanned source).
• End-users can also access the AD Self-Service tool from their computer's logon screen
using the "Reset Password/Unlock Account" button in the lower-left corner of the
screen.
Reporting a Suspected Compromised Password or Security Incident
If you believe your password has been compromised or if you have been asked to provide your
password to another individual including IT Support, a supervisor, or a coworker, promptly
notify the CSO using one of the following methods:
• Phone: (530) 339-7209
• Email: (address illegible in the scanned source)
Reporting a cybersecurity incident can be done without fear or concern for retaliation.
Definitions
Active Directory—Microsoft's proprietary directory service. A centralized database of user and
computer accounts used for logging into computer systems.
Systems Processing Passwords—The computers or applications that will be accepting passwords
from end-users. This includes workstations, servers, and computer programs.
Privileged Accounts—Accounts used for escalated rights on systems or applications. For
example, administrator accounts or domain admin accounts.
Privileged Access Management(PAM)—Software that manages privileged access in a
centralized database and monitors, detects, and helps prevent unauthorized privileged access to
critical resources.
Service Accounts—Non-user accounts that are utilized to run a specific service, task, or function
on a computer.
Recommendations for Creating Compliant Passwords
Use a passphrase rather than a password
• Choose a sentence, phrase, or series of random and unrelated words.
• Use a passphrase that is easy to remember and has meaning to you.
Example Passphrases:
• (first example passphrase illegible in the scanned source)
• Series of random words: stack process overbid press
• Sentence: When I was 5, I learned to ride a bike.