Policy Text
Page 1 of 5 10/11 (NEW 10/13)
GENERAL ORDER
Network Password Policy
This General Order is to establish a standard to comply with State and Federal policy in
regards to strong password creation, protection, management, and enforcement.
I. Overview
Passwords are an important aspect of computer security. They are the front line of protection
for user accounts. A poorly chosen password may result in a compromise of the Sacramento
County Sheriff’s Department’s entire network. As such, all Sacramento County Sheriff’s
Department employees (including volunteers, contractors and vendors with access to
Sacramento County Sheriff’s systems) are responsible for taking the appropriate steps, as
outlined below, to select and secure their passwords.
II. Scope
The scope of this General Order includes all personnel who have or are responsible for an
account (or any form of access that supports or requires a password) on any system that
resides at any of Sacramento County Sheriff’s facilities, has access to the Sacramento
County Sheriff’s network, DOJ’s Network or NCIC network, or stores any non-public
Sacramento County Sheriff’s Department information.
III. Policy
A. General
1. Passwords are not to be shared with another person, or stored in
an easily accessible location.
2. All user-level passwords (e.g., email, web, desktop computer, etc.)
must be changed at least every 90 days.
3. User accounts with access to CLETS or NCIC privileges must have a
unique password from all other accounts held by that user.
4. Users who suspect that their password has become known by
another person shall change their password immediately.
5. Passwords must not be inserted into email messages or other forms of
electronic or written communication.
6. All user-level, system-level, and NCIC access level passwords must
conform to the guidelines described below.
B. Password Creation
Passwords are used for various purposes at Sacramento County Sheriff’s
Department. Some of the more common uses include: user level accounts,
web accounts, email accounts, screen saver protection, voicemail password,
and local router logins. Because very few systems have support for one-time
tokens (i.e., dynamic passwords which are used once), everyone should be
aware of how to select strong passwords.
1. Sacramento Sheriff’s users with a system account to either the
Sheriff Network or any of the IT Systems including access to the
CLETS and NCIC must follow the secure password attributes below
to create and to authenticate an individual’s unique ID. (per FBI
CJIS Security Policy Version 5.1 section 5.6.2.1)
Passwords must:
a. Contain both upper and lower case characters (e.g., a-z, A-Z).
b. One letter must be Upper Case.
c. Be a minimum length of eight (8) characters on all systems.
d. Contain digits, letters and at least one non-alpha numeric
character, e.g., (0 - 9, ! @ # $ % ^ & * _ + { } [ ] : " ; < > ? , ).
e. Expire within 90 calendar days.
f. Not be identical to the previous ten (10) passwords.
g. Not be the same as the user ID.
h. Not be a dictionary word within any language or proper name.
i. Not contain any part of the previous password.
j. Not be based on personal information, names of family, date of
birth, etc.
C. Password Deletion or Suspension:
A password deletion or suspension occurs when:
1. A user retires, resigns, or is released; a user is placed on
administrative leave; a user is on extended military leave or medical
leave, etc.
2. By order of a Division Commander or their designee for operational or
administrative necessity.
3. The user has 120 days of account inactivity or the user is out of
DOJ - NCIC compliance.
4. Contractor, Affiliate, Consultants, Volunteer accounts, when no
longer needed to perform their duties.
Any Sacramento County Sheriff’s employee who determines the password is
no longer needed must:
5. Notify his or her immediate supervisor for passwords to be deleted.
6. Contractor should inform his or her point-of-contact (POC), or the
Division’s Training Manager.
7. Supervisor or Division’s Training Manager should send an e-mail with
password deletion requests to: netteam@sacsheriff.com and
acc@sacsheriff.com.
Sacramento County Sheriff’s Technical Services Division staff will then
delete or suspend the user’s password and delete or suspend the user’s
account.
D. Application Development Standards
Application developers must ensure their programs contain the following
security precautions:
1. All systems-level passwords (e.g., root, enable, network administrator,
application administration accounts, etc.) must be changed at least
every 90 days.
2. Should support authentication of individual users, not groups.
3. Passwords must not be displayed when entered.
4. Passwords must not be transmitted in the clear outside the secure
location