The purpose of this policy is to establish the organizational requirements for Identification & Authentication management practices to ensure we operate within a secure infrastructure, using methods that meet or exceed industry best practices as well any governing compliance frameworks necessary to support our customers.

Provide guidance and operation methods and processes that must be maintained to conform with these policies.

Identify system users, processes acting on behalf of users, and devices.

Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.

Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

Prevent reuse of identifiers for a defined period.

Disable identifiers after a defined period of inactivity.

Enforce a minimum password complexity and change of characters when new passwords are created.

Prohibit password reuse for a specified number of generations.

Allow temporary password use for system logons with an immediate change to a permanent password.

Store and transmit only cryptographically-protected passwords.

Obscure feedback of authentication information.

All DLZP Group employees (including contractors and vendors with access to DLZP Group systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

The purpose of this Plan is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

The scope of this Plan includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any DLZP Group facility, has access to the DLZP Group network, or stores any non-public DLZP Group information.

• All system-level passwords (e.g., root, administrator, application administration accounts, etc.) must be changed on at least a quarterly basis.
• User accounts that have system-level privileges granted through group memberships must have a unique password from all other accounts held by that user.
• Passwords must not be inserted into email messages or other forms of electronic communication.
• All user-level and system-level passwords must conform to the guidelines described below.

Do not use the same password for DLZP Group accounts as for other non-DLZP Group access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same password for various DLZP Group access needs.

Do not share DLZP Group passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, Confidential DLZP Group information.

Here is a list of “don’ts”:

• Don't reveal a password over the phone to ANYONE
• Don't reveal a password in an email message
• Don't reveal a password to the boss
• Don't talk about a password in front of others
• Don't hint at the format of a password (e.g., “my family name”)
• Don't reveal a password on questionnaires or security forms
• Don't share a password with family members
• Don't reveal a password to co-workers while on vacation

If someone demands a password, refer them to this document or have them call the DLZP Leadership.

Do not use the “Remember Password” feature of Windows or applications (e.g., Internet Explorer, Outlook, Netscape, etc.).

Again, do not write passwords down and store them anywhere in the office. Do not store passwords in a file on ANY computer system (including mobile or similar devices) without encryption.

If an account or password is suspected to have been compromised, report the incident and change all passwords.

Administrative password cracking or guessing may be performed on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user will be required to change it.

Application developers must ensure their programs contain the following security precautions. Applications:

• should support authentication of individual users, not groups.
• should not store passwords in clear text or in any easily reversible form.
• should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.

Access to the DLZP Group network via remote access (VPN) is to be controlled using either password authentication or a shared key system managed by a VPN client.

• Change passwords every 90 days (except system-level passwords which must be changed at least quarterly).
• Users cannot reuse any of their last 24 passwords.
• Password must be a minimum of 14 characters; it must contain one capital letter or special character and at least one number.

• New users receive a temporary password that needs to be changed every 90 days
• Users cannot reuse their previous password when prompted to change it
• Passwords must be a minimum of 14 characters; passwords require at least one capital letter and one number and one special character
• Passwords are encrypted using a 256 bit RC4 stream cipher during transmission to the server and are stored in the database using a secure 160-bit SHA hash value. This secure hash means that although passwords may be reset by an administrator they can never be retrieved from the database.

Any employee found to have violated this Plan may be subject to disciplinary action, up to and including termination of employment.