The security of all information created or hosted by Company is the responsibility of all employees. Disclosure is governed by departments and Company policies. The highest of ethical standards are required to prevent the inappropriate transfer of sensitive or confidential information.

Release of information is strictly for job related functions. Confidentiality is compromised when knowingly or inadvertently, information crosses the boundaries of job related activities.

Passwords

Users must be required to follow good security practices in the selection and use of passwords. Passwords provide a means of validating a user's identity and thereby establish access rights to information processing facilities or services. All agency staff must be advised to:

1. Keep passwords confidential
2. Avoid keeping a paper record of passwords, unless this can be stored securely
3. Change passwords whenever there is any indication of possible system or password compromise
4. Select quality passwords with a minimum length of eight characters which are:
   • easy to remember
   • not based on anything somebody else could easily guess or obtain using person related information, e.g. names, telephone numbers and dates of birth etc.
   • free of consecutive identical characters or all-numeric or all-alphabetical groups
5. Change passwords at regular intervals (passwords for privileged accounts should be changed more frequently than normal passwords)
6. Avoid reusing or cycling old passwords
7. Change temporary passwords at the first log-on
8. Not include passwords in any automated log-on process, e.g. stored in a macro or function key
9. Not share individual user passwords

Information Content

All information content hosted by Company is owned by and is the primary responsibility of the department responsible for collecting and maintaining the authenticity, integrity and accuracy of information. The objective of the Company is to protect the information from inadvertent or intentional damage as well as unauthorized disclosure or use according to the classification standards and procedural guidelines of Company.

The following procedures must be followed by all departments:

1. All information content must reflect the actual state of affairs of the respective Agency
2. Changes in the status of personnel who have system access are entered in the system immediately and the appropriate authorization / change form sent to the hosting agency's Security Administration
3. In the event of a dismissal, the respective Agency is to call and notify the hosting agency's Security Administration immediately