User Passwords and Accounts. All passwords will remain confidential and use ‘strong’ passwords that expire after a maximum of 90 calendar days. Accounts will automatically lockout after five (5) consecutive failed login attempts.
User Passwords and Accounts. As a minimum, user passwords will: remain confidential and will not be shared, posted, or otherwise divulged in any manner, consist of a minimum of eight (8) characters for standard user accounts (ten character for privileged user accounts), contain at least three of the following: uppercase characters (A through Z) lowercase characters (a through z) numeric characters (0 through 9) non-alphabetic characters (for example, !, $, #, %) not contain the account name or account ID or other easily guessed values, not allow the previous thirteen passwords to be reused, and be encrypted in storage and transmission expire after a maximum of 90 calendar days (30 days if privileged account user) User accounts will: automatically lockout after five (5) consecutive failed login attempts; and expire after a maximum of 90 calendar days without use (30 days if privileged account user) All remote access connections to Third Party internal networks and / or computer systems will require authorisation and will provide an approved means of access control at the “point of entry” to the Third Party’s computing or communication resources through multi-factor authentication. Such access will use secure access channels, such as a Virtual Private Network (VPN). All wireless access to Experian Information or Resource(s) will be approved by the Third-Party Information Security Office and use multi-factor authentication prior to being allowed connection to Third Party’s network. The Third Party will develop formal procedures to locate and remove unauthorised wireless devices from accessing Experian Information. Third Party networks that have access to the Experian Information will be logically isolated from any other network segments that allow wireless access. Applications developed by Third Party for Experian or applications and application programming interfaces (API’s) developed by Third Party involved in the processing of Experian information will follow a methodology that allows for: (i) defining security requirements as part of the requirements definition phase; (ii) using a design model that incorporates best practices in security; (iii) developing code in ways that minimise security vulnerabilities (such as cross-site scripting, SQL injection, buffer overflows, etc.); (iv) testing the code through static and dynamic assessments; and (v) deploying the application in a secure production environment. Web applications hosted by the third party for Experian will have a web applica...
