How to Create an Effective Privileged Password Policy

Within an organisation, privileged passwords represent a considerable risk. They don’t just offer extensive access to workstations and wider networks, but they’re often shared between team members with little or no personal accountability.

Gartner claims that insider threats factor in more than 20% of security breaches, and – if an external attacker gets hold of a privileged password – the consequences could be disastrous.

A privileged password policy is an effective way to enforce best practice around your most crucial accounts. But where do you begin to tackle the mammoth task of creating one for your organisation?

The three phases of password management

When it comes to privileged passwords, context is everything. An admin using a password to conduct some routine maintenance is one thing. An attacker using the password to gain access to your most critical systems is another.

An effective password policy should cover the three major contexts in which passwords are used. These are the three key phases of password management and security.

1. When accounts and passwords are created…

At the earliest stages, privileged accounts should be created with security in mind. That means passwords must meet appropriate complexity levels, and be tailored to their risk level.

Your policy should include:

  • Password lengths for different roles across your organisation
  • How complex privileged passwords should be in comparison to user accounts

2. When you’re operating normally…

When things are going well, how are privileged passwords handled? What should day-to-day usage look like to meet your security expectations and keep your accounts safe?

Your policy should include:

  • How often passwords should be changed
  • When accounts should be locked out
  • Acceptable use for privileged passwords
  • Reporting and logging expectations

3. In the event of a breach…

It’s easy to plan for day-to-day operations, but you also need to be equipped with guidelines for the worst-case scenario.

Your policy should include:

  • What happens in the event of a compromised password?
  • The consequences of not following your policy

A free template for your password policy

To help you establish a privileged account management policy quickly and easily, Thycotic offers a detailed template that covers every key area of password management.

Available as a free download in a Microsoft Word format, the template was developed to meet best practice standards including:

  • SANS
  • NIST
  • GLBA
  • ISO 17799
  • ISO 9000

The template also describes how the policies you include can be enforced with Thycotic Secret Server – a centralised vault for your privileged passwords that offers complete control, full visibility, and time-saving automation.
