Do You Have A Password Policy?

Continuing our EstesCloud IT Security blog series, which began with why you should write a security policy and do you have a malware policy, we continue with our next edition, about passwords.

A client recently switched managed IT service companies to EstesCloud, and we quickly discovered several issues involving passwords. Password and security problems are typically exposed only after an organizational change, so what’s the solution? We suggest creating a password security policy.

A password security policy is a document that outlines how users create and use passwords. It can also include guidelines for creating logins/usernames and more. It matters to an organization’s security because most assets are protected with nothing more than a name and a password. Consider how many websites and doors open with just a name and a password, then consider the ramifications if those passwords were compromised.

You have likely never considered implementing a specific password policy, so let’s take a moment to look at some of the problems of not having one and some of the components to consider when you do write one. Microsoft implements a default password security policy with these settings:

  1. Passwords must be changed every 42 days, but not more often than once a day.
  2. Passwords must be 7 or more characters.
  3. The 24 previous passwords are remembered and can’t be reused.
  4. Passwords must be complex (UPPER, lower, numbers and symbols).
  5. Passwords cannot contain the username.

Problems caused by not having a password security policy

1. When an employee leaves.

When an employee leaves, whether through death, resignation or termination, or even a temporary leave of absence, the next person to handle the role needs access to information. This can include computer passwords, website logins, e-mail access and more. Employees often set up their own logins and security passwords, leaving the successor unable to access important information.

Example: Susie used an online payroll processing company and, when she created her logins, used personal information to set up the security questions. When she was terminated for not processing the payroll one week, all those answers went with her, and she was not cooperative in providing them to her former employer. The result was lost productivity while the owner proved ownership, reset the account and transferred all the historical data.

2. When changing a vendor.

This is similar to an employee leaving, because a vendor is like an employee. They hold information that they take with them when the contract ends, and getting it back once they are no longer financially tied to you is difficult.

Example: John was hired to replace a former IT company that had failed to perform and test regular backups. When he attempted to resolve an issue with Microsoft, he didn’t have the information needed to log in or verify the business. A password reset wasn’t working because nobody knew which e-mail address had been used to create the account. The company lost money paying John to troubleshoot something created by another vendor who had already been paid.

Components to consider in writing a password policy

1. Purpose and scope of the policy

Explain why this policy is being created and where it applies. For example, does it cover only client data, or all web use?

2. How long a password can be in place before it needs to be changed

For most companies this is between 60 and 180 days. Where the security risk is lower, longer periods can be considered. Requiring changes more often than every 30 days results in employee frustration, and users will usually write their passwords on a post-it note and leave it under the keyboard.

3. How long a password needs to be

Strong passwords are 8-14 characters. The longer the password, the harder it is to crack. Think pass-phrase instead of pass-word and you’ll be safer.

4. Variety of password characters

Requiring letters, capitalization, numbers and symbols produces a more secure password. The policy can also exclude things like repeated characters or the use of a name or username.

5. How passwords are stored

Passwords may be stored in a secure document, a shared cloud file, an encryption program or elsewhere, and the policy needs to specify which. Additionally, note how passwords must not be stored, shared or communicated.

6. How the policy will be enforced and the disciplinary actions if it is not followed

Clearly communicate how this policy will be enforced and by whom. Lay out the action steps if the policy is not followed. This may also be where a component regarding account lockout is added. Remember that the goal is security, not endless disciplinary action.

7. Administrator rights

Define what administrators are able to access and when.
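The five Microsoft default settings listed earlier and the policy components above (maximum and minimum age, length, character variety, password history, lockout) are easiest to reason about as the checks a system actually runs. The Python below is an added illustration, not EstesCloud’s or Microsoft’s code: it models an account with a salted-hash password history and tests a candidate password against those rules. The defaults are the Windows values from the list above; the lockout threshold of five failed logons is an assumption, since the post mentions lockout without giving a number.

```python
"""Password-policy checker for the rules discussed in the post.

Added illustration, not EstesCloud code. Defaults mirror the five Microsoft
settings quoted in the post (42-day maximum age, 1-day minimum age, 7-character
minimum, 24-password history, complexity, no username). The lockout threshold
is an assumption: the post mentions lockout but gives no number.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    max_age_days: int = 42
    min_age_days: int = 1
    min_length: int = 7
    history_size: int = 24
    min_char_classes: int = 3   # Windows "complexity" means 3 of the 4 classes below
    lockout_threshold: int = 5  # assumption: not a value from the post


@dataclass
class Account:
    username: str
    # (salt, PBKDF2 hash) pairs, oldest first. Plaintext history is never kept.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: Optional[datetime] = None
    failed_logons: int = 0
    locked: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored history cannot be read back as passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def char_classes(password: str) -> int:
    """Count how many of UPPER / lower / digit / symbol the password uses."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def validate(policy: PasswordPolicy, acct: Account, candidate: str,
             now: datetime) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if char_classes(candidate) < policy.min_char_classes:
        problems.append(f"uses fewer than {policy.min_char_classes} character classes")
    if acct.username.lower() in candidate.lower():
        problems.append("contains the username")
    # History check: re-derive with each stored salt, compare in constant time.
    for salt, digest in acct.history[-policy.history_size:]:
        if hmac.compare_digest(_derive(candidate, salt), digest):
            problems.append(f"matches one of the last {policy.history_size} passwords")
            break
    if acct.last_changed and now - acct.last_changed < timedelta(days=policy.min_age_days):
        problems.append(f"changed less than {policy.min_age_days} day(s) ago")
    return problems


def change_password(policy: PasswordPolicy, acct: Account, candidate: str,
                    now: datetime) -> List[str]:
    """Apply the change if it passes validation; return the violation list either way."""
    problems = validate(policy, acct, candidate, now)
    if not problems:
        salt = os.urandom(16)
        acct.history.append((salt, _derive(candidate, salt)))
        acct.history = acct.history[-policy.history_size:]  # keep only the last N
        acct.last_changed = now
    return problems


def is_expired(policy: PasswordPolicy, acct: Account, now: datetime) -> bool:
    """True once the maximum age has passed, or if no password was ever set."""
    if acct.last_changed is None:
        return True
    return now - acct.last_changed > timedelta(days=policy.max_age_days)


def record_logon(policy: PasswordPolicy, acct: Account, success: bool) -> bool:
    """Track failed logons for the lockout component; return the lock state."""
    if success:
        acct.failed_logons = 0
    else:
        acct.failed_logons += 1
        if acct.failed_logons >= policy.lockout_threshold:
            acct.locked = True
    return acct.locked


if __name__ == "__main__":
    # Constructed sample account, named after the post's example.
    policy = PasswordPolicy()
    acct = Account(username="susie")
    t0 = datetime(2016, 1, 4)
    print(change_password(policy, acct, "Payroll!2016", t0))          # []
    print(validate(policy, acct, "susie2016!", t0 + timedelta(hours=5)))
    print(is_expired(policy, acct, t0 + timedelta(days=43)))           # True
```

The history is kept as salted PBKDF2 hashes rather than plaintext, which is the point of component 5 above: a policy that remembers old passwords must not become a list of them. The `validate` function reports every violation at once so a user sees the full set of reasons instead of fixing one and being refused for the next.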

A good password policy helps a company keep information secure and provides an action plan for an organizational change in which a successor takes over tasks that require a password. Partner with your IT company when creating your password policy, as they are typically the administrators of the policy. They will be instrumental in setting up the behind-the-scenes processes that manage password security.

See SANS for a sample password policy.

Where single-factor authentication (name/password) is insufficient, we can help with multi-factor authentication (such as a PIN plus a text message). EstesCloud ServerCare includes a password policy review, and depending on your company policy, we can propose a more secure password policy.

EstesCloud // Explore our Managed Services Solution:

CompleteCare: Maintaining your own IT infrastructure is expensive and frustrating. EstesCloud CompleteCare combines the benefits of our ServerCare and ClientCare programs into one comprehensive program that protects your entire IT infrastructure at a predictable fixed cost.  Let the EstesCloud team become your Trusted IT Advisor, so you can get back to growing your business.
Let’s start the conversation!


ServerCare: A proactive approach to IT that includes regular scheduled maintenance and monitoring is essential to maintaining a healthy network and a productive staff.
EstesCloud ServerCare will give you peace of mind knowing that our team is continually watching and caring for your servers.
Discover the Benefits of ServerCare.


ClientCare: Proactive support for your desktops, laptops, and mobile devices.  We provide all of the monitoring, patching, and security tools for your systems, plus full access to our help desk services 24/7/365.
EstesCloud ClientCare will ensure your valuable data is secure whenever and wherever it is needed.

Take control of your systems today.


ComplianceCare: Are you a medical provider under HIPAA or HITECH regulatory compliance? Are government auditors keeping you up at night? Our HIPAA IT Management Service will ensure you are HIPAA compliant.

For the health of your IT Enterprise.

Take the first step to reduce cost and increase the productivity of your business. Give us a call at 888.300.2340, and

Do you have a malware policy?

Continuing our EstesCloud IT Security blog series on the importance of cyber security, which began with why you should write a security policy, we continue with our next edition about malware.

A server malware protection policy is designed to protect your systems from cyberattacks. Malware is software intended to damage or disable computers or computer systems. It can be code, spyware, cookies, viruses, worms, Trojan horses and more that compromise your PC and possibly your whole network! Infections can be very expensive to correct, not just in lost productivity but also in equipment restoration or replacement.

Malicious software typically enters in one of 6 ways:

  1. E-mail attachments
  2. E-mail links to suspicious websites
  3. Website surfing to problematic websites
  4. Website links to malicious sites
  5. Exploiting vulnerabilities in the hosts, communication networks or perimeter systems
  6. Convincing a user to install infected software/apps

How to create a server malware protection policy

Why a malware policy?

Just as with any policy, you will begin with the “Why”. Why are you creating the policy?  Presumably it’s to minimize the likelihood and the subsequent impact of an infection.

Who does it apply to?

Define and clarify the scope of the policy. What equipment is included?

What are we talking about?

Define the vocabulary being used, such as:

What is malware?

What damage can it cause?

What is an anti-virus program?

What is filtering software?

How is the malware policy activated?

Where do we go for additional resources?

The malware policy itself:

State what the policy is. Suggestions include:

  • What the anti-virus program is, who installs it and what devices require installation.
  • What to do in case of new devices, suspected infection, suspicious or problematic software links.
  • How and when scans should be run and if they are manual or automatically scheduled.
  • How the software should be monitored and updated, and how the required updates are managed.
  • Rules about installing applications, downloading information, updating software, and opening attachments.
  • The use of filtering programs such as website blockers and e-mail scanning.
  • Rules about spam, junk mail, chain e-mails, social sites and any other applicable areas of potential risk.

A malware policy response plan

Sometimes all the policies, plans and procedures can’t stop a cyberattack, in which case you should consider a malware response plan. This response plan should be included as part of the malware policy.

This fallback plan kicks into action when there is an infection or a threat. It is typically a flow chart of action steps to mitigate as much damage as possible.

Step 1

Determine if there is a threat and how significant it is.

Step 2

Isolate the problem. The solution may require blocking internet services or shutting down a server or workstation to prevent further infection.

Step 3

Remove the problem. This is what anti-virus programs are designed for. It may be as simple as a scan and repair, or it may require re-installing the OS from original media or even replacing equipment.

Step 4

Recovery. Once the problem has been isolated and eliminated, check the systems for any other problems. Depending on the depth of infection, you might consider the venerable “format C:” to remove most (but not all!) infections. Be careful you don’t re-infect your system as you restore data, and make sure you close the attack vector so you don’t get re-infected! It is absolutely essential that your backup and disaster recovery plan be 100%, as the damage from some infections (like the CryptoWall ransomware) cannot be undone!

Step 5

Communication. Talk about how the malware was able to cause damage. Discuss the situation with users and make any needed adjustments with the IT company to avoid it happening again in the future.

The bulk of information involved in a malware policy is in the communication to users about what it is, how it can be prevented and what to do in case there is an infection.

See SANS for a sample malware policy at https://www.sans.org/security-resources/policies/retired#server-malware-protection-policy

With EstesCloud ServerCare, ClientCare and our HIPAA ComplianceCare, antivirus and filtering software is installed to help reduce incidents, and support is provided if there is an issue.
