User passwords will be managed as follows;
- Users must apply Sm8rtHealth’s password policy regarding password usage and management.
- Initial temporary passwords must be conveyed in a secure manner.
- When Sm8rtHealth’s standard encryption algorithm option is available, initial temporary passwords shall be conveyed via e-mail.
- Users must change their temporary password upon first login.
- In the event of forgotten passwords, temporary passwords will only be issued following positive identification of the user.
- All passwords relating to a System Administrator that has left the employ of Sm8rtHealth or its service provider will be immediately changed.
- Users may not store passwords on a computer or in any place with public access.
Passwords must be changed at least every 6 months
| Details | Users and Administrator | Super Admin |
| Password Strength for new passwords | Password must be at least eight characters in length, containing at least one number and at least one non-alphanumeric character. | Password must be at least eight characters in length, containing at least one number and at least one nonalphanumeric character. |
| Password attempts before account is locked | 3 attempt(s) | 3 attempt(s) |
| Validity of a Password before it expires | 90 day(s) | unlimited |
| New password cannot repeat any of the previous X number of passwords | 10 previous password(s) | 10 previous password(s) |
| After a password has been changed, a user cannot change password until X days have elapsed | 1 day(s) | 1 day(s) |
| An account that is inactive for X minutes will auto log-out | 15 Minutes | 15 Minutes |
| An account which has not been used for X number of days will be inactivated | 30 day(s) | Not applicable |
User responsibilities regarding passwords and unattended equipment
User responsibilities for managing passwords and unattended equipment are as follows; • Users must abide by the password management policy set out above.
- Users must enable password-protected screen savers on desktops, portable computers/laptops, and servers.
- Users should set their device timer to enable the screen saver after no more than 15 minutes of inactivity.
- Users must terminate active sessions when activities are finished.
- For AWS connection, users must log off after completion of their tasks.
