3.4.2 Network Access and Password Requirements

Title: Network Access and Password Requirements Doc Type: PR Doc Number: 3.4.2 Issuing COE/Unit: Finance: Information Technology Issuing Department: IT Service Desk Approved by: CIO Original Date of Issue: 05/14/10 Revised/Reviewed: 8/14/17 Version #: 11.0 Page:

1 of 6

1.0 PURPOSE The purpose for the document is to describe Information Technology's (IT's) High Level Security strategy, methods for handling Access Requests and user passwords. A. Access Requests - All network and applications user requests are authorized and meet Di's security and compliance requirements to ensure secure and reliable operation of Di's information systems. B. User Passwords - All users of information systems and applications on the Di's network (including contractors, and approved vendors with access to DI Systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2.0 APPLICABILITY This procedure is applicable to DynCorp International (DI) LLC, and its majority owned subsidiaries.

3.0 CORE PROCESS This categorization identifies the owning Core Process, as previously identified by the Enterprise Performance Excellence Quality Systems (QS) Team for review. Go to the GEM for a list of all of the Core Processes & Definitions. 3.1 Information Technology (IT)

4.0 SCOPE The specific intended audience for this procedure are all DI employees or those working with DI personnel who require access to DI’s Network, systems, or applications.

© 2017 DynCorp International (DI). All rights reserved. Uncontrolled if printed. Before using this document, the reader is responsible in ensuring that it is the most current version available by comparing it with the online (master) version. Information contained herein is proprietary to DI. Title: Network Access and Password Requirements Doc Type: PR Doc Number: 3.4.2 Issuing COE/Unit: Finance: Information Technology Issuing Department: IT Service Desk Approved by: CIO Original Date of Issue: 05/14/10 Revised/Reviewed: 8/14/17 Version #: 11.0 Page:

2 of 6

5.0 ROLES & RESPONSIBILITIES 5.1 IT Security and Conpliance: responsible for implementing this procedure 5.2 IT Service Desk: responsible for supporting with network and access requests as needed 5.3 Employee: If utilizing VPN must not leave DI information on non-DI machines.

6.0 DEFINITIONS 6.1 None

7.0 PROCEDURE Procedure Visual Overview N/A Procedure Description 7.1 Access Requests follow these requirements: 7.1.1 Access to Di's network, systems, and applications must be granted through the appropriate, approved request form. Approvers must only approve access for legitimate, authorized business reasons. 7.1.2 The designated system owner works in conjunction with the IT Security group to determine the appropriate signature authority for access to any particular application. 7.1.3 All Users who access Di's information systems must complete an access packet, available through the IT Service Desk, prior to issuance of a user ID. A signature on these statements indicates

3 of 6

the user understands and agrees to abide by these DynCorp International LLC policies and procedures. 7.1.4 Accounts are disabled after significant changes in end-users' duties or employment status. Transfers between DI and DI subsidiaries are not considered employment status changes for the purpose of network access. Network and application access may be terminated prior to enabling the transferred user's new accounts. 7.1.5 User accounts are uniquely assigned to a specific individual. 7.1.6 Roles will be defined and utilized for assignment of access privileges when supported and available. These roles will be documented, as appropriate, on user access forms. 7.1.6.1 Rights, above and beyond assigned roles, may be granted using the appropriate, approved, access form. 7.2 Passwords must follow appropriate parameters: 7.2.1 To protect DI Systems from intrusion, user authentication mechanisms will include passwords to meet the following criteria: 7.2.1.1 Credentials, such as passwords or username/password combinations, are not to be shared. 7.2.1.2 Password entry must be masked. 7.2.1.3 All passwords must be changed every 90 days. 7.2.1.4 Passwords must meet the following criteria: 7.2.1.4.1 Minimum 8 characters in length. 7.2.1.4.2 Include upper and lower case letters. 7.2.1.4.3 Include at least one number.

4 of 6

7.2.1.4.4 Include at least one special character. 7.2.1.4.5 Cannot be repeat of previously used passwords 7.2.1.5 Corporate IT may provide a one time password information for support purposes. 7.2.1.6 The same password cannot be used by IT personnel for all new users. 7.2.1.7 The same password cannot be used by IT personnel when performing password 7.2.1.8 resets. 7.2.1.9 The user, HR or someone in the user's supervisory chain are the only appropriate recipients of the user's initial password. 7.2.1.10 Passwords may be stored electronically in an encrypted format only. 7.2.1.11 Common administrative accounts have their password changed upon departure of any individual with access to such an account. 7.3 To the extent each system allows, each system must: 7.3.1 Be configured to enforce this procedure. 7.3.2 Force a password change after initial login. 7.3.3 Disable user accounts after 5 fai led logon attempts. 7.3.4 Set password re-use to 5 or greater. 7.3.5 Force a password reset upon initial login. 7.3.6 Applications and systems shall be configured with an automatic lock timeout. 7.3.7 Applications utilizing a separate access service shall use an automatic lock timeout on the access service.

5 of 6

7.4 In order to request an exception to this procedure for large groups, the requestor must submit a Service Desk ticket, explaining the following: 7.4.1 The Business Case for granting an exception to the documented and established procedure. 7.4.2 A Business Executive's acceptance of all business risks related to the granting of the exception. 7.4.3 A Business Executive Sign-off that their department, or program is requesting the exception. 7.4.4 Level of access required and number of users. 7.4.5 CIO approval that IT will grant the exception. 7.4.6 If the exception is approved it will be deemed either a permanent or a temporary exception. If the exception is temporary, a date will be noted to indicate how long the exception is granted.

8.0 DOCUMENTS REFERENCED WITHIN 8.1 Form(s) (FO) 8.1.1 3.4.2-1 Network Access Form (NAF) and User Agreement (UA)

9.0 ATTACHMENTS / EXHIBITS 9.1 None

6 of 6

10.0 REVISION HISTORY **All prior versions of the document will be found within the Version History of the GEM. To obtain prior versions, email [email protected]. Version # Date Revised / Reviewed Summary of Change 10.0 06/19/17 Re-activated document from previously archive/inactive status; revised to current format/template; made minor document edits to make document current. 11.0 8/14/17 Annual Review, Header to read as issuing COE/Unit to read Finance: Information Technology