Aetna's Information Security Policy and Standards apply to all existing and future company locations, departments and divisions, together with all employees, temporary or contractual, business partners, agents, vendors, customers, consultants, suppliers and other third parties who use or otherwise have access to information. The Information Security Policy and Standards encompass all information technology resources for which Aetna has administrative responsibility or a third-party interest or affiliation.

Aetna's goal is that all employees, consultants, and temporary and part-time personnel work together to ensure that Aetna's information assets are used only in proper pursuit of the company's business; that information is not improperly disclosed, modified, or endangered; and that access to company information is not made available to any unauthorized person.
Access to Aetna resources is granted on an individual basis. Each individual uses a pre-determined, unique identifier (userid). The userid is associated solely with that individual and is used in each system or environment to which that individual has been granted access.
Verification of the userid is by personal password. The use of non-expiring passwords has been allowed in the past, as an exception to policy, in order not to impede business deliverables. Aetna's policy, however, states that systems providing access to our affiliate users will be set to automatically force the changing of a password once every 90 days. Users with special privileges, e.g., system developers or administrators, must change their passwords at least every 30 days.
Our 90-day reset policy, confirmed by IDC, META Group, PWC and Gartner, is based upon the industry standard for password lifetime, which is between 30 and 90 days for computer systems that hold information of a personal and sensitive nature and rely on passwords to provide personal identification. Extending password lifetime beyond 90 days is uniformly considered to be outside accepted practice and could raise a red flag to auditors and state insurance examiners. Extending the password lifetime beyond 90 days also does not meet external audit and security standards, including those of the National Association of Insurance Commissioners, that require password changes at least quarterly. Regularly changing passwords is considered a fundamental element of establishing a 'trusted' system under regulatory standards.
The following additional password standards apply to all Aetna system users.
- Passwords must meet the following requirements:
  - minimum of six alpha/numeric characters;
  - does not contain the individual's userid;
  - is not equal or similar to the five most recently used passwords.
- Individuals will create their own unique passwords, and these passwords will not contain:
  - identifiable personal data such as children's names, hobbies, or favorite sports teams;
  - words found in a dictionary;
  - repeated characters, e.g., aabb1122;
  - part of the user's name in the first four characters; and
  - profanities or the following prefixes or abbreviations restricted by our mainframe security product: AETNA, JAN, FEB, MAR, APR, MAY, JUN, JUL, AUG, SEPT, OCT, NOV, DEC, MON, TUE, WED, THU, FRI, SAT, SUN, WINTER, SPRING, SUMMER, FALL, NORTH, SOUTH, EAST, WEST, APPL, ASDF, BABY, BASIC, BEAR, CADAM, CAT, COLD, COW, DEMO, DOG, FOCUS, GAME, GIANTS, HEART, HELP, LOG, LOVE, NET, NEW, NOPW, PART, PASS, QWERT, REDSOX, ROS, SIGN, SNOW, STAR, TEST, TIMBER, TSO, TWIN, VALID, VIK, VTAM, WOLVES, XMAS, XXX, 1234.
- Passwords will be set to expire upon initial login, and individuals will, at that time, change the password to a unique one of their own choosing.
- Compromised passwords must be changed immediately.
- Systems will suspend users after five unsuccessful access attempts.
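As an added illustration (not part of Aetna's policy text or any Aetna system), the checker below turns the password rules above into code. Where the policy is open to interpretation, the reading chosen is an assumption: "similar" is taken as the same password ignoring case and trailing digits, "repeat characters" as any character doubled consecutively, and the dictionary is a small constructed stand-in; history is compared in plaintext here only for clarity, where a deployment would compare against salted hashes.

```python
import re

# Restricted prefixes as listed in the policy for the mainframe security product.
RESTRICTED_PREFIXES = (
    "AETNA", "JAN", "FEB", "MAR", "APR", "MAY", "JUN", "JUL", "AUG", "SEPT", "OCT",
    "NOV", "DEC", "MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN", "WINTER", "SPRING",
    "SUMMER", "FALL", "NORTH", "SOUTH", "EAST", "WEST", "APPL", "ASDF", "BABY", "BASIC",
    "BEAR", "CADAM", "CAT", "COLD", "COW", "DEMO", "DOG", "FOCUS", "GAME", "GIANTS",
    "HEART", "HELP", "LOG", "LOVE", "NET", "NEW", "NOPW", "PART", "PASS", "QWERT",
    "REDSOX", "ROS", "SIGN", "SNOW", "STAR", "TEST", "TIMBER", "TSO", "TWIN", "VALID",
    "VIK", "VTAM", "WOLVES", "XMAS", "XXX", "1234",
)
# Constructed stand-in for a real dictionary wordlist (assumption).
DICTIONARY = {"welcome", "summer", "horizon", "insurance"}
HISTORY_DEPTH = 5  # policy: not equal or similar to the five most recent passwords


def _normalize(pw: str) -> str:
    # "Similar" read as: same characters ignoring case and trailing digits (assumption).
    base = re.sub(r"\d+$", "", pw.lower())
    return base or pw.lower()


def check_password(pw: str, userid: str, full_name: str, history: list[str]) -> list[str]:
    """Return the policy rules the candidate password violates (empty list if it passes).

    `history` holds the user's previous passwords, most recent first.
    """
    violations = []
    if len(pw) < 6 or not pw.isalnum():
        violations.append("must be at least six alphanumeric characters")
    if userid.lower() in pw.lower():
        violations.append("must not contain the userid")
    if _normalize(pw) in {_normalize(h) for h in history[:HISTORY_DEPTH]}:
        violations.append("equal or similar to one of the five most recent passwords")
    if pw.lower() in DICTIONARY:
        violations.append("is a dictionary word")
    if re.search(r"(.)\1", pw):  # 'aabb1122' style: a character doubled consecutively
        violations.append("contains repeated characters")
    name = re.sub(r"\W", "", full_name.lower())
    if len(pw) >= 4 and pw[:4].lower() in name:
        violations.append("first four characters are part of the user's name")
    if pw.upper().startswith(RESTRICTED_PREFIXES):
        violations.append("starts with a restricted prefix")
    return violations
```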
Aetna is committed to protecting its information and yours, together with the associated computing and communications infrastructure. Working together we can, and will, achieve our information security goals. We thank you for helping to make it happen.