Password policy
Purpose
The purpose of this Password Policy is to establish a standard for creating, managing, and protecting passwords within the organisation. This policy aims to safeguard company systems and data by enforcing strong password practices for all employees, contractors, and third-party users.
Scope
This policy applies to all users who access company systems, networks, or data, including but not limited to employees, contractors, consultants, and temporary staff.
Policy
Password and PIN creation guidelines
Password guidelines
- Length: Passwords must be at least 12 characters long.
- Complexity: Passwords must include characters from all four of the following classes:
  - Uppercase letters (A-Z)
  - Lowercase letters (a-z)
  - Numbers (0-9)
  - Special characters (e.g., !, @, #, $, %)
- Prohibited Elements:
  - Do not use common words, phrases, or easily guessable information (e.g., "password", "123456", your name, or your birthdate).
  - Do not use any part of your username or email address in your password.
- Password Reuse: Passwords must not be reused across multiple systems or accounts. New passwords must differ from the last five passwords used.
PIN guidelines
- Length: PINs must be at least 6 digits long.
- Complexity: PINs must not be predictable sequences (e.g., "123456," "000000") or repeated digits (e.g., "111111").
- PIN Reuse: Users must not reuse their PINs across different devices or systems. New PINs must differ from the last three used.
- Avoid Personal Information: PINs must not include easily guessable information such as birthdays, anniversaries, or portions of a phone number.
Password change requirements
- Immediate Change: Users must change their password immediately if they suspect it has been compromised or after any security incident.
- Temporary Passwords: Temporary passwords issued by the company must be changed upon first login.
Multi-factor authentication (MFA) or Two-factor authentication (2FA)
- Requirement: Where available, multi-factor authentication (MFA) must be enabled on all accounts with access to sensitive data or critical systems.
- Methods: MFA combines at least two independent factor types: something you know (password or PIN), something you have (hardware token or registered mobile device), or something you are (biometrics). Two factors of the same type (e.g., a password and a PIN) do not count as MFA.
Password storage
- Hashing: Systems must store passwords only as salted hashes produced by an industry-standard, deliberately slow password-hashing algorithm (e.g., Argon2, bcrypt, or scrypt). Reversible encryption of passwords is not acceptable, because anyone who obtains the key can recover every password.
- Prohibited Storage: Do not store passwords in plain text, in email, or in easily accessible documents.
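The creation rules above and the storage requirement together describe something a registration or password-change handler can enforce. The following Python is an added example, not part of the original policy: it checks a candidate password against the page's rules (length, four character classes, common passwords, parts of the username or email address, and the last five passwords) and stores passwords as salted scrypt hashes, so the reuse check compares against hashes rather than stored plaintext. The scrypt cost parameters, the small deny-list, and the reading of "any part of your username" as any alphanumeric run of three or more characters are assumptions.

```python
import hashlib
import hmac
import os
import string

# Parameters taken from the policy text above.
MIN_LENGTH = 12
HISTORY_DEPTH = 5
# Constructed, illustrative deny-list. A real deployment would load a large
# breached-password list instead of this handful of entries.
COMMON_PASSWORDS = ("password", "123456", "qwerty", "letmein", "welcome")

# Assumed scrypt cost parameters (N=2^14, r=8, p=1 uses 16 MiB per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def hash_password(password: str) -> str:
    """Hash with a fresh 16-byte random salt. The stored record is
    'scrypt$<salt hex>$<hash hex>', so the salt travels with the hash."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_scrypt(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record
    return hmac.compare_digest(_scrypt(password, salt), expected)


def _identity_tokens(username: str, email: str) -> set:
    """Pieces of the username and email local part that must not appear in a
    password. The policy says 'any part'; here (an assumption) a part is any
    alphanumeric run of three or more characters."""
    local_part = email.split("@", 1)[0]
    tokens = set()
    for source in (username, local_part):
        run = ""
        for ch in source.lower() + " ":  # trailing space flushes the last run
            if ch.isalnum():
                run += ch
            else:
                if len(run) >= 3:
                    tokens.add(run)
                run = ""
    return tokens


def password_violations(candidate: str, username: str, email: str,
                        previous_hashes: list) -> list:
    """Return the policy rules the candidate breaks (empty list = accepted).
    previous_hashes is the user's stored history, oldest first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    lowered = candidate.lower()
    if any(word in lowered for word in COMMON_PASSWORDS):
        problems.append("contains a common password")
    if any(tok in lowered for tok in _identity_tokens(username, email)):
        problems.append("contains part of the username or email address")
    # Reuse is checked against stored hashes, never against stored plaintext:
    # the history list must hold only hash_password() output.
    if any(verify_password(candidate, old) for old in previous_hashes[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    history = [hash_password("Old-Passw0rd-Nine")]
    for pw in ("Tr0ub4dor&3-Correct", "Smith2024!xyzQ", "Old-Passw0rd-Nine", "short1!"):
        result = password_violations(pw, "jsmith", "john.smith@example.com", history)
        print(pw, "->", result or "OK")
```

Each stored record carries its own random salt, so two users with the same password get different hashes, and the constant-time comparison in verify_password avoids leaking how many bytes of a guess matched. Keeping the history as hashes means the "last five" rule costs one scrypt computation per stored entry at change time, which is acceptable for an interactive flow but is why the history depth is bounded.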
Password management tools
- Recommendation: Users are encouraged to use company-approved password management tools to generate and store strong, unique passwords.
- Prohibited Tools: Use of unapproved password management tools or methods (e.g., writing passwords down on paper) is prohibited.
User responsibilities
- Confidentiality: Users must keep their passwords confidential and must not share them with others.
- Reporting: Users must report any suspected security breaches or password compromises to the Tech Circle immediately.
Procedure for Compromised Password or PIN
In the event that a password or PIN is suspected or confirmed to be compromised, the following steps must be followed:
Immediate Actions
- Report the Incident: Users must immediately report the suspected or confirmed compromise to the Tech Circle. This can be done via phone, email, or direct message.
- Change the Password/PIN: Users must change the compromised password or PIN as soon as possible using the standard password/PIN change process. If the user is unable to do so, they must request assistance from the Tech Circle.
- Log Out of All Sessions: Users should sign out of all active sessions on all devices (computers, mobile devices, and any other systems where the compromised credentials may have been used). Where a system offers a "sign out everywhere" or session-revocation option, use it, because changing a password does not necessarily invalidate sessions that are already open.
Tech Circle Actions
- Account Lockdown: The Tech Circle will temporarily lock the compromised account(s) to prevent unauthorised access until the issue is resolved.
- Investigation: The Tech Circle will conduct an investigation to determine the scope of the compromise, including:
  - Identifying how the credentials were compromised.
  - Checking for any unauthorised access or changes made to the account.
  - Determining if other accounts or systems were affected.
- Reset Access: After the user has changed the password/PIN, the Tech Circle will assist in resetting access to any affected systems and ensure that the user's credentials are updated and secure.
Monitoring
- Increased Monitoring: The Tech Circle will implement increased monitoring on the compromised account(s) for any suspicious activity for a defined period, typically 30 days.
- Review Logs: The Tech Circle will review system logs to identify any unauthorised access attempts or unusual behaviour that occurred before and after the compromise.
Communication
- Notify Affected Parties: If the compromise affects other users, systems, or third parties, the Tech Circle will coordinate with the appropriate teams to notify those affected and provide instructions for mitigating any potential risks.
- Incident Report: A formal incident report will be created documenting the details of the compromise, the actions taken, and any lessons learned.
Post-Incident Review
- Review and Update Security Measures: After resolving the incident, the Tech Circle and security teams will review the existing security measures and policies. If necessary, they will implement updates to prevent similar incidents in the future.
- User Training: If the compromise was due to user error or a phishing attack, additional training may be provided to the affected user(s) and, if necessary, to the broader organisation.
Member and employee responsibilities
- Compliance: Members and employees are responsible for adhering to this policy at all times. Non-compliance may result in disciplinary action.
Exceptions
Any exceptions to this policy must be approved in writing by the Tech Circle or a designated authority.
Monitoring and review
- Policy Review: This policy will be reviewed annually and updated as necessary to address new security threats or changes in technology.
- Audit and Monitoring: The Tech Circle will audit and monitor compliance with this policy.
Last updated: