IS-04 Password Policy
Last updated: 24 October 2024 at 11:43:47 UTC by Russell Briggs
Password Policy
Document Ref No | IS-04
Version No | V1
Last review date | 14/10/2021
Approved by | Dom Tyler
Next review | 14/10/2022
Contents
1. Purpose, scope and users
2. User obligations
3. Two Factor Authentication
4. User password management
5. Document management
6. Version history
1. Purpose, scope and users
The purpose of this document is to prescribe rules to ensure secure password management and secure use of passwords.
This document is applied to the entire Information Security Management System (ISMS) scope, i.e. to all systems located within the ISMS scope.
Users of this document are all employees of Recycly.
2. User obligations
Users must apply good security practices when selecting and using passwords:
● Passwords must not be disclosed to other persons, including management and system administrators unless authorised.
● Passwords must not be written down unless a secure method has been approved by the IT department.
● User-generated passwords must only be distributed using a secure shared vault on LastPass. Passwords must be changed if there are indications that a password or the system might be compromised; in that case a security incident must be reported.
● Password management software should be used where available
● Strong passwords must be selected, of no fewer than 12 characters.
● Passwords must be changed upon suspicion of compromised or vulnerable credentials.
● Passwords must be unique per service/account
● Passwords must be changed at first log-on to a system.
● Passwords used for private purposes must not be used for business purposes
● Where password management software is unavailable a strong passphrase of at least 15 characters must be used
3. Two Factor Authentication
● Where two-factor authentication is available, it must be enabled.
● Where two-factor authentication is used, an 8-character password is acceptable.
4. User password management
When allocating and using user passwords, the following rules must be followed:
● By agreeing to abide by company policies, users also accept the obligation to keep passwords confidential, as prescribed by this document
● Each user may use only their own uniquely allocated username
● Each user must have the option to choose their own password, where applicable
● The temporary password used for first system log-on must be unique and strong, as prescribed above
● Temporary passwords must be communicated to the user in a secure manner, and the user's identity must be verified beforehand.
● The password management system must require the user to change the temporary password at first log-on to the system
● The password management system must require the user to select strong passwords, where possible.
● Users must change their passwords upon suspicion of compromised or vulnerable credentials
● If the user requests a new password a password reset link will be sent to the user's registered email address.
● The password must not be visible on the screen during log-on
● If a user enters an incorrect password three consecutive times, the system must block the user account in question
● Passwords created by the software or hardware manufacturer must be changed during initial installation
● Files containing passwords must be stored separately from the application's system data
5. Document management
This policy shall be available to all Recycly Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Recycly Employees via email.
6. Version history
Summary of Change | Date of Change | Author | Version No
First Draft | 14/10/2021 | Dom Tyler | 1