
IS-04 Password Policy

Last updated: 24 October 2024 at 11:43:47 UTC by Russell Briggs

Password Policy


Document Ref No: IS-04
Version No: V1
Last review date: 14/10/2021
Approved by: Dom Tyler
Next review: 14/10/2022


Contents

1. Purpose, scope and users
2. User obligations
3. Two Factor Authentication
4. User password management
5. Document management
6. Version history

1. Purpose, scope and users

The purpose of this document is to prescribe rules that ensure secure password management and secure use of passwords.

This document applies to the entire Information Security Management System (ISMS) scope, i.e. to all systems located within the ISMS scope.

Users of this document are all employees of Recycly.


2. User obligations

Users must apply good security practices when selecting and using passwords:

- Passwords must not be disclosed to other persons, including management and system administrators, unless authorised.
- Passwords must not be written down unless a secure method has been approved by the IT department.
- User-generated passwords must only be distributed using a secure shared vault on LastPass. Passwords must be changed if there are indications that the passwords or the system might be compromised; in that case a security incident must be reported.
- Password management software should be used where available.
- Strong passwords must be selected and must be no fewer than 12 characters.
- Passwords must be changed upon suspicion of compromised or vulnerable credentials.
- Passwords must be unique per service/account.
- Passwords must be changed at first log-on to a system.
- Passwords used for private purposes must not be used for business purposes.
- Where password management software is unavailable, a strong passphrase of at least 15 characters must be used.


3. Two Factor Authentication

- Where two-factor authentication is available, it must be enabled.
- Where two-factor authentication is used, an 8-character password is acceptable.


4. User password management

When allocating and using user passwords, the following rules must be followed:

- By agreeing to abide by company policies, users also accept the obligation to keep passwords confidential, as prescribed by this document.
- Each user may use only their own uniquely allocated username.
- Each user must have the option to choose their own password, where applicable.
- The temporary password used for first system log-on must be unique and strong, as prescribed above.
- Temporary passwords must be communicated to the user in a secure manner, and the user's identity must be verified beforehand.
- The password management system must require the user to change the temporary password at first log-on to the system.
- The password management system must require the user to select strong passwords, where possible.
- Users must change their passwords upon suspicion of compromised or vulnerable credentials.
- If the user requests a new password, a password reset link will be sent to the user's registered email address.
- The password must not be visible on the screen during log-on.
- If a user enters an incorrect password three consecutive times, the system must block the user account in question.
- Passwords created by the software or hardware manufacturer must be changed during initial installation.
- Files containing passwords must be stored separately from the application's system data.
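As an added illustration (not part of the IS-04 policy text), the concrete parameters from sections 2 to 4 encoded as a small Python check: the minimum length depends on whether two-factor authentication is enforced and whether a password manager is available, and an account is blocked after three consecutive failed log-ons. The function and class names are assumptions made for this example.

```python
from dataclasses import dataclass

# Minimum lengths as stated in IS-04 sections 2 and 3.
MIN_LEN_DEFAULT = 12        # strong password, password manager available
MIN_LEN_NO_MANAGER = 15     # passphrase required when no password manager is available
MIN_LEN_WITH_2FA = 8        # acceptable when two-factor authentication is used
MAX_CONSECUTIVE_FAILURES = 3  # section 4: block the account after three wrong passwords


def required_length(two_factor: bool, manager_available: bool) -> int:
    """Minimum password length IS-04 requires for the given account context."""
    if two_factor:
        return MIN_LEN_WITH_2FA
    return MIN_LEN_DEFAULT if manager_available else MIN_LEN_NO_MANAGER


def check_password(candidate: str, two_factor: bool, manager_available: bool) -> list:
    """Return the list of IS-04 length-rule violations; an empty list means acceptable."""
    problems = []
    need = required_length(two_factor, manager_available)
    if len(candidate) < need:
        problems.append(f"shorter than the required {need} characters")
    return problems


@dataclass
class LoginState:
    """Per-account log-on state (hypothetical helper, not the policy's own tooling)."""
    consecutive_failures: int = 0
    blocked: bool = False
    must_change_password: bool = True  # temporary password must be replaced at first log-on

    def record_attempt(self, success: bool) -> bool:
        """Record one log-on attempt; returns True only if the user is allowed in."""
        if self.blocked:
            return False
        if success:
            self.consecutive_failures = 0  # the counter only tracks *consecutive* failures
            return True
        self.consecutive_failures += 1
        if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            self.blocked = True  # section 4: block the account in question
        return False

    def complete_password_change(self) -> None:
        """Clear the first-log-on flag once the temporary password has been replaced."""
        self.must_change_password = False
```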


5. Document management

This policy shall be available to all Recycly employees and to any third parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Recycly employees via email.

6. Version history

Summary of Change    Date of Change    Author        Version No
First Draft          14/10/2021        Dom Tyler     1