Authentication and Password Security Policy

      1. Selection of Strong Authentication Factors

      1.1. Purpose: The purpose of this policy is to ensure that this system and data are protected by strong authentication measures.

      1.2. Guidelines:

      • Using multi-factor authentication (MFA) is recommended for all users and required for some.

      • Select hard-to-guess passwords that do not contain dictionary words or information about the user, such as the user ID, names of family members, date of birth, etc.

      2. Protection of Authentication Factors

      2.1. Purpose: To safeguard authentication factors from unauthorized access and use.

      2.2. Guidelines:

      • Authentication factors (e.g., passwords, tokens) must not be shared or disclosed to anyone, including colleagues.

      • Users must not write down authentication factors in a manner that compromises security (e.g., on sticky notes) or store them in insecure files.

      • Users must be alert to malicious individuals who may try to exploit their passwords (for example, by calling and asking for their password so the caller can “troubleshoot a problem”).

      • Passwords must not be inserted in external e-mail messages or other forms of electronic communication.

      • Passwords must not be revealed over the phone to anyone.

      • Passwords must not be revealed on questionnaires or security forms.

      3. Password/Passphrase Management

      3.1. Purpose: To prevent unauthorized access to company systems and data through secure management of passwords/passphrases.

      3.2. Guidelines:

      • Users must not reuse previously used passwords/passphrases across different systems.

      • Passwords/passphrases must meet minimum complexity requirements, including length and character diversity.

      • Passwords/passphrases should be changed immediately if there is any suspicion or knowledge that they have been compromised.

      • If a password/passphrase is suspected of being compromised, report it immediately via a support request.

      4. Incident Reporting

      4.1. Purpose: To ensure prompt handling and resolution of security incidents related to authentication factors.

      4.2. Guidelines:

      • Users who suspect their authentication factors have been compromised must report the incident immediately via a support request.

      • The report should include details such as when the incident occurred, how it was detected, and any potential impact.

      • Upon receiving a report, an investigation will be initiated and appropriate action will be taken to mitigate any potential threats.

      5. Compliance and Enforcement

      5.1. Compliance: All users accessing this system and data must comply with this policy.

      5.2. Enforcement: Non-compliance with this policy may result in disciplinary action, up to and including termination of the contract.

      6. Review and Updates

      6.1. Policy Review: This policy shall be reviewed annually or as necessary to ensure it remains current and effective.

      6.2. Policy Updates: Updates to this policy may be initiated as required to address new security threats or technological advancements.

      7. Policy Acknowledgement

      7.1. Acknowledgement: By using company systems and data, users acknowledge that they have read, understood, and agree to comply with this Authentication and Password Security Policy.