Purpose
The purpose of this policy is to establish strong password requirements and procedures to protect the confidentiality, integrity and availability of information systems and data.
Scope
This policy applies to all employees, contractors and third-party users who access information systems and data owned or operated by Bitz ‘n’ PC’z Ltd (the company).
Policy
- All users must create and use strong passwords for all accounts. A strong password is at least 8 characters long and includes a mix of upper and lowercase letters, numbers and symbols. To create a simple but secure password following the NCSC guidance of using three random words, visit: https://bitznpcz.com/passgen/
- Users must not reuse passwords across multiple systems or accounts. Any passwords used at home for social media, shopping etc. must not be used at work.
- Passwords must be changed every 365 days.
- MFA must be used on all cloud services such as M365, Google Workspace etc.
- Passwords must be checked against the Have I Been Pwned database to ensure they have not been compromised in a data breach. See https://bitznpcz.com/password-tools/
- All mobile devices must have a 6-digit PIN or use biometrics (face, fingerprint etc.).
- If a password is believed to be compromised, it must be changed immediately.
- All administrative access must be authorised by a director of the company.
- Administrators must not use their administrative accounts for day-to-day activities such as emails and web-browsing.
- All administrative access will be monitored to identify unauthorised activity.
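The two technical checks the policy asks for (the strength rule and the Have I Been Pwned comparison) can be carried out without ever sending the password itself anywhere. The following is an added example, not the company's password tool and not code from the page: it scores a password against the policy's own rule (8+ characters, upper- and lowercase letters, digits and symbols) and then performs the Pwned Passwords k-anonymity lookup, where only the first five hex characters of the SHA-1 hash are sent to the range endpoint and the returned suffixes are compared locally. The `SAMPLE_RANGE_RESPONSES` table and its breach counts are constructed sample data so the example runs offline; `live_fetch` shows the documented endpoint shape but is not called by default.

```python
import hashlib
import re
from typing import Callable, Dict, List

# Policy rule from this document: at least 8 characters with a mix of
# upper- and lowercase letters, numbers and symbols.
def policy_failures(password: str) -> List[str]:
    """Return the rules the password fails; an empty list means compliant."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    return failures


def split_hash(password: str):
    """SHA-1 the password; return (5-char prefix sent to HIBP, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines as returned by the Pwned Passwords range API."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip() or 0)
    return counts


# Constructed sample data: the suffix for "password" is real (SHA-1 is public),
# the breach counts are made-up numbers for this example only.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call; returns the constructed sample response."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real range lookup (network); only the 5-char prefix leaves the machine."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in breaches (0 = not found in the range)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def evaluate_password(password: str, fetch_range: Callable[[str], str] = offline_fetch) -> dict:
    """Combine both policy checks into one result; acceptable only if both pass."""
    failures = policy_failures(password)
    seen = breach_count(password, fetch_range)
    return {
        "policy_failures": failures,
        "breach_count": seen,
        "acceptable": not failures and seen == 0,
    }


if __name__ == "__main__":
    for candidate in ("password", "Password123", "Tr0ub4dor&3"):
        print(candidate, evaluate_password(candidate))
```

Passing `fetch_range=live_fetch` to `evaluate_password` swaps the sample table for the real service; the rest of the code is unchanged because the comparison of suffixes always happens locally.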
Implementation
The company will adopt the following procedures to implement this policy:
- The company will provide users with training on how to create and use strong passwords.
- The company will use a password management tool to help users create and store strong passwords.
- The company will implement a password policy enforcement tool to ensure that users comply with the policy.
- The company will monitor user activity to identify unauthorised access attempts.
Compliance
The company will conduct regular audits to ensure compliance with this policy. Any employee who violates this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions
- Password: A string of characters that is used to authenticate a user to a system or account.
- Strong password: A password that is at least 8 characters long and includes a mix of upper and lowercase letters, numbers, and symbols.
- Password reuse: The use of the same password for multiple systems or accounts.
- Data breach: An incident in which sensitive information is accessed or disclosed without authorisation.
- Have I Been Pwned Database: A database that contains information about data breaches that have occurred.
- Administrative access: Access to systems and data that is used to manage or maintain the system or data.
- Unauthorised access: Access to systems or data that is not authorised by the owner or administrator of the system or data.