Password and Access Control Policy Overview

Password and Access Control Policy Document Control Summary

• The Password and Access Control Policy sets out specific responsibilities, conditions, and practices to minimize risks and protect physical assets and sensitive information.
• The policy applies to all systems and assets owned, managed, or operated by the company.
• The HR role/line manager is responsible for informing IT of new employees, changes to access rights, and leavers.
• The Information Security Manager approves access requests and audits user and access lists on a quarterly basis.
• Systems Administrators must adhere to the policy when making changes to access privileges and ensure systems enforce the configurations in the policy.
• User authentication is based on job classification and function, with the principle of least privilege and need-to-know basis.
• Non-authenticated and shared/group user IDs are prohibited, and every user must have a unique user ID and personal secret password.
• Different authentication mechanisms are required for user, operating system, web, voice, email, fax, white mail, remote access, and network device authentication.
• Passwords must not be shared, must be at least 8 characters with a mix of upper and lower case letters, numbers, and special characters.
• Password history is maintained, password lockout and duration are set, and remote access should utilize two-factor authentication.
• Vendor remote access accounts should be monitored, passwords changed regularly, and unused accounts deactivated.
• Violations of the policy may result in disciplinary action, and deviations require a valid business case reviewed and approved by the Security Management Team and/or Legal Counsel.