Password and Access Control Policy Summary

Password and Access Control Policy Document Control Summary

• The Password and Access Control Policy sets out specific responsibilities, conditions, and practices to minimize risks and protect physical assets and sensitive information.
• The policy applies to all systems and assets owned, managed, or operated by the organization.
• The HR role/line manager is responsible for informing IT of new employees, changes to access rights, and leavers.
• The Information Security Manager reviews and approves access requests and audits user and access lists quarterly.
• Systems administrators must adhere to the policy when making changes to access privileges and ensure systems enforce the policy configurations.
• User authentication is based on business needs, with access granted based on job classification and function.
• Non-authenticated or shared user IDs are prohibited, and every user must have a unique user ID and personal secret password.
• Authentication mechanisms must be suited for the delivery channel and implemented with appropriate strength.
• Secure authentication mechanisms must be implemented for operating system access, web applications, voice inquiries, email, fax, white mail, remote access, and network devices.
• Access control configurations include unique IDs, unique passwords, password changes, password history, password lockouts, and two-factor authentication for remote access.
• Passwords must not be shared, stored in the clear, or reused. Password lockout duration is set to 30 minutes.
• Violating the policy may result in disciplinary action, and deviations are permitted only with approval from the Security Management Team and/or Legal Counsel.