Policy template for reference. This contains some specific additions that strengthen the password policy. For a robust and generic password policy, do get in touch.
1. <Document classification> <Version History>
<Company Name><Business Unit> - Password Policy
1. Overview
All IT systems of <Company Name> managed by <business unit> are protected with a username and
password to ensure authorized and protected usage. This policy is owned by <team name>, reporting into <business
unit> or the board of <company name>. Any queries, questions or requests for assistance regarding this policy must be
communicated to <email link of info sec lead or team mailing group>.
2. Purpose
The purpose of this policy is to establish a standard for the management of passwords for <business unit>
approved IT systems. This policy defines the password construction requirements, password usage, the data
classification of passwords, complexity, end user responsibility, system owner responsibility, incident reporting and
the review mechanism.
3. Scope
This policy applies to any application, server, network device or other electronic equipment owned or
sanctioned by the <IT lead of Company Name> as approved for business use of <Company Name>, connected
to the <Company Name> network, or any electronic location where <Company Name> business information is
stored.
4. Policy
All passwords must be changed on or before <n> number of days.
All passwords for systems defined as critical systems must be changed every <m> number of days.
IT systems implemented for <Company Name> should have passwords that expire in <x> number of
days.
The user account for the IT system should be locked after <h> invalid logon attempts. This number
should be derived from the information risk management process <link to information risk
management process>.
User accounts or system accounts whose password is not changed before the due date must be
monitored, and an appropriate limit on non-usage of the system by that account should be set.
Passwords should not be shared with untrusted persons using any method of communication.
5. Password Management
5.1.a Password Construct – User responsibility
To ensure confidentiality and a strong defense, the password you choose should meet the following
requirements:
The password should be longer than eight characters.
The password you choose should not be easily predictable or guessable.
The password should contain letters, numbers and special characters <specify permissible
characters here>.
5.1.b Password Construct – System owner responsibility
The IT system owner is accountable for implementing the standards defined in this policy.
Although this policy does not prescribe how the standards are to be implemented, clearly defined
processes, steps or secure automation are expected to be in place for the password policy to be operational and
effective. System owners can consult the information security team and have their methods reviewed and evaluated
prior to implementation.
For a system that is classified as critical, the system owner must have the user account management
implementation reviewed by <info sec team name> and approved by <info sec lead position>, <technology lead
position> and/or <business continuity lead>.
5.2 Password data classification
Passwords are classified as <data classification label> in <Company Name>. The details of this classification are
provided in <link to information security policy>. In line with this data classification, the protection standards
are provided in section 5.3.
5.3 Password Protection Standards
An initial password is issued to an authorized employee only after the employee has been identified and
validated. Providing the password to the user account owner through a secure method is the responsibility of the IT
system owner. The IT system must enforce a password change on first logon.
To ensure that the password is not compromised, the following guidelines are set:
Do not store <Company Name> account passwords on personal electronic devices or <Company
Name> owned IT assets in plain text.
Passwords can be stored in an encrypted format that complies with the encryption standards defined
in the document <link to encryption policy or standard>.
Any other non-compliant method of storing passwords needs to be reviewed and approved by the
<info sec team name>.
An IT system should not cache or store the <x> previously used passwords of a specific account.
The IT system owner has to implement a secure method for transmitting the password.
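One way a system owner could turn the placeholders of sections 4, 5.1.a and 5.3 into enforceable configuration, as an added illustration that is not part of this template or any organisation's implementation. The values chosen for <n>, <m>, <h>, the minimum length and the permitted special characters, and the names PasswordPolicy, Account, construction_errors, is_expired and logon_decision, are assumptions for illustration only.

```python
import string
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class PasswordPolicy:
    # Assumed values for the template's placeholders; real numbers come from the risk process (section 4).
    max_age_days: int = 90            # <n>: change on or before this many days
    critical_max_age_days: int = 45   # <m>: shorter limit for critical systems
    lockout_threshold: int = 5        # <h>: invalid attempts before the account locks
    min_length: int = 9               # "more than eight characters" (5.1.a)
    specials: str = "!@#$%^&*()-_=+"  # <specify permissible characters here>

@dataclass
class Account:
    last_changed: date                # date of the most recent password change
    first_logon_pending: bool = True  # 5.3: initial password must be changed at first logon
    critical: bool = False            # account lives on a system classified as critical
    invalid_attempts: int = 0         # consecutive failed logons; reset by a successful logon

def construction_errors(policy: PasswordPolicy, password: str) -> list:
    """Section 5.1.a: length, character classes and the permitted special-character set."""
    permitted = string.ascii_letters + string.digits + policy.specials
    checks = [
        (len(password) >= policy.min_length, "too short"),
        (any(c.isalpha() for c in password), "no letter"),
        (any(c.isdigit() for c in password), "no digit"),
        (any(c in policy.specials for c in password), "no special character"),
        (all(c in permitted for c in password), "character outside the permitted set"),
    ]
    return [message for ok, message in checks if not ok]

def is_expired(policy: PasswordPolicy, last_changed: date, today: date, critical: bool = False) -> bool:
    """Section 4: a password older than <n> days (<m> on critical systems) must be changed."""
    limit = policy.critical_max_age_days if critical else policy.max_age_days
    return (today - last_changed).days > limit

def logon_decision(policy: PasswordPolicy, account: Account, password_ok: bool, today: date) -> str:
    """Apply lockout, expiry and first-logon rules; returns LOCKED, INVALID, CHANGE_REQUIRED or OK."""
    if account.invalid_attempts >= policy.lockout_threshold:
        return "LOCKED"  # stays locked until an administrator resets the counter
    if not password_ok:
        account.invalid_attempts += 1
        return "LOCKED" if account.invalid_attempts >= policy.lockout_threshold else "INVALID"
    account.invalid_attempts = 0  # a successful logon resets the counter
    if account.first_logon_pending or is_expired(policy, account.last_changed, today, account.critical):
        return "CHANGE_REQUIRED"
    return "OK"
```

The policy object is the single place where the template's numbers live, so a review of the critical-system limits (5.1.b) only has to look at one definition.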
5.4 Policy compliance
Compliance with the password policy is regularly monitored by the <info sec team>. Any exception must be
reviewed by the <info sec team> and approved by the respective authority for that type of exception.
Exceptions may be based on, but are not limited to: employee (HR lead title), definition of the system (IT lead title),
business (business lead title), legal requirement (legal lead title), financial or regulatory (finance lead title).
Non-compliance will be logged and reviewed further, and corrective action will be prescribed and
communicated by the <info sec team>.
6. Incident reporting
It is the responsibility of the employee to report any misplaced password, or any unwarranted use or misuse of the
password for any IT system. This includes, but is not limited to:
a. Forgotten password
b. Password compromise in any manner
c. System password store hack
For types a and b, the authorized user can use the IT incident reporting process. In the case of type c, the IT system owner, <IT
lead title>, <Info Sec lead title> and <business continuity lead title> have to be informed immediately.
7. Roles and Responsibilities
The RACI matrix in this section specifies the roles for the activities involved in password management.
Columns (left to right): <IT lead title>, <Info Sec lead title>, <System Owner>, <Info Sec team>, <Authorized user>
Password Policy definition R A C R I
Selection of password A
System implementation of password R R A C I
Policy compliance monitoring I A I R
Incident reporting (Type a and b) A
Incident reporting (Type c) A
Policy review A A A R
R - Responsible; A - Accountable; C - Consulted; I - Informed
8. Policy Review
This policy is subject to the audit requirements specified by <audit team name>. Any changes to this policy will
comply with the change management process as set by <link to business or IT change management process>.
This policy is maintained in compliance with <link to version control management system>.
8.1 Policy review history
Review Date Reviewed By Description of change