APP Wholesale Ltd Password Management Policy
Purpose
The purpose of this password policy is to ensure the security and integrity of APP Wholesale Ltd's IT hardware, systems, software and networks in compliance with ISO27001 standards. It outlines the guidelines and best practices for creating and managing passwords to prevent unauthorised access, data breaches, and other security incidents.
Password Complexity
All passwords must adhere to the following guidelines.
- Passwords must be unique for each enterprise asset.
- Passwords must be a minimum of 8 characters for accounts using Multi-Factor Authentication (MFA).
- Passwords must be a minimum of 14 characters for accounts not using MFA.
- Passwords must include a combination of uppercase and lowercase letters, numbers, and special characters (e.g., !, @, #, $, %).
- Passwords should not be based on easily accessible personal information such as names, birthdays, or common words.
- You will be prompted to change your passwords no less than every 180 days, but it is recommended to change them more frequently.
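The rules above can be enforced automatically at the point where a password is set. The following checker is an added illustration, not APP Wholesale Ltd's own tooling; the function names, the sample common-word list and the way personal information is passed in are assumptions made for the example.

```python
from datetime import date

MIN_LEN_WITH_MFA = 8       # policy: 8 characters when MFA protects the account
MIN_LEN_WITHOUT_MFA = 14   # policy: 14 characters when it does not
MAX_AGE_DAYS = 180         # policy: prompt for change no less than every 180 days
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
# Constructed sample of "common words"; a real deployment would use a larger list.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein"}


def check_password(password, mfa_enabled, personal_info=()):
    """Return the list of policy violations for a candidate password.

    An empty list means the password complies. `personal_info` is an
    iterable of strings the user must not base the password on, such as
    their name or birth year (assumed to be supplied by the caller).
    """
    problems = []
    minimum = MIN_LEN_WITH_MFA if mfa_enabled else MIN_LEN_WITHOUT_MFA
    if len(password) < minimum:
        mode = "with" if mfa_enabled else "without"
        problems.append(f"shorter than {minimum} characters ({mode} MFA)")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    lowered = password.lower()
    for item in personal_info:
        item = str(item).lower()
        # Ignore very short fragments that would match almost anything.
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal information '{item}'")
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    return problems


def password_is_due(last_changed, today):
    """True when the password has reached the 180-day rotation limit."""
    return (today - last_changed).days >= MAX_AGE_DAYS
```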
Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) must be enabled for all accounts where technically feasible. MFA adds an extra layer of security by requiring users to provide two or more forms of identification before accessing devices, systems or software.
Password Storage and Transmission
- Passwords must be stored securely using industry-standard encryption algorithms.
- Passwords must not be transmitted over unencrypted channels (e.g., email, instant messaging).
- Microsoft Edge is the preferred browser on APP Wholesale Ltd devices, and the Edge password manager provides password generation and encrypted storage.
Password Management
- Employees must not share their passwords with anyone, including colleagues or IT support staff.
- If an employee suspects that their password has been compromised, they must report it to the IT department immediately.
- IT administrators must have a secure process for resetting passwords for employees who forget their passwords.
Employee Training
All employees must receive regular training on password security best practices and the importance of safeguarding their passwords. Currently, this training is provided as part of the KnowBe4 modules.
Compliance and Enforcement
Non-compliance with this policy may result in disciplinary action. Regular audits and security assessments are conducted to ensure compliance with this policy; non-compliant user accounts may be suspended.
Review and Revision
This password policy will be reviewed annually and updated as necessary to address emerging security threats and technological changes. By adhering to this password policy, we can enhance the security posture of our organisation and protect our valuable hardware, systems and software from unauthorised access and cyber threats.