Password Policy Free Template

Here is a comprehensive Password Policy that aligns with SOC 2 (CC6.1, CC6.2), ISO 27001 (A.5.17), and industry best practices:

1. Document Control

  • Document Title: Password Policy

  • Document Identifier: POL-SEC-004

  • Version Number: v1.0

  • Approval Date: <23 June 2025>

  • Effective Date: <23 June 2025>

  • Review Date: <23 June 2026>

  • Document Owner: <Chief Information Security Officer>

  • Approved By: <Information Security Governance Committee>

2. Purpose

The purpose of this Password Policy is to establish a robust framework for the creation, management, and use of passwords across all systems and platforms at <Organization>. Passwords are a fundamental component of information security, serving as a primary method for protecting user accounts, systems, and data against unauthorized access. This policy aims to reduce the risk of breaches due to weak, stolen, or compromised passwords by defining clear standards for password complexity, lifecycle, storage, and user responsibilities.

This policy supports <Organization>'s compliance efforts with SOC 2 Trust Services Criteria CC6.1 and CC6.2, which emphasize the need for logical access controls and identity verification. It also ensures alignment with ISO/IEC 27001:2022 control A.5.17, which mandates proper allocation and management of authentication information. Effective implementation of this policy contributes to the overall information security posture by enforcing access protections that are critical to confidentiality, integrity, and availability.

3. Scope

This policy applies to all individuals who access <Organization>'s systems, networks, or applications, including full-time employees, contractors, consultants, vendors, and third-party users. It encompasses all password usage within the corporate environment, including but not limited to domain accounts, application-specific credentials, service accounts, administrative accounts, and passwords used for remote access tools.

The policy applies across all geographic locations and business units. It covers systems hosted on-premise and in the cloud. While systems utilizing passwordless authentication (e.g., biometric or certificate-based) may have their own security controls, those systems must also comply with this policy where fallback password authentication exists.

4. Policy Statement

<Organization> mandates strong and secure password practices for all users and systems. All passwords must:

  • Be at least 12 characters in length and include a combination of uppercase letters, lowercase letters, numbers, and special characters.

  • Avoid the use of easily guessed elements such as names, birthdays, or dictionary words.

  • Be unique per system—password reuse across different systems is prohibited.

  • Be changed at least every 180 days, or immediately if a compromise is suspected.

  • Be stored using secure hashing algorithms (e.g., bcrypt, Argon2) and never stored in plaintext.

For privileged accounts:

  • Passwords must be at least 16 characters, changed every 90 days, and stored in a secure password vault.

Default credentials must be changed upon initial use. Passwords must not be shared or written down. Any exceptions must be formally documented and approved.

5. Safeguards

To implement and enforce this policy, <Organization> will:

  • Require password changes via centralized identity management systems integrated with MFA.

  • Monitor for password reuse and dictionary-based passwords using real-time authentication checks.

  • Enforce lockout policies after 5 failed login attempts.

  • Require password expiration alerts and self-service reset capabilities with identity verification.

  • Maintain audit logs of all password-related events (e.g., resets, lockouts, expiration).

  • Use enterprise password managers for storing and managing shared credentials securely.

  • Regularly audit credentials and ensure that inactive accounts are deactivated within 30 days.

Table: Password Requirements

Account Type        | Min Length | Expiration | MFA Required | Storage Method
--------------------|------------|------------|--------------|-----------------------
Standard User       | 12 chars   | 180 days   | Yes          | Hashed (bcrypt/Argon2)
Privileged/Admin    | 16 chars   | 90 days    | Yes          | Encrypted Vault
Service/Integration | 24 chars   | 365 days   | N/A          | Encrypted Key Store
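The following is an added example, not part of the policy template, showing how the rules in Section 4, the lockout and audit requirements in Section 5, and the per-account-type values in the table above could be implemented as code. The blocklist, sample passwords and usernames are constructed for illustration; the hashing routine uses PBKDF2 from the Python standard library as a stand-in so the example runs offline, whereas the policy itself names bcrypt or Argon2 (which need third-party packages). Function names such as check_password and LockoutTracker are this example's own, not from any product.

```python
"""Reference checks for the password policy: per-account-type length and
expiry (from the requirements table), Section 4 composition and reuse rules,
and the Section 5 lockout threshold with an audit trail."""

import hashlib
import re
import secrets
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Values from the policy's "Password Requirements" table.
REQUIREMENTS = {
    "standard":   {"min_length": 12, "expiry_days": 180},
    "privileged": {"min_length": 16, "expiry_days": 90},
    "service":    {"min_length": 24, "expiry_days": 365},
}

# Constructed stand-in for the dictionary/name blocklist Section 4 implies;
# a real deployment would load a large wordlist plus employee names.
BLOCKLIST = {"password", "welcome", "summer", "admin", "alice", "bob"}

LOCKOUT_THRESHOLD = 5  # Section 5: lock out after 5 failed login attempts

# Section 4 character classes: uppercase, lowercase, number, special character.
CLASS_RULES = {
    "no uppercase letter":  r"[A-Z]",
    "no lowercase letter":  r"[a-z]",
    "no digit":             r"[0-9]",
    "no special character": r"[^A-Za-z0-9]",
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 (assumption: standard-library stand-in for the
    bcrypt/Argon2 named in the policy). Iteration count kept moderate for speed."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def check_password(candidate: str, account_type: str = "standard",
                   previous_hashes: Tuple[Tuple[bytes, bytes], ...] = ()) -> List[str]:
    """Return the list of Section 4 violations; an empty list means compliant."""
    rules = REQUIREMENTS[account_type]
    violations: List[str] = []
    if len(candidate) < rules["min_length"]:
        violations.append(f"shorter than {rules['min_length']} characters")
    for message, pattern in CLASS_RULES.items():
        if not re.search(pattern, candidate):
            violations.append(message)
    lowered = candidate.lower()
    blocked = sorted(word for word in BLOCKLIST if word in lowered)
    if blocked:
        violations.append("contains blocked word(s): " + ", ".join(blocked))
    if re.search(r"(19|20)\d{2}", candidate):
        violations.append("contains a year-like sequence (possible birthday)")
    # Reuse check against the caller's stored (salt, digest) history.
    for salt, digest in previous_hashes:
        if secrets.compare_digest(hash_password(candidate, salt)[1], digest):
            violations.append("matches a previously used password")
            break
    return violations


def password_expired(last_changed: date, account_type: str, today: date) -> bool:
    """Expiry per the requirements table (180 / 90 / 365 days)."""
    limit = timedelta(days=REQUIREMENTS[account_type]["expiry_days"])
    return today - last_changed > limit


class LockoutTracker:
    """Counts consecutive failures per account and records the audit events
    Section 5 asks for (lockouts and resets)."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD) -> None:
        self.threshold = threshold
        self.failures: Dict[str, int] = {}
        self.audit_log: List[str] = []

    def record_failure(self, user: str) -> bool:
        """Register one failed attempt; return True if the account is now locked."""
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] == self.threshold:
            self.audit_log.append(f"LOCKOUT user={user} after {self.threshold} failures")
        return self.is_locked(user)

    def record_success(self, user: str) -> None:
        """A successful login (only possible while unlocked) resets the counter."""
        self.failures.pop(user, None)

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.threshold

    def admin_reset(self, user: str) -> None:
        """Helpdesk unlock after identity verification; logged per Section 5."""
        self.failures.pop(user, None)
        self.audit_log.append(f"RESET user={user} (lockout cleared)")


if __name__ == "__main__":
    # Constructed samples: one weak standard-user password, one compliant admin one.
    print(check_password("Summer2024!", "standard"))
    print(check_password("Tq7#vLm9!pXz2Rk&", "privileged"))
```

The reuse check deliberately re-hashes the candidate with each stored salt rather than comparing plaintext, so the history can be kept as hashes only, consistent with the "never stored in plaintext" rule; the year-pattern and blocklist checks are simple approximations of the "names, birthdays, or dictionary words" rule and would be backed by a real wordlist in production.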

6. Roles and Responsibilities

  • Chief Information Security Officer (CISO): Overall accountability for policy enforcement, compliance reporting, and audit readiness.

  • IT Operations: Enforce password settings via system configurations and directory policies.

  • HR: Notify IT of employee onboarding/offboarding events to ensure timely provisioning and deprovisioning of credentials.

  • All Users: Responsible for creating secure passwords and maintaining their confidentiality.

Line managers must ensure that employees within their teams understand and comply with this policy.

7. Compliance and Exceptions

Compliance will be verified through:

  • Automated technical controls (e.g., group policy enforcement)

  • Periodic audits of password hygiene across systems

  • Spot checks during access reviews

Exceptions may be requested by submitting a formal risk acceptance document to the Information Security Governance Committee. All exceptions must be justified, time-bound, and reviewed semi-annually.

8. Enforcement

Violations of this policy may result in disciplinary actions, including:

  • Verbal or written warnings

  • Mandatory security training

  • Suspension of access privileges

  • Termination of employment or contracts for repeat or high-risk violations

Where violations result in or contribute to a security breach, legal consequences or law enforcement notification may apply. Enforcement decisions will be documented and handled in coordination with HR and legal teams, ensuring consistency and fairness.

9. Related Policies/Documents

  • POL-ALL-003: Access Control Policy

  • POL-ALL-002: Acceptable Use Policy

  • PRC-IT-002: Multi-Factor Authentication Implementation Procedure

  • ISO/IEC 27001:2022 Control A.5.17 – Authentication Information

  • SOC 2 Criteria: CC6.1 – Logical Access Controls

10. Review and Maintenance

This policy shall be reviewed at least annually by the Information Security team. All revisions must follow the standard change control process and be approved by the Information Security Governance Committee. The current policy version shall be published in the company’s central policy repository.

Ready to experience the BlueDocs advantage

See why teams choose BlueDocs for comprehensive knowledge management, training workflows, and policy compliance tracking.