(Aligned with ISO 27001 & NIST SP 800-63B Standards)
1. Purpose
The purpose of this policy is to establish secure standards for the creation, management, and protection of usernames and passwords to safeguard M&K Data Consult's information assets. The controls below are intended to align with recognized security frameworks, specifically ISO/IEC 27001:2022 and NIST SP 800-63B.
2. Scope
This policy applies to:
- All employees, contractors, consultants, interns, and third parties who access M&K Data Consult’s systems or networks.
- All devices, systems, databases, and applications owned, managed, or operated by M&K Data Consult.
3. Policy Objectives
- To ensure user accounts are uniquely identifiable and traceable.
- To enforce strong password practices that minimize unauthorized access.
- To align authentication controls with ISO and NIST best practices.
4. Username Standards
- Each user shall be assigned or choose a unique username for system identification and audit tracking.
- Usernames should follow a consistent naming format such as firstname.lastname or firstinitial.lastname, using only letters, digits, and the dot separator (no other special characters).
- Shared or generic accounts are prohibited, except in exceptional cases approved by Security Management.
- System or service accounts must be clearly identifiable and managed under IT supervision.
5. Password Creation Requirements
Passwords must comply with the following minimum standards:
- Length: At least 12 characters (preferably 14 or more).
- Complexity: Must include at least:
- One uppercase letter (A–Z)
- One lowercase letter (a–z)
- One numeric digit (0–9)
- One special character (e.g., !@#$%^&*?)
- Restrictions:
- Must not contain the username, first name, or company name.
- Must not reuse any of the last 5 passwords.
- Must not include easily guessable terms such as “password”, “1234”, or “admin”, and must not appear in a known-breached password list (NIST SP 800-63B recommends checking new passwords against such a blocklist).
- Recommendation: Use a passphrase combining random words, e.g., BlueRiver!Travel2025.
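The following validator is an added example, not part of the original policy text, showing how the Section 5 rules can be enforced at password-set time. It assumes the user's username and first name are available to the checker, that the password history is kept as salted PBKDF2-HMAC-SHA256 hashes (a stand-in for whatever hashing the real identity system uses), and it uses a small constructed blocklist and a constructed set of company-name tokens in place of a real breached-password list and the organisation's actual naming data.

```python
import hashlib
import hmac
import os

# Policy parameters from Section 5 (minimum length, history depth) plus a
# small CONSTRUCTED blocklist standing in for a real breached-password list.
MIN_LENGTH = 12
HISTORY_DEPTH = 5
PBKDF2_ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256
BLOCKLIST = {"password", "1234", "admin", "qwerty", "letmein", "welcome"}
# Assumed tokens for the company name; adjust to the organisation's real names.
COMPANY_TERMS = {"m&k", "mkdata", "dataconsult", "m&kdata"}


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, digest) suitable for the password-history table.

    History entries are kept hashed so exact reuse can be detected without
    retaining plaintext (Section 6: administrators must never see passwords).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def _matches(password, salt, digest, iterations=PBKDF2_ITERATIONS):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def check_password(password, username, first_name, history, company_terms=COMPANY_TERMS):
    """Validate a candidate password against Section 5.

    Returns a list of violation codes; an empty list means the password is
    acceptable. `history` is a list of (salt, digest) tuples, newest last.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    if not any(c.isupper() for c in password):
        violations.append("uppercase")
    if not any(c.islower() for c in password):
        violations.append("lowercase")
    if not any(c.isdigit() for c in password):
        violations.append("digit")
    # Any non-alphanumeric character (including a space) counts as "special";
    # the policy's list is illustrative, not exhaustive.
    if not any(not c.isalnum() for c in password):
        violations.append("special")

    lowered = password.lower()
    if username and username.lower() in lowered:
        violations.append("username")
    if first_name and first_name.lower() in lowered:
        violations.append("first_name")
    if any(term in lowered for term in company_terms):
        violations.append("company_name")
    if any(term in lowered for term in BLOCKLIST):
        violations.append("blocklist")

    # Only the last HISTORY_DEPTH entries count, and only exact reuse can be
    # detected: the history holds hashes, so "Spring2024!" versus "Spring2025!"
    # passes this check. A breached-password list lookup is the stronger
    # control and is only approximated here by the small BLOCKLIST.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if _matches(password, salt, digest):
            violations.append("history")
            break
    return violations
```

Because the history is hashed, the reuse check can only catch an identical password; near-duplicates (an incremented year or trailing digit) slip through, which is one reason NIST SP 800-63B puts more weight on the breach-list check than on rotation or history rules.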
6. Password Management and Storage
- Passwords must never be written down, emailed, or shared.
- Passwords must be stored only in approved password managers that encrypt their vaults with AES-256 (or an equivalent approved cipher).
- All passwords transmitted over the network must be protected with TLS 1.2 or later; legacy SSL and earlier TLS versions are not acceptable.
- IT administrators must not view or disclose user passwords under any circumstance.
7. Password Expiration and Change
- Passwords must be changed every 90 days. (NIST SP 800-63B no longer recommends forced periodic rotation; this interval is retained as an organisational control, and a change is always required on evidence of compromise as described below.)
- Temporary passwords must be changed upon first login.
- Users must change passwords immediately if:
- They suspect compromise or phishing activity.
- They detect unauthorized access to their account.
8. Multi-Factor Authentication (MFA)
- MFA is mandatory for all privileged accounts (e.g., administrators, managers, and financial users).
- MFA should be enabled for cloud services, email, and remote access systems.
- Acceptable MFA methods include:
- One-time passwords (OTP) via authenticator apps
- Hardware tokens or smart cards
- Biometric authentication
9. Default and Vendor Passwords
- All default passwords provided by vendors or manufacturers must be changed before systems go live.
- Systems with unchanged default passwords will be disabled until corrected.
10. Account Lockout and Recovery
- Accounts shall lock after five (5) failed login attempts.
- Locked accounts can only be reactivated by authorized IT personnel.
- Password recovery or reset must require identity verification through approved security procedures.
11. Monitoring and Audit
- The IT Department will regularly monitor password compliance through automated tools and audits.
- Any detected policy violations or suspicious activities must be reported immediately to the Information Security Officer.
12. Enforcement
Non-compliance with this policy may result in disciplinary action, including suspension of system access, formal warnings, or termination, depending on the severity of the violation.
13. Policy Review
This policy shall be reviewed annually or following significant organizational, regulatory, or technological changes.
Approved by:
[Your Name]
[Position] M&K Data Consult
Date: […../…../…..]