12. Password Management Procedure and Policy

Summary

In today’s digital age, safeguarding sensitive information is paramount to maintaining the integrity and security of our company’s operations. Passwords play a critical role in protecting our systems, data, and user accounts from unauthorized access.  

To ensure that we maintain the highest standards of security, our company has implemented a comprehensive password policy. This policy outlines the necessary guidelines and best practices for creating, managing, and maintaining secure passwords.  

By adhering to these standards, we can collectively mitigate risks and contribute to a safer digital environment for our organization. 

Scope

This procedure applies to all WBN Staff, contractors, and third-party users with access to WorkBetterNow’s systems and confidential information. It also applies to all company and personal devices used for work. 

1. Password Management

1.1 Office 365 Account 

  • The IT team creates an account with a one-time-use password for each WBN staff member, contractor, or third party. Users must change that password at first login and enroll multi-factor authentication for the account, with the Microsoft Authenticator app as the primary method and a phone number as the secondary method. 
  • Existing users who need a password reset must raise a ticket, and the IT team will help them reset the password. 

1.2 HubSpot 

All users with access to HubSpot must use Single Sign-On. This means they can log in using their Office 365 credentials without the need to create another password. 

1.3 1Password 

1Password provides a robust and user-friendly platform for storing and organizing passwords, ensuring that all access credentials are encrypted and protected.   

This tool enables our employees to generate strong, unique passwords for each application and service, significantly reducing the risk of unauthorized access.   

By adopting 1Password, we are committed to maintaining the highest standards of cybersecurity and protecting the sensitive information that is vital to our operations.  

  • All users are provided with a 1Password account during their training so that they can generate a unique, random password every time one is needed. 
  • 1Password generates complex passwords of the required length with a mix of uppercase letters, lowercase letters, numbers, and special characters. 
  • All users must use 1Password to generate, store, and share passwords for all WBN systems and applications they access for work purposes. 
  • All users must install the 1Password browser extension to facilitate the above-mentioned process. 
  • The IT team monitors 1Password account usage and may contact users directly to enforce this policy. 
  • After a session has been idle for more than 15 minutes, 1Password locks, and the user must re-enter the 1Password account password to regain access to the application. 

3. Password Controls

  • WorkBetterNow does not allow the use of third parties or unprotected (clear text) electronic mail messages to disseminate passwords. 
  • For multi-factor authentication on users' devices, the IT Team configures the following two factors: the Microsoft Authenticator app and a phone number. 
  • Critical IT infrastructure and application passwords shall be changed immediately in the following scenarios: 
    • A change of role or responsibilities that changes the user's login credentials 
    • Disclosure of a password during troubleshooting 
    • A password is leaked or compromised 
    • The user leaves the organization, in which case all passwords the user had access to shall be changed 
  • Users shall refrain from using the same passwords for business and non-business purposes. 
  • Passwords must not be displayed when being entered in the input box. 
  • Users must not share authentication credentials with anyone and must not write them anywhere in an insecure way to avoid misuse by malicious users. 
  • Users must not reuse previously used passwords. 
  • The IT Team shall apply a proper user authentication and password management procedure for all users and administrators on all system components, which will include:   
    • Control addition, removal / disable, and modification of user IDs, credentials, and other identifier objects. 
    • Verify user identity before performing password resets.
    • Set first-time passwords to a unique value for each user and change immediately after the first use.
    • Immediately revoke access for any terminated users.
    • Remove/disable inactive user accounts at least every 90 days.
    • Enable accounts used by vendors for remote maintenance only for the required period of time.
    • Change user passwords at least every 180 days for all O365 accounts.
    • Password complexity requirements must be enforced through 1Password. 
    • Set the account lockout duration to a minimum of 30 minutes or until an administrator re-enables the user ID.
    • Authenticate all access to any database containing customer data. This includes access by applications, administrators, and all other users.
    • Passwords must be changed if there is any suspicion that the password could be compromised. The user must get in touch with the IT helpdesk to explain the situation and get the password changed.
    • Provide proper user awareness training to all the users (including third-party vendor employees, contract employees, and the people who have access to customer data) to ensure that all users follow password procedures and policies.  
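As an added worked example (this script is not part of the WorkBetterNow policy and is not Microsoft's own code), the following Microsoft Graph PowerShell script reports Office 365 accounts that fall outside the two time-based controls above (no sign-in within 90 days, password not changed within 180 days) and, only when run with -Disable, disables the inactive ones. It assumes the Microsoft.Graph PowerShell SDK is installed and that the operator has consented to the User.Read.All, AuditLog.Read.All, and User.ReadWrite.All permissions; the parameter names, the output fields, and the choice to treat a never-used account as inactive once it is older than the threshold are this example's own assumptions.

```powershell
# Added example: not part of the WBN policy or the Microsoft Graph documentation.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the operator holds
# User.Read.All, AuditLog.Read.All (needed for signInActivity) and User.ReadWrite.All.
# Thresholds default to the policy's values: 90 days inactive, 180 days password age.
#Requires -Modules Microsoft.Graph.Users

[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 90,
    [int]$PasswordAgeDays = 180,
    [switch]$Disable   # without this switch the script only reports
)

Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'User.ReadWrite.All' -NoWelcome

$now            = Get-Date
$inactiveCutoff = $now.AddDays(-$InactiveDays)
$pwdCutoff      = $now.AddDays(-$PasswordAgeDays)

# signInActivity is only returned when explicitly selected; filter client-side
$users = Get-MgUser -All -Property 'id,userPrincipalName,accountEnabled,userType,createdDateTime,lastPasswordChangeDateTime,signInActivity'

$findings = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }   # already disabled, nothing to do

    # Most recent of interactive and non-interactive sign-in; $null if never signed in
    $lastSignIn = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    # Assumption: an account that has never signed in counts as inactive once it is
    # older than the threshold, so freshly created accounts are not disabled prematurely
    $inactive = if ($lastSignIn) { $lastSignIn -lt $inactiveCutoff } else { $u.CreatedDateTime -lt $inactiveCutoff }
    $stalePwd = [bool]($u.LastPasswordChangeDateTime -and $u.LastPasswordChangeDateTime -lt $pwdCutoff)

    if ($inactive -or $stalePwd) {
        [pscustomobject]@{
            UserPrincipalName  = $u.UserPrincipalName
            UserType           = $u.UserType
            LastSignIn         = $lastSignIn
            LastPasswordChange = $u.LastPasswordChangeDateTime
            Inactive           = $inactive
            PasswordOverdue    = $stalePwd
        }
    }
}

$findings | Sort-Object LastSignIn | Format-Table -AutoSize

# Disable (not delete) inactive accounts, matching the "remove/disable" control;
# -WhatIf is honoured through SupportsShouldProcess
if ($Disable) {
    foreach ($f in ($findings | Where-Object Inactive)) {
        if ($PSCmdlet.ShouldProcess($f.UserPrincipalName, 'Disable inactive account')) {
            Update-MgUser -UserId $f.UserPrincipalName -AccountEnabled:$false
        }
    }
}
```

Run the script once without -Disable to review the report, then with -Disable -WhatIf to see which accounts would be touched, and only then with -Disable. Two caveats: reading signInActivity requires the AuditLog.Read.All permission and, in tenants I have worked with, a Microsoft Entra ID P1 or P2 license; and the report flags overdue passwords but does not force a change, because the 180-day rotation is better applied as a tenant password-expiration setting than by script.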

4. Electronic Signatures

For the employees who are authorized to use electronic signatures:

  • A service ticket is raised with the IT Team, along with approval from the department head to create an electronic signature. 
  • In the IT service ticket, the user and approval of the manager act as an identity verification for the individual user prior to establishing, assigning, or certifying an individual’s electronic signature or any element of such signature. 
  • The IT Team creates the signature and provides it to the respective user with instructions on how to use it, or adds the signature to PandaDoc, our electronic signature application. 
  • The IT Team maintains a digital record of the electronic signatures, and of handwritten signatures applied to electronic records, linked to their respective electronic records in PandaDoc, our electronic signature application, and on our Legal SharePoint site, which has limited access. 
  • Signed electronic records contain the following information associated with the signing and electronic signature in a human-readable format: 
    • printed name of the signer 
    • the date and time when the signature was executed 
    • the meaning of the signature (e.g., review, approval, responsibility, authorship). 

Under no circumstance can a user use or create an electronic signature without the appropriate authorization of the IT team and/or the signature owner. 

The Director of Technology is the owner of this document and is responsible for ensuring that this policy document is reviewed in line with the review requirements stated above. 
 
A current version of this document is available to all staff members under the policies content section in Trainual. 
