Password Policy

2025.1

Reviewed: 12/2/2024
Updated: 12/2/2024

Purpose and Scope:

1. The Password Policy describes the procedure to select and securely manage passwords.
2. This policy applies to all employees, contractors, and any other personnel who have an account on any system that resides at any company facility or has access to the company network.

Controls and Procedures

Password Policy

1. Creation requirements
   a. Create passwords with at least 8 characters, both lowercase and capitalized, including at least one special character, one number, and spaces where supported by underlying application capability.
2. Rotation requirements
   a. All system-level passwords should be rotated on at least a quarterly basis. All employee passwords at the user-level should be rotated at least every six months.
   b. If a credential is suspected of being compromised, the password in question should be rotated immediately and the Infrastructure team should be notified.
3. Password protection
   a. All passwords are treated as confidential information and should not be shared with anyone. If you receive a request to share a password, deny the request and contact the system owner for assistance in provisioning an individual user account.
   b. Do not write down passwords, store them in emails, electronic notes, or mobile devices, or share them over the phone. It is required of all IMPLAN employees to store all credentials for work purposes within IMPLAN's approved password manager. If you must share a password, do so through the designated password manager.
   c. Do not use the "Remember Password" feature of applications and web browsers.
   d. If you suspect a password has been compromised, rotate the password immediately and notify Doug Kolpien, Director of Infrastructure and Technology.
4. Enforcement
   a. An employee or contractor found to have violated this policy may be subject to disciplinary action.