Company Name:
Effective Date:
Policy Owner:
Approved By:
Chief Information Security Officer:
1.1 This policy defines the Organization's requirements for the creation, management, protection, and periodic review of passwords and authentication credentials used to access all information systems, applications, networks, and services. The policy is aligned with NIST SP 800-63B Digital Identity Guidelines, ISO 27001 access control requirements, and industry best practices for identity and access management. The objective is to ensure that authentication mechanisms provide an appropriate level of assurance that only authorised individuals can access the Organization's information assets, commensurate with the sensitivity and criticality of the systems and data being protected.
1.2 This policy applies to all employees, contractors, consultants, temporary workers, interns, and third-party users who authenticate to any of the Organization's information systems, applications, networks, or services, whether using passwords, passphrases, PINs, multi-factor authentication tokens, biometric identifiers, single sign-on credentials, or any other credential-based authentication mechanism. The policy covers authentication to on-premises systems, cloud-hosted services, remote access environments, mobile applications, and any third-party services integrated with the Organization's identity management infrastructure. Compliance with this policy is mandatory and is a condition of access to the Organization's information resources.
1.3 The Chief Information Security Officer shall be responsible for defining authentication standards, evaluating and approving authentication technologies, monitoring compliance with this policy, and ensuring that authentication controls are proportionate to the risk profile of each system and data classification level. The CISO shall delegate day-to-day management of authentication infrastructure to the Identity and Access Management team within the IT department. The IAM team shall administer the Organization's identity provider, directory services, multi-factor authentication platform, and privileged access management solution. The CISO shall review authentication-related security incidents, compliance metrics, and technology developments on a quarterly basis and shall recommend updates to this policy where necessary.
2.1 Passwords for all standard user accounts shall be a minimum of 14 characters in length and shall incorporate characters from at least three of the following four categories: uppercase letters, lowercase letters, numbers, and special characters. Passwords for privileged accounts, including system administrator, root, and service accounts, shall be a minimum of 20 characters. In accordance with NIST SP 800-63B guidelines, passwords shall be screened against a list of commonly used passwords, dictionary words, repetitive or sequential character strings, context-specific words such as the Organization's name or the user's name, and passwords known to have been compromised in previous data breaches. The IT department shall implement automated password screening at the point of creation and reset to enforce these requirements and shall update the breached password database at least quarterly.
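The screening rules in 2.1, worked through as an added example that is not part of the policy template: a Python function that checks the 14/20-character minimums, the three-of-four category rule, repetitive or sequential runs, context-specific words, and membership in a breached-password list. The organization name "Acme", the usernames, and both denylists are constructed placeholders; a real deployment would load a curated common-password list and a breach corpus refreshed at least quarterly.

```python
import hashlib
import re

# Constructed sample denylists standing in for the real, regularly updated
# common-password list and breached-password database required by 2.1.
COMMON_PASSWORDS = {"password", "welcome1", "letmein", "qwerty123456789"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("Summer2024!Summer2024!", "P@ssw0rd12345678")}
CONTEXT_WORDS = {"acme", "acmecorp"}  # assumed Organization name (placeholder)

STANDARD_MIN, PRIVILEGED_MIN = 14, 20
# The four character categories; a password must draw from at least three.
CATEGORIES = [str.isupper, str.islower, str.isdigit,
              lambda c: not c.isalnum() and not c.isspace()]


def _has_sequence(s, run=4):
    """True if `run` consecutive characters are identical, or step by +1/-1
    in code-point order (e.g. 'aaaa', 'abcd', '4321')."""
    lower = s.lower()
    for i in range(len(lower) - run + 1):
        chunk = lower[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def screen_password(candidate, username, privileged=False):
    """Return the list of 2.1 violations; an empty list means acceptable."""
    problems = []
    minimum = PRIVILEGED_MIN if privileged else STANDARD_MIN
    if len(candidate) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if sum(any(f(c) for c in candidate) for f in CATEGORIES) < 3:
        problems.append("fewer than three character categories")
    lower = candidate.lower()
    if lower in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if _has_sequence(candidate):
        problems.append("repetitive or sequential characters")
    # Context-specific words: the organization name plus the user's name and
    # its components (split on common separators, ignoring very short parts).
    parts = re.split(r"[.@_-]", username.lower())
    context = CONTEXT_WORDS | {username.lower()} | {w for w in parts if len(w) >= 3}
    if any(w in lower for w in context):
        problems.append("contains organization or user name")
    # Breach check against a hash set so plaintext breach data is never kept.
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("found in breached password database")
    return problems
```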
2.2 Users shall not reuse any of their previous 12 passwords when creating a new password. The Organization shall enforce password history through technical controls in the identity management system. In alignment with current NIST guidance, the Organization shall not impose arbitrary periodic password rotation requirements for standard accounts unless there is evidence or suspicion of credential compromise. However, passwords for privileged accounts shall be rotated at least every 90 days. Passwords shall be changed immediately upon any suspicion of compromise, notification from the IT department, or following a security incident that may have exposed credentials. Users shall not share, disclose, or lend their passwords to any other person, whether inside or outside the Organization, including IT support personnel. IT support staff shall never request a user's password; password resets shall be performed through the Organization's self-service password reset portal or through a verified identity process at the IT Help Desk.
2.3 Passwords shall not be stored in plain text in any form, including written notes, sticky notes, unencrypted digital files, spreadsheets, email messages, or browser auto-fill features unless protected by an Organization-approved password manager. Users who require a password management tool to manage multiple credentials shall use only the Organization-approved enterprise password manager, which encrypts all stored credentials using AES-256 or equivalent encryption and requires multi-factor authentication for access. The IT department shall deploy and support the approved password manager across all Organization-managed devices. System and application passwords shall be stored in the Organization's privileged access management vault, which provides encrypted storage, automated rotation, session recording, and audit logging for all privileged credential usage.
3.1 Multi-factor authentication shall be mandatory for access to all Organization systems, applications, and services that contain, process, or transmit Confidential or Restricted data as defined in the Organization's Data Management Policy. MFA shall also be required for all remote access connections including VPN, remote desktop, and cloud service access from outside the Organization's managed network, all privileged account access including system administrator, root, and database administrator accounts, all access to the Organization's email system, all access to the Organization's cloud infrastructure management consoles, and any system or application designated as critical in the Organization's business impact assessment. The Organization's MFA implementation shall support multiple authentication factors and shall not rely on SMS-based one-time passwords as a primary second factor due to known vulnerabilities in the SMS channel.
3.2 The Organization shall support the following approved multi-factor authentication methods, listed in order of security assurance from highest to lowest: FIDO2/WebAuthn-compliant hardware security keys, which shall be the preferred method for privileged accounts and high-security environments; authenticator applications generating time-based one-time passwords compliant with RFC 6238, deployed through the Organization's approved authentication application; push notifications through the Organization's approved mobile authentication application with number matching or contextual verification; and biometric authentication where supported by the device hardware and the application, in combination with a knowledge or possession factor. SMS-based one-time passwords shall be used only as a fallback method where no other option is available and shall be phased out as alternative methods are deployed. The IT department shall provide all employees with at least one hardware security key and shall ensure the Organization's MFA platform supports backup and recovery mechanisms for lost or damaged authentication devices.
3.3 Users shall register at least two distinct authentication factors during initial MFA enrolment to ensure continued access in the event of loss, damage, or failure of a primary authentication device. Backup authentication factors shall be stored securely and shall not both rely on the same physical device. Recovery codes, where generated, shall be stored in the Organization's approved password manager and not in plain text. In the event that a user loses access to all registered authentication factors, account recovery shall require identity verification by the IT Help Desk through a multi-step verification process that includes at least two forms of identity confirmation, such as manager verification, government-issued photo identification, or answers to pre-registered security questions. The IT department shall log all MFA recovery events and shall report unusual patterns to the CISO for investigation.
4.1 All privileged accounts, including system administrator accounts, root accounts, database administrator accounts, network device administrator accounts, cloud infrastructure accounts, and service accounts, shall be managed exclusively through the Organization's privileged access management solution. The PAM solution shall enforce encrypted password vaulting with automatic rotation, just-in-time access provisioning where users check out privileged credentials for time-limited sessions, full session recording and keystroke logging for all privileged sessions, multi-factor authentication before any privileged credential checkout, and automated alerts for anomalous privileged account activity. Standing privileged access shall be eliminated wherever technically feasible, and all privileged access shall be provisioned on a just-in-time, least-privilege basis with defined time limits and automatic revocation.
4.2 Service accounts and application credentials used for system-to-system authentication shall be configured with strong, unique passwords of at least 30 characters, generated by the privileged access management solution and rotated automatically at least every 90 days. Service accounts shall be scoped to the minimum permissions required for their designated function and shall not be granted interactive login capability. Each service account shall have a designated owner within the IT department or the responsible business application team, and the owner shall certify the continued need for the account and the appropriateness of its permissions at least semi-annually. Unused or orphaned service accounts shall be identified through quarterly audits and disabled within 30 days of identification. The IT department shall maintain a complete inventory of all service accounts, their associated applications, and their designated owners.
4.3 All privileged access events, including credential checkouts, session initiations, commands executed during privileged sessions, and credential returns, shall be logged in tamper-resistant audit logs and monitored by the Information Security team through the Organization's SIEM platform. Automated alerts shall be configured for anomalous privileged access patterns, including access outside normal business hours, access from unusual locations or devices, excessive failed authentication attempts, and attempts to access systems outside the user's designated scope. The Information Security team shall investigate all triggered alerts within 4 hours and shall escalate confirmed or suspected incidents to the CISO. A monthly privileged access review report shall be prepared and presented to the CISO, covering privileged account usage statistics, anomaly investigations, access certification status, and any identified policy violations.
5.1 The IT department, in coordination with the Information Security team, shall conduct quarterly audits of password and authentication compliance across all Organization systems and user accounts. Audit scope shall include password strength and complexity compliance rates, MFA enrolment and usage rates across all required systems, privileged access management compliance including session recording coverage and just-in-time provisioning adoption, service account inventory accuracy and rotation compliance, and authentication-related security incident metrics. Audit results shall be compiled into a formal report and presented to the CISO and the IT Department Head. Departments or systems with compliance rates below 95% shall be required to implement remediation plans within 30 days.
5.2 Any violation of this policy, including but not limited to sharing or disclosing passwords, disabling or bypassing multi-factor authentication, misusing privileged access credentials, storing passwords in plain text, or failing to report suspected credential compromise, shall be subject to disciplinary action proportionate to the nature, severity, and impact of the violation. Disciplinary measures may include mandatory security retraining, temporary suspension of access privileges pending investigation, formal written warning, suspension from employment, or termination of employment. In cases where a violation results in a data breach or unauthorised access to critical systems, the Organization may pursue legal remedies. All disciplinary proceedings shall be coordinated between the IT department, the Information Security team, and Human Resources.
5.3 This policy shall be reviewed comprehensively at least once every 12 months by the CISO, in consultation with the IT department, the Identity and Access Management team, and Legal Counsel. Reviews shall assess the policy's alignment with current NIST SP 800-63 guidance, ISO 27001 requirements, and industry best practices, as well as the effectiveness of current authentication controls in the context of the evolving threat landscape. Interim reviews shall be triggered by significant authentication-related security incidents, the deployment of new authentication technologies, changes in regulatory requirements, or updates to referenced standards. Approved amendments shall be communicated to all users at least 14 calendar days before the effective date, and all users shall complete updated authentication training within 30 days of material policy changes.
A password and authentication policy is a formal document that defines an organization's requirements for creating, managing, and protecting the credentials used to verify user identity and grant access to information systems. It covers password complexity and length requirements, multi-factor authentication mandates, privileged access management, and the secure storage and handling of all authentication credentials.
Authentication is the front door to every information system, and weak or compromised credentials are the most common attack vector in data breaches. Verizon's Data Breach Investigations Report consistently identifies stolen or weak credentials as involved in the majority of hacking-related breaches. A formal password and authentication policy addresses this risk by establishing evidence-based standards that balance security with usability.
Modern authentication policies are informed by NIST SP 800-63B Digital Identity Guidelines, which have shifted away from arbitrary password rotation requirements and complexity rules in favour of longer passwords, breached password screening, and multi-factor authentication. ISO 27001 also requires organizations to implement a formal access control policy that includes authentication requirements proportionate to the sensitivity of the systems being protected.
A formal password and authentication policy is your organization's first line of defence against credential-based attacks, which remain the leading cause of data breaches globally. Without standardised authentication requirements, password practices default to individual habits — which typically means short, reused, and easily guessable passwords that provide minimal protection.
The case for strong authentication is overwhelming. Microsoft Security research indicates that multi-factor authentication blocks over 99% of automated credential attacks. NIST's updated guidance in SP 800-63B reflects decades of research showing that longer passwords, breached password screening, and MFA are far more effective than traditional approaches of forcing frequent rotation and complex character requirements.
Regulatory frameworks increasingly mandate specific authentication controls. PCI DSS requires multi-factor authentication for access to cardholder data environments. HIPAA requires unique user identification and authentication mechanisms proportionate to the risk. GDPR's requirement for appropriate technical measures is widely interpreted to include MFA for systems processing personal data. A documented authentication policy demonstrates compliance with these requirements.
Privileged access management is a particularly critical component. Privileged accounts — system administrators, database administrators, and service accounts — provide the highest level of access to an organization's infrastructure. Compromised privileged credentials can result in complete system compromise. A policy that mandates vaulting, just-in-time provisioning, and session recording for privileged accounts significantly reduces this risk.
An effective password and authentication policy contains four core components that together establish a robust identity verification framework.
The first component is Password Requirements. This defines minimum length, complexity, history, and screening requirements for passwords. Modern policies aligned with NIST guidance prioritise length over complexity, require screening against breached password databases, and avoid arbitrary rotation requirements for standard accounts.
The second component is Multi-Factor Authentication. This mandates MFA for access to sensitive systems, remote access, and privileged accounts. It defines the approved authentication methods — hardware security keys, authenticator applications, and push notifications — and requires users to register backup factors.
The third component is Privileged Access Management. This addresses the enhanced controls required for administrator and service accounts, including password vaulting, automated rotation, just-in-time provisioning, and session recording. Privileged accounts carry the highest risk and require the strongest controls.
The fourth component is Compliance and Enforcement. This defines the audit program for authentication compliance, the consequences of policy violations, and the review cycle for updating authentication standards in response to evolving threats and technology.
Implementing this password and authentication policy requires a phased approach that upgrades your organization's authentication infrastructure while minimising disruption to users.
Step one: assess your current state. Audit your existing password and authentication practices, including current password policies, MFA coverage, privileged account management, and service account inventory. Identify the gaps between your current state and the requirements defined in this policy.
Step two: deploy MFA. If you have not already implemented multi-factor authentication, this is the highest-impact control you can deploy. Start by mandating MFA for privileged accounts, remote access, and email, then expand to all systems containing Confidential or Restricted data. Distribute hardware security keys to all employees.
Step three: update password policies. Configure your identity provider and directory services to enforce the password requirements defined in this policy, including minimum 14-character length, breached password screening, and 12-password history. Remove arbitrary rotation requirements for standard accounts while implementing 90-day rotation for privileged accounts.
Step four: implement privileged access management. Deploy a PAM solution for all administrative and service accounts. Configure password vaulting, just-in-time checkout, session recording, and automated rotation. Eliminate standing privileged access wherever technically feasible.
Step five: train and communicate. Conduct training for all employees on the new password requirements, MFA usage, and the rationale behind the changes. Provide clear instructions for setting up MFA, registering backup factors, and using the organization's approved password manager.