
Password and Authentication Policy

Policy Status: Active

This policy is currently active.

Purpose

To enforce strong authentication practices, safeguarding access to Acme Corp's systems and data through secure password management and multi-factor authentication.

Scope

This policy applies to all accounts and systems within Acme Corp's technology environment, including all employees, contractors, and third-party users.

Policy Statement

Primary Authentication - Google Workspace SSO

Standard Access Method:

  • Google Workspace Single Sign-On (SSO) is the primary authentication mechanism for all approved applications
  • Two-factor authentication (2FA) is required for all Google Workspace accounts
  • SSO provides centralized authentication with enhanced security and audit capabilities
  • All new applications must integrate with Google Workspace SSO where technically feasible
  • Context-aware access policies enforce device compliance requirements

Password Requirements for Non-SSO Systems

Scope: The following password requirements apply to systems that cannot yet integrate with Google SSO, including legacy applications and shadow IT tools discovered during normal operations.

Password Complexity:

All passwords must meet the following requirements:

  • Contain a mix of uppercase letters, lowercase letters, numbers, and special characters
  • Not contain dictionary words, company name, or personal information
  • Not reuse previous passwords (last 5 passwords)
  • Be unique across different systems (no password reuse)

Password Length:

Passwords must have a minimum length of 12 characters for standard accounts and 16 characters for administrative or privileged accounts.
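The following checker is an added illustration of the complexity, length and reuse rules above, not tooling the policy or Acme Corp's IT team provides. The company name, the dictionary word list and the SHA-256 history fingerprint are constructed stand-ins for the lists and password-hash store a real deployment would maintain.

```python
import hashlib
import hmac
import re

# Constructed values: the policy names "company name" and "dictionary words"
# but lists neither, so these stand in for the real lists IT would maintain.
COMPANY_NAME = "acme"
DICTIONARY_WORDS = {"password", "welcome", "summer", "winter", "letmein"}

# Minimum length by account type, as stated in the policy.
MIN_LENGTH = {"standard": 12, "administrative": 16}
HISTORY_DEPTH = 5  # the last 5 passwords may not be reused


def fingerprint(password: str) -> str:
    """Hypothetical history store entry: a salted hash, never the password itself.
    A production system would use a slow password hash (bcrypt, scrypt, Argon2);
    SHA-256 keeps this example dependency-free."""
    return hashlib.sha256(b"history-salt:" + password.encode()).hexdigest()


def check_password(password, account_type, history, personal_info=()):
    """Return the list of policy violations; an empty list means acceptable.
    history: fingerprints of previous passwords, oldest first."""
    violations = []
    if len(password) < MIN_LENGTH[account_type]:
        violations.append(f"shorter than {MIN_LENGTH[account_type]} characters "
                          f"for {account_type} account")
    classes = [re.search(r"[A-Z]", password), re.search(r"[a-z]", password),
               re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password)]
    if not all(classes):
        violations.append("must mix uppercase, lowercase, digits and special characters")
    lowered = password.lower()
    if COMPANY_NAME in lowered:
        violations.append("contains company name")
    for word in sorted(DICTIONARY_WORDS):
        if word in lowered:
            violations.append(f"contains dictionary word '{word}'")
    if any(item and item.lower() in lowered for item in personal_info):
        violations.append("contains personal information")
    # Only the most recent HISTORY_DEPTH entries count towards the reuse rule.
    candidate = fingerprint(password)
    if any(hmac.compare_digest(candidate, h) for h in history[-HISTORY_DEPTH:]):
        violations.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return violations
```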

Two-Factor Authentication (2FA):

Two-factor authentication is required for:

  • All Google Workspace accounts (primary)
  • Administrative accounts on non-SSO systems
  • Any system containing sensitive or protected health information (PHI)
  • Systems identified as business-critical

Password Expiration:

  • Google Workspace passwords: Managed by Google Workspace security policies
  • Non-SSO system passwords: Updated every 90 days for standard accounts, 60 days for administrative accounts

Shadow IT and Unapproved Applications

Discovery and Reporting:

  • Employees must report any non-SSO tools or applications to IT when discovered
  • IT maintains an inventory of non-SSO systems with migration or exception status
  • Regular reviews are conducted to identify and address shadow IT usage
  • Migration to SSO-approved alternatives is prioritized based on risk and business impact

Secure Storage

  • Passwords must not be written down or shared with others
  • Passwords must not be stored in plain text files or unencrypted documents
  • Approved password managers may be used with IT approval
  • Password managers must use strong master passwords and 2FA

Roles and Responsibilities

  • IT Team: Enforce password complexity and rotation requirements, implement 2FA systems, monitor authentication logs
  • Employees: Follow secure password practices, report lost or compromised credentials immediately
  • Managers: Ensure team compliance, approve password manager usage requests
  • Security Team: Conduct password audits, identify weak passwords, review authentication failures

Procedures

1. Google Workspace Account Setup

  1. IT provisions Google Workspace account for new employees
  2. User receives invitation to set up account
  3. User enrolls in 2FA during initial Google Workspace setup
  4. SSO access automatically granted to approved applications

2. Password Reset (Google Workspace)

  1. Use Google account recovery process for self-service reset
  2. Contact IT helpdesk if additional assistance needed
  3. Verify identity through secondary authentication method
  4. 2FA remains active throughout reset process

3. Non-SSO System Access

  1. Request submitted through IT ticketing system
  2. Approval required with business justification
  3. IT provisions access with temporary password
  4. User must change password on first login
  5. Shadow IT tools reported during access request process

4. Compromised Credentials

  1. Report immediately to IT security team
  2. IT forces immediate password reset (Google Workspace or specific system)
  3. Review account activity for unauthorized access across all systems
  4. Document incident and remediation actions
  5. Update shadow IT inventory if applicable

5. Password Manager Approval

  1. Submit request to IT with specific tool name
  2. IT evaluates security features and Google Workspace integration
  3. Approval granted for enterprise-grade tools only
  4. Training provided on secure usage

Exceptions

Exception requests must include:

  • Specific technical limitation preventing compliance
  • Business justification
  • Compensating security controls
  • Approval from IT leadership and CISO
  • Regular review schedule (minimum quarterly)

Service accounts and system accounts may use long-term passwords if:

  • Stored in enterprise password vault
  • Access to vault is logged and audited
  • Passwords are 24+ characters
  • Changed annually or when personnel changes occur

Compliance and Enforcement

  • Monitoring: IT conducts quarterly password audits using automated tools
  • Weak Passwords: Users with weak passwords are notified and must change within 24 hours
  • Expired Passwords: Accounts with expired passwords are locked until reset
  • Multiple Failed Attempts: Accounts lock after 5 failed login attempts within 15 minutes
  • Violations: Failure to comply may result in account suspension and disciplinary action
  • Shared Credentials: Sharing passwords results in immediate account suspension and formal warning

References

  • NIST SP 800-63B: Digital Identity Guidelines
  • HIPAA Security Rule - Access Control (§164.312(a))
  • SOC 2 Trust Service Criteria - Logical Access Controls
  • CIS Controls v8 - Control 6: Access Control Management

Revision History

  • Version 1.0 (2025-11-08), IT Security Team: Initial version migrated from Notion

Document Control

  • Classification: Internal
  • Distribution: All system users
  • Storage: GitHub repository - policy-repository