Password Policy

Purpose

ACS Technologies Group, Inc. ("ACST") employees are required to use a company-provided password manager (1Password), which helps them manage passwords and keep them private. The password manager can suggest strong passwords and help you change them periodically. As methods used by malicious parties grow in sophistication, system passwords are the first line of defense.

The IT department does not have a way of knowing passwords.

Typically, a Systems Admin can reset your password, but they cannot retrieve your forgotten password. If you suspect that a password has been compromised, report the incident to the 1-843-413-8200 hotline and change it immediately.

Scope and Applicability

This policy applies to all ACST systems.

Policy

Password Expiration, Length, and Complexity

  • User account passwords must be changed at least every 90 days and must be a minimum of 10 alphanumeric characters.

  • System account passwords must be changed at least once per year, and must be a minimum of 20 alphanumeric characters.

  • Passwords cannot be any of the previous (8) passwords.

  • Passwords cannot contain (3) or more sequential characters from the subject's username, full name, or email address.

  • Passwords must also contain three of the four following characteristics:

    • an upper case character

    • a lower case character

    • a number

    • a symbol (special character)

Disabling

Passwords should only be disabled under direct written approval of the Chief Ventures Officer.

Sharing

  • Passwords must not be disclosed to anyone, with the exception of IT Staff when setting up new logins/machines. When a password is known by IT Staff, the password must be changed immediately.

  • In the event that an ACST employee or contractor believes their password has been compromised, they must immediately change their password.

  • No shared or group account which contains confidential data or is classified as a critical business asset for any ACST system is permitted. In cases where multiple people need access to the same system, each individual must have a unique username and password. If exceptions must be made, a risk assessment is performed and written approval from the Chief Ventures Officer is required prior to the exception being implemented. Those individuals with access to shared accounts will have limited access on a "need to know" basis. All use of such accounts must be logged and subject to an annual audit.

  • In the event that an employee who had access to a shared account or a shared vault of passwords leaves ACST, those passwords must be changed immediately.

  • Passwords are prohibited from being written down or stored electronically, unless in an encrypted form that is approved by the Chief Ventures Officer.

Assignment and Reset

  • Passwords are assigned only to users authorized to use specific systems.

  • Users requesting a password reset by phone, email or web must first verify their identity.

Privileged Access Accounts

Elevated privileges must never be associated with daily-use accounts. Accounts granting elevated or administrator-level access must be separate accounts, used only when necessary to perform system administration or higher-access tasks. When finished, users must log out of these accounts and resume using daily-use accounts for normal access.

Enforcement

Any employee found to be in violation of this policy may be subject to corrective action, up to and including termination of employment. Service Providers found to be in violation of this policy may be subject to penalties, up to and including termination of contract.

Variance Process

The Chief Ventures Officer is responsible for the review, documentation, and management of any and all exceptions to this policy.