[Icemaster]

Does your company have an Acceptable Use policy? That will give you latitude to address things like the password behavior, what they're allowed to use company owned devices for, what they're allowed to do on the company network etc. Guidance is for them to be part of any new hire on-boarding documentation, review them annually and get them re-signed if there's updates made to them.

Security standards are where the specifics on password complexity should be housed, it sounds like you've got that covered pretty well, but your creating a bit of a hybrid policy combined with a procedure. Doable, but sometimes gets complicated.

Acceptable Use Policy is your best friend. Feel free to PM me if you want, cyber and security audit compliance is my day job.