wildthing
Quote:
Originally Posted by flipper35
I guess what I meant was an HR policy.
We are already 16 char complex, 90 days, no less than the last 10, can't reuse within 30 days to eliminate password recycling, we use Duo and MSAuthenticator for MFA.

What we want is a written policy that they will use MFA and use a password manager to create passwords for each site they go to. Specifically a policy in HR where there are consequences for not following the policy - for example password files or handwritten passwords to keep track.

At the moment, we can only tell people to not do bad things.

At my previous place, where I was director of IT, it was a no-questions-asked termination if you wrote your password down at your desk. That was in healthcare.

I've not seen this on an HR Policy/Employee Handbook. They simply reference a Security Policy. E.g. "All ACME employees are expected to follow the policies outlined in the Acme Data Privacy and Security Policy. Violations of this policy can result in disciplinary action and/or termination of employment." And then in that linked security policy document, you outline the ones you mentioned.
07-17-2024, 04:03 PM