Nexly Corporation - Password & Authentication Policy
1. Introduction & Purpose
This Password & Authentication Policy (the "Policy") establishes the standards and guidelines for creating, managing, and protecting user credentials, including passwords, multi-factor authentication (MFA) methods, and other authentication mechanisms used to access Nexly Corporation's ("Nexly" or the "Company") information systems, data, and resources. Nexly, located at 701 South Street Suite 100, Mountain Home, AR 72653, recognizes that strong authentication is critical to protecting its valuable assets and data from unauthorized access and cyber threats. This Policy is designed to:
- Protect Access to Systems and Data: Ensure that only authorized individuals can access Company systems and data.
- Minimize the Risk of Unauthorized Access: Reduce the risk of unauthorized access and data breaches resulting from weak or compromised credentials.
- Comply with Applicable Laws and Regulations: Comply with all applicable laws, regulations, and industry standards related to authentication and credential management.
- Promote Strong Authentication Practices: Promote the use of strong passwords, multi-factor authentication (MFA), and other secure authentication methods.
- Establish Clear Responsibilities: Define the roles and responsibilities of all Nexly employees, contractors, and other users regarding password and authentication management.
- Provide Guidelines and Procedures: Provide clear guidelines and procedures for creating, managing, and protecting user credentials.
- Foster Security Awareness: Educate users on the importance of strong authentication practices and the risks associated with weak or compromised credentials.
This Policy applies to all Nexly employees, contractors, vendors, and other individuals who access Company systems and data, including those using Company-owned devices and personal devices (BYOD). This Policy is to be read in conjunction with other Company policies, including, but not limited to, the Information Security Policy, the Data Privacy Policy, the Acceptable Use Policy, and the Mobile Device & BYOD Policy.
2. Definitions
For the purposes of this Policy, the following definitions apply:
- Credential: Information used to verify the identity of a user, such as a username, password, PIN, or biometric data.
- Password: A secret word, phrase, or sequence of characters used to authenticate a user.
- Multi-Factor Authentication (MFA): A security process requiring users to provide two or more means of identification.
- Authentication Factor: A method used to verify a user’s identity, which may include something the user knows (e.g., a password), something the user has (e.g., a security token), or something the user is (e.g., biometric data).
- Account Lockout: A security measure that temporarily disables a user account after a specified number of failed login attempts.
- Compromised Credential: A user credential that has been stolen, disclosed, or otherwise accessed by an unauthorized party.
- Unique Identifier: The identifier assigned to each employee and used to access systems.
3. Password Strength Requirements
Nexly Corporation requires all users to create and maintain strong passwords.
- 3.1. Password Complexity: All passwords must meet the following complexity requirements:
  - Length: Minimum of [Specify Number, e.g., 12] characters.
  - Character Types: Must include characters from at least [Specify Number, e.g., three] of the following four categories:
    - Uppercase letters (A-Z).
    - Lowercase letters (a-z).
    - Numbers (0-9).
    - Special characters (e.g., !, @, #, $, %, ^, &, *).
  - Prohibited Passwords: Avoid using easily guessable passwords, such as personal information (e.g., birthdates, names of family members or pets), dictionary words, or common phrases. Do not use sequential characters.
  - Password Managers: Nexly encourages the use of a password manager to securely generate, store, and manage passwords.
- 3.2. Password Changes:
  - Mandatory Changes: All passwords for systems and applications that handle sensitive data or offer privileged access must be changed at least every [Specify Timeframe, e.g., 90 days].
  - Password Reset: Reset passwords whenever a password may be compromised or when directed by the IT Department.
- 3.3. Password Storage:
  - Do Not Share: Do not share passwords with anyone, including colleagues, supervisors, or IT support personnel.
  - Do Not Write Down: Do not write down passwords or store them in an unencrypted format. If you must record a password, store it securely and out of view.
  - Password Reuse: Do not reuse passwords across multiple accounts.
- 3.4. Password Resets: The Company will reset a user's password at the user's request or when the Company determines that a reset is necessary.
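The complexity rules in section 3.1 can be enforced at the point where a password is set. The following is an added example, not Nexly's code or a tool it names; the constants 12 (minimum length), three (character categories) and the three-character run used to detect "sequential characters" are assumptions standing in for the bracketed [Specify Number] fields, and the prohibited-word list is a constructed sample rather than a real dictionary or breached-password list.

```python
"""Password complexity validator modelled on section 3.1 of the Policy.

Added example; the numeric thresholds below are assumed placeholder values
for the Policy's bracketed "[Specify Number]" fields.
"""
import string
from typing import Iterable

MIN_LENGTH = 12       # assumed value for "[Specify Number, e.g., 12]"
MIN_CATEGORIES = 3    # assumed value for "[Specify Number, e.g., three]"
SEQUENCE_LEN = 3      # assumed: 3+ consecutive characters (abc, 321) count as sequential

# Constructed sample. A deployment would load a dictionary / breached-password
# list here and add the user's own profile data (names, birthdates) at call time.
PROHIBITED_WORDS = {"password", "welcome", "qwerty", "nexly", "letmein"}

SPECIAL = set(string.punctuation)  # covers !, @, #, $, %, ^, &, * and the rest


def character_categories(pw: str) -> set:
    """Return which of the four Policy categories the password draws from."""
    cats = set()
    for ch in pw:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isdigit():
            cats.add("digit")
        elif ch in SPECIAL:
            cats.add("special")
    return cats


def has_sequential_run(pw: str, run: int = SEQUENCE_LEN) -> bool:
    """True if `run` adjacent letters/digits step by exactly +1 or -1
    (e.g. 'abc', 'CBA', '123'). Case-insensitive."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if not window.isalnum():
            continue
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def contains_prohibited_word(pw: str, personal_info: Iterable[str] = ()):
    """Return the first prohibited word or personal-info fragment found, else None.
    Fragments shorter than three characters are ignored to avoid matching noise."""
    low = pw.lower()
    candidates = sorted(PROHIBITED_WORDS) + [p.lower() for p in personal_info]
    for word in candidates:
        if len(word) >= 3 and word in low:
            return word
    return None


def validate_password(pw: str, personal_info: Iterable[str] = ()) -> list:
    """Return a list of Policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    cats = character_categories(pw)
    if len(cats) < MIN_CATEGORIES:
        problems.append(f"uses {len(cats)} of 4 character categories; need {MIN_CATEGORIES}")
    word = contains_prohibited_word(pw, personal_info)
    if word:
        problems.append(f"contains prohibited word '{word}'")
    if has_sequential_run(pw):
        problems.append("contains sequential characters")
    return problems


if __name__ == "__main__":
    for candidate in ["password123", "Tr0ub4dor&3x!Ok"]:
        print(candidate, "->", validate_password(candidate) or "OK")
```

The `personal_info` argument is how the "birthdates, names of family members or pets" rule can be applied: the caller passes whatever profile data it holds for the user, and the validator rejects passwords containing it.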
4. Multi-Factor Authentication (MFA)
Nexly Corporation requires the use of multi-factor authentication (MFA) for all systems and applications that access sensitive data or offer privileged access.
- 4.1. MFA Implementation: MFA will be implemented using a variety of methods:
  - Two-Factor Authentication: Authenticate using two separate factors, which may include, but are not limited to, something you know (a password), something you have (e.g., a security token or mobile device), or something you are (e.g., biometric data).
  - Authentication Apps: Using authentication apps (e.g., Google Authenticator, Microsoft Authenticator) to generate time-based one-time passwords (TOTP).
  - Hardware Tokens: Using hardware tokens, such as physical security keys or smart cards.
- 4.2. MFA Enrollment: All users must enroll in MFA for all required systems and applications. The IT Department will provide instructions.
- 4.3. Security Best Practices:
  - Prompt Use: Always use MFA when prompted.
  - Protect Device: Secure your mobile device.
  - Report Issues: Report any issues to IT.
5. Account Management
Nexly Corporation will implement procedures for managing user accounts to ensure secure access.
- 5.1. Account Creation:
  - Approval: User accounts will be created only after proper authorization from the appropriate manager or department head.
  - Account Provisioning: Accounts will be provisioned promptly and securely.
  - Unique Identifiers: Each employee will have a unique identifier.
- 5.2. Account Access:
  - Least Privilege: Users will be granted only the minimum necessary access to systems and data.
  - Role-Based Access Control: Access rights will be assigned based on job roles and responsibilities.
- 5.3. Account Termination:
  - Timely Termination: User accounts will be disabled or deleted promptly upon termination of employment or a change in job responsibilities.
  - Account Review: User account access privileges will be reviewed regularly to ensure they are appropriate.
  - Change Management: Access rights should be updated to reflect changes in job responsibilities and access requirements.
- 5.4. Account Lockout:
  - Failed Login Attempts: Account lockout will be implemented to prevent unauthorized access through brute-force attacks. Accounts will be locked after [Specify Number, e.g., 5] failed login attempts.
  - Password Reset: Users can reset their password or have their account unlocked after being locked out, following the Company's password reset procedures.
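Section 5.4 describes a lockout counter. The following is an added example of how such a counter behaves, not Nexly's code or any product it uses; the threshold of 5 is an assumed value for the Policy's "[Specify Number, e.g., 5]", and the 15-minute automatic unlock and the one-hour window over which failures are counted are assumptions the Policy does not state. The clock is injectable so the behaviour can be exercised offline without waiting.

```python
"""Account lockout tracker modelled on section 5.4 of the Policy.

Added example. MAX_FAILED_ATTEMPTS is an assumed placeholder for the Policy's
"[Specify Number, e.g., 5]"; the lockout duration and counting window are
assumptions not stated in the Policy.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MAX_FAILED_ATTEMPTS = 5            # assumed value for "[Specify Number, e.g., 5]"
LOCKOUT_SECONDS = 15 * 60          # assumed: a locked account reopens after 15 minutes
ATTEMPT_WINDOW_SECONDS = 60 * 60   # assumed: failures older than one hour no longer count


class ManualClock:
    """Test clock: time only moves when .advance() is called."""
    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)   # timestamps of recent failures
    locked_until: Optional[float] = None


class LockoutTracker:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if self._clock() >= st.locked_until:      # lockout period has elapsed
            st.locked_until = None
            st.failures.clear()
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Record one failed attempt; returns True if this attempt locked the account."""
        now = self._clock()
        st = self._state(user)
        st.failures = [t for t in st.failures if now - t < ATTEMPT_WINDOW_SECONDS]
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILED_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, user: str) -> None:
        self._state(user).failures.clear()

    def admin_unlock(self, user: str) -> None:
        """The IT-driven unlock / password-reset path described in 5.4."""
        self._accounts[user] = AccountState()

    def attempt_login(self, user: str, password_ok: bool) -> str:
        """Return 'locked', 'ok' or 'failed'. A locked account is rejected before
        the password verdict is consulted, so a lockout does not leak whether
        the supplied password was right."""
        if self.is_locked(user):
            return "locked"
        if password_ok:
            self.record_success(user)
            return "ok"
        self.record_failure(user)
        return "locked" if self.is_locked(user) else "failed"


if __name__ == "__main__":
    clock = ManualClock()
    tracker = LockoutTracker(clock=clock)
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(tracker.attempt_login("alice", password_ok=False))
    print(tracker.attempt_login("alice", password_ok=True))   # still locked
    clock.advance(LOCKOUT_SECONDS)
    print(tracker.attempt_login("alice", password_ok=True))   # ok
```

Rejecting a locked account before checking the password is the detail worth copying: if the lock were applied only after a wrong password, the response would still reveal whether the guess was correct.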
6. Security Best Practices
All users must follow these security best practices:
- 6.1. Protecting Credentials: Keep your credentials confidential and protect them from unauthorized access.
- 6.2. Phishing Awareness: Be vigilant against phishing attacks. Do not click on suspicious links or open attachments from unknown senders. Report suspicious emails to the IT Department.
- 6.3. Device Security: Secure all devices that are used to access Company systems and data. Follow the requirements in the Mobile Device & BYOD Policy. [Link to Mobile Device and BYOD Policy].
- 6.4. Public Access: Avoid entering passwords, using your unique ID, or accessing secure information on public computers or networks, unless you can ensure a secure session.
- 6.5. Reporting Suspicious Activity: Report any suspected security incidents, including compromised credentials, immediately to the IT Department.
7. Policy Compliance and Enforcement
Compliance with this Password & Authentication Policy is mandatory for all users of Nexly Corporation systems and data.
- 7.1. Employee Responsibilities: All users are responsible for:
  - Complying with the requirements of this Policy.
  - Taking steps to protect their credentials.
  - Reporting any security incidents.
- 7.2. Consequences of Non-Compliance: Failure to comply with this Policy may result in disciplinary action, up to and including termination of employment or contract.
8. Policy Review & Amendments
This Password & Authentication Policy will be reviewed and updated regularly to ensure its continued effectiveness.
- Review Frequency: This Policy will be reviewed at least [Specify Frequency, e.g., annually] or more frequently as needed, such as in response to changes in technology, the threat landscape, or industry best practices.
- Review Process: The review process will involve:
  - Input from Stakeholders: Seeking input from relevant stakeholders, including the Information Security Department, IT Department, and other key personnel.
  - Assessment of Effectiveness: Assessing the effectiveness of the Policy and its implementation.
  - Industry Trends and Compliance: Analyzing and implementing industry standards and legal requirements.
- Policy Amendments and Communication: Any amendments to this Policy will be approved by [Specify Approving Authority, e.g., the Board of Directors or the Executive Leadership Team] and communicated to all users through [Specify Communication Channels, e.g., company-wide email, intranet posting, training sessions].
- Policy Ownership: The Information Security Department, with support from the IT Department, is responsible for maintaining and updating this Policy.
**Acknowledgement:** By accessing and using any Nexly Corporation systems and data, all employees, contractors, and other users are deemed to acknowledge that they have read, understood, and agree to abide by the terms and conditions outlined in this Password & Authentication Policy.