[{"data":1,"prerenderedAt":481},["ShallowReactive",2],{"document-password-policy-D13563":3},{"document":4,"label":23,"preview":11,"thumb":24,"thumb600":25,"description":5,"descriptionCustom":6,"apiDescription":5,"pages":8,"extension":10,"parents":26,"breadcrumb":30,"related":38,"customDescModule":171,"customdescription":6,"mdFm":172,"mdProseHtml":480},{"description":5,"descriptionCustom":6,"label":7,"pages":8,"size":9,"extension":10,"preview":11,"thumb":12,"svgFrame":13,"seoMetadata":14,"parents":16,"keywords":15},"PASSWORD POLICY EFFECTIVE DATE: [DATE] PURPOSE The purpose of this Password Policy is to establish guidelines for creating strong, secure passwords and to ensure the confidentiality, integrity, and availability of [COMPANY NAME]'s information systems and data. SCOPE This Policy applies to all employees, contractors, vendors, and third-party entities granted access to [COMPANY NAME]'s information systems, networks, applications, and data. PASSWORD CREATION Complexity: Passwords must meet the following complexity requirements: Minimum length of [NUMBER] characters. Use of a combination of upper-case letters, lower-case letters, numbers, and special characters. Avoid Common Words: Passwords must not include easily guessable information such as names, birthdates, words found in dictionaries, or simple sequences (e.g., \"123456\" or \"qwerty\"). PASSWORD SECURITY Uniqueness: Each account must have a unique password. Password reuse across multiple systems or accounts is not allowed. Frequency of Change: Passwords must be changed at least every [NUMBER] days. Avoid Sharing: Passwords must not be shared with others, including colleagues, friends, or family members. No Writing Down: Passwords must not be written down or stored in plain text form. 
MULTI-FACTOR AUTHENTICATION (MFA) ",null,"Password Policy","2",513,"doc","https://templates.business-in-a-box.com/imgs/1000px/password-policy-D13563.png","https://templates.business-in-a-box.com/imgs/250px/13563.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#13563.xml",{"title":15,"description":6},"password policy",[17,20],{"label":18,"url":19},"Human Resources","/templates/human-resources/",{"label":21,"url":22},"Company Policies","/templates/company-policies/","Password Policy Template","https://templates.business-in-a-box.com/imgs/400px/13563.png","https://templates.business-in-a-box.com/imgs/600px/13563.png",[27,17,20],{"label":28,"url":29},"Templates","/templates/",[31,32,35],{"label":28,"url":29},{"label":33,"url":34},"Software & Technology","/templates/software-technology/",{"label":36,"url":37},"Cybersecurity Policies","/templates/cybersecurity-policies/",[39,43,47,51,55,59,63,67,71,75,79,83,87,102,119,133,146,158],{"label":40,"url":41,"thumb":42,"extension":10},"AI Policy","/template/ai-policy-D13598","https://templates.business-in-a-box.com/imgs/250px/13598.png",{"label":44,"url":45,"thumb":46,"extension":10},"Application Policy","/template/application-policy-D13439","https://templates.business-in-a-box.com/imgs/250px/13439.png",{"label":48,"url":49,"thumb":50,"extension":10},"Attendance Policy","/template/attendance-policy-D12625","https://templates.business-in-a-box.com/imgs/250px/12625.png",{"label":52,"url":53,"thumb":54,"extension":10},"Backup Policy","/template/backup-policy-D13249","https://templates.business-in-a-box.com/imgs/250px/13249.png",{"label":56,"url":57,"thumb":58,"extension":10},"Billing Policy","/template/billing-policy-D13603","https://templates.business-in-a-box.com/imgs/250px/13603.png",{"label":60,"url":61,"thumb":62,"extension":10},"Branding 
Policy","/template/branding-policy-D13606","https://templates.business-in-a-box.com/imgs/250px/13606.png",{"label":64,"url":65,"thumb":66,"extension":10},"Cancellation Policy","/template/cancellation-policy-D12627","https://templates.business-in-a-box.com/imgs/250px/12627.png",{"label":68,"url":69,"thumb":70,"extension":10},"Complaint Policy","/template/complaint-policy-D12631","https://templates.business-in-a-box.com/imgs/250px/12631.png",{"label":72,"url":73,"thumb":74,"extension":10},"Cookie Policy","/template/cookie-policy-D13174","https://templates.business-in-a-box.com/imgs/250px/13174.png",{"label":76,"url":77,"thumb":78,"extension":10},"Credit Policy","/template/credit-policy-D12633","https://templates.business-in-a-box.com/imgs/250px/12633.png",{"label":80,"url":81,"thumb":82,"extension":10},"Disability Policy","/template/disability-policy-D12635","https://templates.business-in-a-box.com/imgs/250px/12635.png",{"label":84,"url":85,"thumb":86,"extension":10},"Diversity Policy","/template/diversity-policy-D12636","https://templates.business-in-a-box.com/imgs/250px/12636.png",{"description":88,"descriptionCustom":6,"label":89,"pages":90,"size":9,"extension":10,"preview":91,"thumb":92,"svgFrame":93,"seoMetadata":94,"parents":96,"keywords":95,"url":101},"ACCEPTABLE USE POLICY OVERVIEW This Acceptable Use Policy governs the use and security of all information and computer equipment from [COMPANY NAME]. It also covers the use of email, the internet, voice and mobile computing equipment. This policy applies to all information, in any form, relating to the business activities of [COMPANY NAME] worldwide, and to all information processed by [COMPANY NAME] about other organizations with which it deals. This policy also covers all IT and information communication facilities operated by or on behalf of [COMPANY NAME]. 
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of [COMPANY NAME]. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations. [COMPANY NAME] is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly. It is the responsibility of every [COMPANY NAME] computer user to know these guidelines, and to conduct their activities accordingly. PURPOSE The purpose of this policy is to outline the acceptable use of computer equipment at [COMPANY NAME]. These rules are in place to protect the employee and [COMPANY NAME]. Inappropriate use exposes [COMPANY NAME] to risks including virus attacks, compromise of network systems and services, and legal issues. SCOPE This policy applies to employees, contractors, consultants, temporary workers and other workers of [COMPANY NAME], including all personnel affiliated with third parties. This policy applies to all equipment owned or leased by [COMPANY NAME]. It also applies to the use of information, electronic and computer equipment and network resources to conduct business activities or interact with internal networks and business systems, whether owned or leased by [COMPANY NAME], the employee or a third party. All employees, contractors, consultants, temps and other workers of [COMPANY NAME] and its subsidiaries are responsible for exercising judgment with respect to the appropriate use of information, electronic devices and network resources in accordance with [COMPANY NAME] policies and standards and local laws and regulations. INDIVIDUAL'S RESPONSIBILITY Access to the [COMPANY NAME] IT systems is controlled by the use of User IDs, passwords and/or tokens. 
All User IDs and passwords are to be uniquely assigned to named individuals and consequently, individuals are accountable for all actions on the [COMPANY NAME] IT systems. Individuals must not: Allow anyone else to use their user ID/token and password on any [COMPANY NAME] IT system. Leave their user accounts logged in at an unattended and unlocked computer. Use someone else's user ID and password to access [COMPANY NAME]'s IT systems. Leave their password unprotected (for example writing it down). Perform any unauthorised changes to [COMPANY NAME]'s IT systems or information. Attempt to access data that they are not authorised to use or access. Exceed the limits of their authorisation or specific business need to interrogate the system or data. Connect any non-[COMPANY NAME]-authorised device to the [COMPANY NAME] network or IT systems. Store [COMPANY NAME] data on any non-authorised [COMPANY NAME] equipment. Give or transfer [COMPANY NAME] data or software to any person or organisation outside [COMPANY NAME] without the authority of [COMPANY NAME]. Line managers must ensure that individuals receive clear directives on the extent and limits of their authority over computer systems and data. INTERNET AND EMAIL The use of the internet and email of [COMPANY NAME] is intended for professional purposes. Personal use is permitted when it does not affect the individual's professional performance, does not in any way harm [COMPANY NAME], does not violate any terms and conditions of employment and does not place the individual or [COMPANY NAME] in violation of legal or other obligations. All individuals are therefore responsible for their actions on the internet as well as when using email systems. Individuals must not: Use the internet or email for harassment or abuse. Use blasphemies, obscenities or disrespectful remarks in communications. 
Access, upload, send or receive data (including images) that [COMPANY NAME] considers offensive in any way, including sexually explicit, discriminatory, defamatory or libelous material. Use the internet or email to make personal gains or run a personal business. Use the internet or email to play. Use email systems in a way that could affect their reliability or efficiency, for example by distributing chain letters or spam. Place on the internet any information relating to [COMPANY NAME], modify any information concerning it or express any opinion on [COMPANY NAME], unless they are expressly authorized to do so. Send sensitive or confidential information that is not protected to the outside world. Use of unsolicited email originating from within [COMPANY NAME]'s networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by [COMPANY NAME] or connected via 's network. Forward business email to personal email accounts (for example, Gmail account). Make official commitments by internet or email on behalf of [COMPANY NAME], unless authorized to do so. Download copyrighted material such as music media files (MP3), films and videos (non-exhaustive list) without appropriate approval. In any way, violate copyright, database rights, trademarks or other intellectual property rights. Download any software from the internet without the prior consent of the IT department. Connect [COMPANY NAME] devices to the internet using non-standard connections. GENERAL USE OWNERSHIP [COMPANY NAME] proprietary information stored on electronic and computing devices whether owned or leased by [COMPANY NAME], remains the sole property of [COMPANY NAME]. You must ensure through legal or technical means that proprietary information is protected in accordance with the data protection standards. You have a responsibility to promptly report the theft, loss or unauthorized disclosure of [COMPANY NAME] proprietary information. 
You may access, use or share [COMPANY NAME] proprietary information only to the extent it is authorized and necessary to perform the tasks assigned to you. ","Acceptable Use Policy","7","https://templates.business-in-a-box.com/imgs/1000px/acceptable-use-policy-D12622.png","https://templates.business-in-a-box.com/imgs/250px/12622.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#12622.xml",{"title":95,"description":6},"acceptable use policy",[97,99],{"label":18,"url":98},"human-resources",{"label":21,"url":100},"company-policies","/template/acceptable-use-policy-D12622",{"description":103,"descriptionCustom":6,"label":104,"pages":105,"size":9,"extension":10,"preview":106,"thumb":107,"svgFrame":108,"seoMetadata":109,"parents":111,"keywords":110,"url":118},"NON-DISCLOSURE AGREEMENT (NDA) This Non-Disclosure Agreement (the \"Agreement\") is made and effective [DATE], BETWEEN: [YOUR COMPANY NAME] (the \"Disclosing Party\"), a corporation organized and existing under the laws of the [State/Province] of [STATE/PROVINCE], with its head office located at: [YOUR COMPLETE ADDRESS] AND: [RECEIVING PARTY NAME] (the \"Receiving Party\"), an individual with his main address located at OR a corporation organized and existing under the laws of the [State/Province] of [STATE/PROVINCE], with its head office located at: [COMPLETE ADDRESS] WHEREAS, Receiving Party has been or will be engaged in the performance of work on [DESCRIBE]; and in connection therewith will be given access to certain confidential and proprietary information; and WHEREAS, Receiving Party and Disclosing Party wish to evidence by this Agreement the manner in which said confidential and proprietary material will be treated. NOW, THEREFORE, it is agreed as follows: NON-DISCLOSURE OF CONFIDENTIAL INFORMATION Both Parties understand and agree that each Party may have access to the confidential information of the other party. 
For the purposes of this Agreement, \"Confidential Information\" means proprietary and confidential information about the Disclosing Party's (or its suppliers') business or activities. Such information includes all business, financial, technical, and other information marked or designated by such Party as \"confidential\" or \"proprietary.\" Confidential Information also includes information which, by the nature of the circumstances surrounding the disclosure, ought in good faith to be treated as confidential. For the purposes of this Agreement, Confidential Information does not include: Information that is currently in the public domain or that enters the public domain after the signing of this Agreement. Information a Party lawfully receives from a third Party without restriction on disclosure and without breach of a non-disclosure obligation. Information that the Receiving Party knew prior to receiving any Confidential Information from the Disclosing Party. Information that the Receiving Party independently develops without reliance on any Confidential Information from the Disclosing Party. Each Party agrees that it will not disclose to any third Party or use any Confidential Information disclosed to it by the other Party except when expressly permitted in writing by the other Party. Each Party also agrees that it will take all reasonable measures to maintain the confidentiality of all Confidential Information of the other Party in its possession or control. TERM The term of this Agreement is [number] of [years/months] from the date of execution by both Parties. TITLE The Receiving Party agrees that all Confidential Information furnished by the Disclosing Party shall remain the sole property of the Disclosing Party. 
DISCLAIMER","Non Disclosure Agreement Nda","3","https://templates.business-in-a-box.com/imgs/1000px/non-disclosure-agreement-nda-D12692.png","https://templates.business-in-a-box.com/imgs/250px/12692.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#12692.xml",{"title":110,"description":6},"non disclosure agreement nda",[112,115],{"label":113,"url":114},"Legal Agreements","business-legal-agreements",{"label":116,"url":117},"Confidentiality Agreements","confidentiality-agreement","/template/non-disclosure-agreement-nda-D12692",{"description":120,"descriptionCustom":6,"label":121,"pages":122,"size":123,"extension":10,"preview":124,"thumb":125,"svgFrame":126,"seoMetadata":127,"parents":128,"keywords":131,"url":132},"Employee Handbook Understanding employment at [YOUR COMPANY NAME] Revised on [DATE] Prepared By: [YOUR NAME] [YOUR JOB TITLE] Phone 555.555.5555 Email info@yourbusiness.com www.yourbusiness.com Table of Content Table of Content 2 Welcome to [YOUR COMPANY NAME]! 5 1. Organization Description 6 1.1 Introductory Statement 6 1.2 Customer Relations 6 1.3 Products and Services Provided 7 1.4 Facilities and Location(s) 7 1.5 The History of [YOUR COMPANY NAME] 7 1.6 Management Philosophy 7 1.7 Goals 8 2. The Employment 9 2.1 Nature of Employment 9 2.2 Employee Relations 9 2.3 Equal Employment Opportunity 10 2.4 Diversity 10 2.5 Business Ethics and Conduct 12 2.6 Personal Relationships in the Workplace 13 2.7 Conflicts of Interest 13 2.8 Outside Employment 14 2.9 Non-Disclosure 15 2.10 Disability Accommodation 16 2.11 Job Posting and Employee Referrals 17 2.12 Whistleblower Policy 18 2.13 Accident and First Aid 20 3. Employment Status and Records 21 3.1 Employment Categories 21 3.2 Access to Personnel Files 22 3.3 Personnel Data Changes 23 3.4 Probation Period 23 3.5 Employment Applications 24 3.6 Performance Evaluation 24 3.7 Job Descriptions 25 3.8 Salary Administration 25 3.9 Professional Development 26 4. 
Employee Benefit Programs 27 4.1 Employee Benefits 27 4.2 Vacation Benefits 27 4.3 Military Service Leave 29 4.4 Religious Observance 29 4.5 Holidays 29 4.6 Workers Insurance 30 4.7 Sick Leave Benefits 31 4.8 Bereavement Leave 32 4.9 Relocation Benefits 33 4.10 Educational Assistance 33 4.11 Health Insurance 34 4.12 Life Insurance 35 4.13 Long Term Disability 35 4.14 Marriage, Maternity and Parental Leave 36 5. Timekeeping / Payroll 40 5.1 Timekeeping 40 5.2 Paydays 40 5.3 Employment Termination 41 5.4 Administrative Pay Corrections 42 6. Work Conditions and Hours 43 6.1 Work Schedules 43 6.2 Absences 43 6.3 Jury Duty 45 6.4 Use of Phone and Mail Systems 45 6.5 Smoking 46 6.6 Meal Periods 46 6.7 Overtime 46 6.8 Use of Equipment 47 6.9 Telecommuting 47 6.10 Emergency Closing 48 6.11 Business Travel Expenses 49 6.12 Visitors in the Workplace 51 6.13 Computer and Email Usage 51 6.14 Internet Usage 52 6.15 Workplace Monitoring 54 6.16 Workplace Violence Prevention 55 7. Employee Conduct & Disciplinary Action 57 7.1 Employee Conduct and Work Rules 57 7.2 Sexual and Other Unlawful Harassment 58 7.3 Attendance and Punctuality 60 7.4 Personal Appearance 60 7.5 Return of Property 61 7.6 Resignation and Retirement 61 7.7 Security Inspections 62 7.8 Progressive Discipline 62 7.9 Problem Resolution 64 7.10 Workplace Etiquette 65 7.11 Suggestion Program 67 Acknowledgement of Receipt 68 Welcome to [YOUR COMPANY NAME]! On behalf of your colleagues, we welcome you to [YOUR COMPANY NAME] and wish you every success here. At [YOUR COMPANY NAME], we believe that each employee contributes directly to the growth and success of the company, and we hope you will take pride in being a member of our team. This handbook was developed to describe some of the expectations of our employees and to outline the policies, programs, and benefits available to eligible employees. 
Employees should become familiar with the contents of the employee handbook as soon as possible, for it will answer many questions about employment with [YOUR COMPANY NAME]. We believe that professional relationships are easier when all employees are aware of the culture and values of the organization. This guide will help you to better understand our vision for the future of our business and the challenges that are ahead. We hope that your experience here will be challenging, enjoyable, and rewarding. Again, welcome! [PRESIDENT NAME] President & CEO 1. Organization Description 1.1 Introductory Statement This handbook is designed to acquaint you with [YOUR COMPANY NAME] and provide you with information about working conditions, employee benefits, and some of the policies affecting your employment. You should read, understand, and comply with all provisions of the handbook. It describes many of your responsibilities as an employee and outlines the programs developed by [YOUR COMPANY NAME] to benefit employees. One of our objectives is to provide a work environment that is conducive to both personal and professional growth. No employee handbook can anticipate every circumstance or question about policy. As [YOUR COMPANY NAME] continues to grow, the need may arise and [YOUR COMPANY NAME] reserves the right to revise, supplement, or rescind any policies or portion of the handbook from time to time as it deems appropriate, in its sole and absolute discretion. Employees will be notified of such changes to the handbook as they occur. 1.2 Customer Relations Customers are among our organization's most valuable assets. Every employee represents [YOUR COMPANY NAME] to our customers and the public. The way we do our jobs presents an image of our entire organization. Customers judge all of us by how they are treated with each employee contact. Therefore, one of our first business priorities is to assist any customer or potential customer. 
Nothing is more important than being courteous, friendly, helpful, and prompt in the attention you give to customers. [YOUR COMPANY NAME] will provide customer relations and services training to all employees with extensive customer contact. Customers who wish to lodge specific comments or complaints should be directed to the [TITLE AND NAME OF THE PERSON RESPONSIBLE] for appropriate action. Our personal contact with the public, our manners on the telephone, and the communications we send to customers are a reflection not only of ourselves, but also of the professionalism of [YOUR COMPANY NAME]. Positive customer relations not only enhance the public's perception or image of [YOUR COMPANY NAME], but also pay off in greater customer loyalty and increased sales and profit. 1.3 Products and Services Provided You will find more information about our products and services by reading the [YOUR COMPANY NAME] Corporate Brochures. 1.4 Facilities and Location(s) Head Office: [ADDRESS] [CITY], [STATE] [ZIP/POSTAL CODE] [COUNTRY] 1.5 The History of [YOUR COMPANY NAME] [DESCRIBE THE HISTORY OF YOUR COMPANY HERE] 1.6 Management Philosophy [YOUR COMPANY NAME] management philosophy is based on responsibility and mutual respect. Our wish is to maintain a work environment that fosters personal and professional growth for all employees. Maintaining such an environment is the responsibility of every staff person. Because of their role, managers and supervisors have the additional responsibility to lead in a manner which fosters an environment of respect for each person. People who come to [YOUR COMPANY NAME] want to work here because we have created an environment that encourages creativity and achievement. [YOUR COMPANY NAME] aims to become a leader in [DESCRIBE YOUR COMPANY'S FIELD OF EXPERTISE]. The mainstay of our strategy will be to offer a level of client focus that is superior to that offered by our competitors. 
To help achieve this objective, [YOUR COMPANY NAME] seeks to attract highly motivated individuals that want to work as a team and share in the commitment, responsibility, risk taking, and discipline required to achieve our vision. Part of attracting these special individuals will be to build a culture that promotes both uniqueness and a bias for action. While we will be realistic in setting goals and expectations, [YOUR COMPANY NAME] will also be aggressive in reaching its objectives. This success will in turn enable [YOUR COMPANY NAME] to give its employees above average compensation and innovative benefits or rewards, key elements in helping us maintain our leadership position in the worldwide marketplace. 1.7 Goals [DESCRIBE YOUR COMPANY'S GOALS HERE] 2. The Employment 2","Employee Handbook","34",280,"https://templates.business-in-a-box.com/imgs/1000px/employee-handbook-D712.png","https://templates.business-in-a-box.com/imgs/250px/712.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#712.xml",{"title":6,"description":6},[129,130],{"label":18,"url":98},{"label":21,"url":100},"employee handbook","/template/employee-handbook-D712",{"description":134,"descriptionCustom":6,"label":135,"pages":136,"size":9,"extension":10,"preview":137,"thumb":138,"svgFrame":139,"seoMetadata":140,"parents":142,"keywords":141,"url":145},"REMOTE WORK AGREEMENT This Remote Work Agreement (the \"Agreement\") is effective [DATE], BETWEEN: [NAME OF THE EMPLOYER], (the \"Employer\" or \"Company\"), a Company organized and existing under the laws of the [State/Province] of [STATE/PROVINCE], with its head office located at: [COMPLETE ADDRESS] AND: [NAME OF THE EMPLOYEE], (the \"Employee\"), an individual with their main address located at: [COMPLETE ADDRESS] Collectively, the Employer and the Employee shall be referred to as the \"Parties.\" WHEREAS, the Company has made an offer to the Employee to work remotely in the capacity of [JOB TITLE] at the Company; NOW 
THEREFORE in consideration and as a condition of the Parties entering into this Agreement and other valuable considerations, the receipt and sufficiency of which consideration is acknowledged, the Parties agree as follows: APPOINTMENT The Company hereby offers the Employee appointment, and the Employee agrees to serve the Company to work remotely in the capacity of [JOB TITLE] as of [DATE] (the \"Effective Date\"). PROBATION PERIOD The Employee will be on a Probation Period for a period of [MONTHS/DAYS]. The Employee's confirmation as a permanent employee is subject to the Employee making a positive contribution to the Company and is further subject to meeting certain standards and qualifying criteria during the Probation Period. PLACE OF WORK The Employee shall perform their duties at the location of their choice. The Employee will report to the [SPECIFY THE DESIGNATION] on a needs basis in the following manner: [SPECIFY THE MANNER OF COMMUNICATION]. REMOTE WORK While working remotely, the Employee will remain accessible during the remote work. The Employee will check in with the supervisor to discuss status and open issues and be available for video/teleconferences, scheduled on an as-needed basis. The Employee will take rest and meal breaks while working remotely in full compliance with all applicable policies or collective bargaining agreements, and request supervisor approval to use vacation or sick leave. To ensure that the Employee's performance will not suffer in a remote work arrangement, the Employee is advised to choose a quiet and distraction-free working space, have an internet connection that is adequate for their job and dedicate their full attention to their job duties during working hours. Equipment. The Company will provide the Employee with equipment that is essential to their job duties, like laptops and headsets. The Employee will install VPN and company-required software when the Employee receives their equipment. 
The Employee must keep their equipment password protected, follow all data encryption, protection standards and settings, and refrain from downloading suspicious, unauthorized or illegal software. NOTICE PERIOD During the Probation Period, if the Employee's performance is found to be unsatisfactory or if it does not meet the prescribed criteria, the Employee's employment can be terminated by the Company with [NUMBER OF DAYS] days' notice or salary in lieu thereof. The Employee will be required to give [NUMBER OF MONTHS] months' notice or salary in lieu thereof in case the Employee decides to leave the Company. DUTIES The Employee shall perform all such duties as may be delegated by the Company and comply with all such directions as the Managing Director and/or his/her nominated deputies may from time to time assign or give to the Employee. [SPECIFY DUTIES] WORKING HOURS The total working hours will be [SPECIFY HOURS] hours on Mondays to Saturdays. It is expected that the Employee will be flexible with the working hours and work such additional hours as might be necessary to efficiently perform duties under this Agreement. The Company reserves the right to change the working days and the working hours. The Employee shall be entitled to leave and holidays as per the Leave Policy of the Company. In the event the Employee is absent from work and unable to perform duties satisfactorily by reason of any injury, illness or other reason acceptable to the Company, the Employee will be entitled to receive salary and other benefits for up to [NUMBER OF DAYS] consecutive working days during any such absence, within a period of 12 consecutive months. REMUNERATION The Employee's starting total monthly gross salary and during the Probation Period will be as per details in the annexure, hereinafter known as Exhibit A. 
Any bonus is subject to review in accordance with the Company's practice and policies from time to time; however, there shall be no obligation on the Company to increase the salary or award bonuses at any point in time, save and except at its sole discretion. The Company shall pay or refund or procure to be paid or refunded all reasonable travelling and other similar out-of-pocket expenses necessarily incurred by the Employee wholly in the proper performance of duties, subject to production by the Employee of such evidence of the expenses as the Company may reasonably require. The Employee will be required to fill in the claims forms in which the Employee shall provide the correct information of the expenses incurred. CONFIDENTIALITY AND INTELLECTUAL PROPERTY If at any time during the Employee's employment under this Agreement, the Employee participates in the making or discovery of any Intellectual Property directly or indirectly relating to or capable of being used by the Company, full details of the Intellectual Property shall immediately be disclosed in writing by the Employee to the Company and the Intellectual Property shall be the absolute property of the Company. At the request and expense of the Company, the Employee shall give and supply all such information, data, drawings, and assistance as may be necessary or in the opinion of the Company desirable to enable the Company to exploit the Intellectual Property to the best advantage as decided by the Company. The Employee shall execute all documents and do all things which may, in the opinion of the Company, be necessary or desirable for obtaining copyright, design or other protection for the Intellectual Property and for vesting the same in the Company, as the Company may direct. 
As Confidential Information will from time to time become known to the Employee, the Company considers and the Employee agrees that the restraints set forth in this Agreement are necessary for the reasonable protection by the Company of its business or the business of the Group, the clients thereof or their respective affairs. The Employee shall not at any time, either during the continuance of or after the termination of Employment with the Company, use, disclose or communicate to any person whatsoever any Confidential Information which the Employee has or of which he may have become possessed during employment with the Company nor shall he supply the names or addresses of any clients, customers, vendors or agents of the Company or any company of the Group to any person except as authorised by the Company or as ordered by a court of competent jurisdiction. The Employee consents to the Company holding and processing, both electronically and manually, the data it collects relating to the Employee in the course of employment, for the purpose of the Company's administration and management of its employees, its business and to comply with applicable procedures, laws and regulations. 
","Remote Work Agreement","8","https://templates.business-in-a-box.com/imgs/1000px/remote-work-agreement-D13282.png","https://templates.business-in-a-box.com/imgs/250px/13282.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#13282.xml",{"title":141,"description":6},"remote work agreement",[143,144],{"label":18,"url":98},{"label":21,"url":100},"/template/remote-work-agreement-D13282",{"description":147,"descriptionCustom":6,"label":148,"pages":105,"size":9,"extension":10,"preview":149,"thumb":150,"svgFrame":151,"seoMetadata":152,"parents":154,"keywords":153,"url":157},"TECHNOLOGY POLICY INTENT The primary intent of this Policy is to increase protection of Technology Resources to assure the usability and availability of those resources to all users at [COMPANY NAME] (the \"Company\"). The Policy also addresses privacy and usage guidelines for those who access the Company's Technology Resources. SCOPE The Company recognizes the vital role technology plays in effecting Company business as well as the importance of protecting information in all forms. As more information is being used and shared in digital format by authorized users, the need for an increased effort to protect the information and the Technology Resources that support it, is felt by the Company, and hence this Policy. Since a limited amount of personal use of these facilities is permitted by the Company for users, including computers, printers, email, software and Internet access, therefore, it is essential that these facilities are used responsibly by users, as any abuse has the potential to disrupt Company business and interfere with the work and/or rights of other users. It is therefore expected of all users to exercise responsible and ethical behavior while using the Company's technology facilities. DEFINITION Information Technology. 
Information Technology Resources for the purposes of this Policy include, but are not limited to, resources the Company owns or uses under license or contract, and devices not owned by the Company but intentionally connected to the Company's own Technology Resources, such as computer hardware, printers, fax machines, voicemail, software, email, and Internet and intranet access. User. Anyone who has access to the Company's Technology Resources, including but not limited to all employees, temporary employees, probationers, contractors, vendors, and suppliers. ACCESS CONTROL All the Company's computers that are either permanently or temporarily connected to the internal computer networks must have a password-based access control system. Regardless of network connections, all computers handling confidential information must also employ appropriate password-based access control systems. All in-bound connections to the Company's computers from external networks must be protected with an approved password or ID access control system. Modems may only be used after receiving the written approval of the IT Head and must be turned off when not in use. All access control systems must utilize user-IDs, passwords, and privilege restrictions unique to each user. Users are prohibited from logging into any Company system anonymously. To prevent unauthorized access, all vendor-supplied default passwords must be changed before use. Access to the server room is restricted with an RFID lock, and only recognized IT staff or someone with due authorization from the IT Head is permitted to enter the room. 
Users shall not make copies of system configuration files (e.g., passwords) for their own, unauthorized personal use or to provide to other users for unauthorized uses.","Technology Policy","https://templates.business-in-a-box.com/imgs/1000px/technology-policy-D13285.png","https://templates.business-in-a-box.com/imgs/250px/13285.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#13285.xml",{"title":153,"description":6},"technology policy",[155,156],{"label":113,"url":114},{"label":113,"url":114},"/template/technology-policy-D13285",{"description":159,"descriptionCustom":6,"label":160,"pages":105,"size":9,"extension":10,"preview":161,"thumb":162,"svgFrame":163,"seoMetadata":164,"parents":166,"keywords":169,"url":170},"DATA BREACH RESPONSE & NOTIFICATION POLICY INTRODUCTION The Data Breach Response and Notification Policy of [COMPANY NAME] outlines the procedures and responsibilities for responding to data breaches and ensuring that affected individuals and regulatory authorities are promptly and accurately informed. This Policy is designed to minimize the impact of data breaches, protect sensitive information, and comply with applicable data protection laws and regulations. PURPOSE The purpose of this Policy is to: Establish a framework for detecting, assessing, and responding to data breaches. Define the process for notifying affected individuals, regulatory authorities, and other relevant parties. Ensure that data breaches are managed in a transparent, responsible, and compliant manner. DEFINITIONS Data Breach: The unauthorized access, acquisition, use, disclosure, or destruction of personal or sensitive information that compromises its security, confidentiality, or integrity. DATA BREACH RESPONSE TEAM [COMPANY NAME] will establish a Data Breach Response Team (DBRT) consisting of designated individuals responsible for managing data breaches. The DBRT may include representatives from IT, Legal, HR, and other relevant departments. 
DETECTION AND ASSESSMENT The DBRT will promptly investigate and assess suspected or confirmed data breaches to determine their scope, impact, and severity. The assessment will include identifying the type of data involved, the number of affected individuals, potential risks, and applicable data protection regulations. CONTAINMENT AND MITIGATION ","Data Breach Response and Notification Policy","https://templates.business-in-a-box.com/imgs/1000px/data-breach-response-and-notification-policy-D13650.png","https://templates.business-in-a-box.com/imgs/250px/13650.png","https://templates.business-in-a-box.com/svgs/docviewerWebApp1.html?v6#13650.xml",{"title":165,"description":6},"data breach response and notification policy",[167,168],{"label":18,"url":98},{"label":21,"url":100},"data breach response notification policy","/template/data-breach-response-and-notification-policy-D13650",false,{"seo":173,"reviewer":185,"quick_facts":189,"at_a_glance":191,"personas":195,"variants":220,"glossary":247,"sections":278,"how_to_fill":329,"common_mistakes":365,"faqs":382,"industries":410,"comparisons":427,"diy_vs_pro":440,"educational_modules":453,"related_template_ids_curated":456,"schema":466,"classification":468},{"meta_title":174,"meta_description":175,"primary_keyword":176,"secondary_keywords":177},"Password Policy Template (Free Word)","Free password policy template for businesses. Covers password complexity, expiration, reuse rules, MFA, and enforcement. Used in 190+ countries. 
Free Word and PDF download.","password policy template",[178,179,180,181,182,183,184],"password policy example","company password policy","password policy for business","it security password policy template","password policy word template free","password management policy","information security password policy",{"name":186,"credential":187,"reviewed_date":188},"Bruno Goulet","CEO, Business in a Box","2026-05-02",{"difficulty":190,"legal_review_recommended":171,"signature_required":171},"medium",{"what_it_is":192,"when_you_need_it":193,"whats_inside":194},"A Password Policy is an internal governance document that sets the rules employees and systems must follow when creating, storing, sharing, and retiring passwords. This free Word download gives you a structured, ready-to-customize starting point covering complexity requirements, expiration schedules, multi-factor authentication, and enforcement procedures — editable online and exportable as PDF.\n","Use it when onboarding new employees, implementing an information security program, responding to a compliance audit (SOC 2, ISO 27001, HIPAA), or after a security incident that exposed credentials. 
Any organization that grants employees access to systems, applications, or data needs one in writing.\n","Purpose and scope, password complexity and length requirements, expiration and reuse rules, multi-factor authentication requirements, password storage and sharing prohibitions, procedures for compromised credentials, roles and responsibilities, and enforcement and disciplinary consequences.\n",[196,200,204,208,212,216],{"title":197,"use_case":198,"icon_asset_id":199},"IT managers and system administrators","Establishing enforceable technical standards for all user accounts","persona-it-manager",{"title":201,"use_case":202,"icon_asset_id":203},"Small business owners","Documenting security expectations before a compliance review or cyber insurance application","persona-small-business-owner",{"title":205,"use_case":206,"icon_asset_id":207},"HR managers","Incorporating password rules into onboarding documentation and employee handbooks","persona-hr-manager",{"title":209,"use_case":210,"icon_asset_id":211},"Compliance officers","Satisfying SOC 2, ISO 27001, HIPAA, or PCI-DSS password control requirements","persona-compliance-officer",{"title":213,"use_case":214,"icon_asset_id":215},"Startup founders","Establishing a security baseline before a Series A due-diligence review","persona-startup-founder",{"title":217,"use_case":218,"icon_asset_id":219},"Operations directors","Standardizing credential management across departments and third-party tools","persona-operations-director",[221,224,228,231,235,239,243],{"situation":222,"recommended_template":7,"slug":223},"General-purpose policy for a small to mid-size business","password-policy-D13563",{"situation":225,"recommended_template":226,"slug":227},"Covering the full scope of information security controls","Information Security Policy","information-security-policy-D13552",{"situation":229,"recommended_template":89,"slug":230},"Governing employee use of company devices and 
software","acceptable-use-policy-D12622",{"situation":232,"recommended_template":233,"slug":234},"Protecting sensitive data including access credentials","Data Protection Policy","customer-data-protection-policy-D13645",{"situation":236,"recommended_template":237,"slug":238},"Responding to a credential breach or cyber incident","Incident Response Plan","incident-response-plan-D13714",{"situation":240,"recommended_template":241,"slug":242},"Meeting SOC 2 Type II access-control requirements specifically","Access Control Policy","access-control-policy-D13534",{"situation":244,"recommended_template":245,"slug":246},"Onboarding and offboarding employee system access","IT Onboarding Checklist","checklist-customer-onboarding-D13615",[248,251,254,257,260,263,266,269,272,275],{"term":249,"definition":250},"Multi-Factor Authentication (MFA)","A login method that requires two or more verification factors — typically a password plus a one-time code — before granting access.",{"term":252,"definition":253},"Password Complexity","Rules requiring passwords to contain a minimum mix of uppercase letters, lowercase letters, numbers, and special characters.",{"term":255,"definition":256},"Password Expiration","A policy rule that forces users to change their password after a defined number of days — commonly 60, 90, or 180 days.",{"term":258,"definition":259},"Password Reuse Prohibition","A control that prevents users from setting a new password to one of their previous N passwords, typically the last 10–24.",{"term":261,"definition":262},"Credential Stuffing","An attack where stolen username-password pairs from one breach are automatically tested against other services to gain unauthorized access.",{"term":264,"definition":265},"Passphrase","A password made up of four or more random words (e.g., 'correct-horse-battery-staple') that is long enough to resist brute-force attacks while remaining memorable.",{"term":267,"definition":268},"Password Manager","A software application that 
generates, stores, and autofills strong unique passwords for each account, protected by a single master credential.",{"term":270,"definition":271},"Privileged Account","An account with elevated system rights — such as administrator or root access — that requires stricter password controls than standard user accounts.",{"term":273,"definition":274},"Single Sign-On (SSO)","An authentication method that lets users log in once to access multiple applications, reducing the number of passwords users must manage.",{"term":276,"definition":277},"Account Lockout Policy","A security control that disables an account after a defined number of failed login attempts, typically 5–10, to prevent brute-force attacks.",[279,284,289,294,299,304,309,314,319,324],{"name":280,"plain_english":281,"sample_language":282,"common_mistake":283},"Purpose and scope","Explains why the policy exists, which systems and data it protects, and which employees, contractors, and third parties it applies to.","This Password Policy applies to all employees, contractors, and vendors of [COMPANY NAME] who access any company system, application, or data. Its purpose is to protect the confidentiality and integrity of [COMPANY NAME]'s information assets by establishing minimum standards for credential creation and management.","Scoping the policy only to full-time employees. Contractors, vendors, and temporary staff with system access are equally high-risk and must be explicitly included.",{"name":285,"plain_english":286,"sample_language":287,"common_mistake":288},"Password creation requirements","Sets the minimum length, character-type mix, and prohibited patterns — such as the company name, dictionary words, or sequential numbers — for all user-created passwords.","All passwords must be at least [14] characters in length and include at least one uppercase letter, one lowercase letter, one number, and one special character. 
Passwords must not contain [COMPANY NAME], the user's name, or any sequence of three or more consecutive characters.","Setting a minimum length below 12 characters. NIST SP 800-63B guidance since 2017 recommends at least 8 characters at absolute minimum, but 14+ is the current industry standard for business accounts.",{"name":290,"plain_english":291,"sample_language":292,"common_mistake":293},"Password expiration and rotation","Defines how frequently passwords must be changed, whether expiration is role-based, and how the system notifies users before expiration.","Standard user passwords must be changed every [90] days. Privileged and administrator account passwords must be changed every [30] days. Users will receive a system notification [14] days before their password expires.","Mandating 30-day expiration for all accounts without exception. Overly frequent rotation encourages users to make minimal incremental changes (e.g., 'Password1' to 'Password2'), which is weaker than a longer rotation cycle with a stronger base password.",{"name":295,"plain_english":296,"sample_language":297,"common_mistake":298},"Password reuse and history","Prevents users from cycling back to a recently used password, specifying how many previous passwords the system will remember and block.","Users may not reuse any of their previous [12] passwords. The system will maintain a password history of [12] entries per account and will reject any password matching a stored entry.","Setting password history to fewer than 10 entries. 
With a 90-day rotation cycle and a history of only 5, a user can return to their original password within roughly 15 months.",{"name":300,"plain_english":301,"sample_language":302,"common_mistake":303},"Multi-factor authentication requirements","Specifies which account types and access scenarios require MFA, the accepted second-factor methods, and what happens when a user cannot complete MFA.","MFA is required for all remote access, all cloud-based applications, all privileged accounts, and any access to systems containing [CONFIDENTIAL / PII / FINANCIAL] data. Accepted second factors: authenticator app (preferred), hardware security key, or SMS one-time code (permitted where authenticator app is not available).","Making MFA optional rather than mandatory for remote access. A single compromised remote-access credential without MFA is among the most common entry points in ransomware incidents.",{"name":305,"plain_english":306,"sample_language":307,"common_mistake":308},"Password storage and sharing prohibitions","Prohibits writing passwords on paper, storing them in unencrypted files, and sharing them with colleagues — and requires use of an approved password manager.","Passwords must not be written on paper, stored in unencrypted files (including spreadsheets and email drafts), or shared with any other individual. All employees must use [APPROVED PASSWORD MANAGER] to store and generate passwords. Shared service account credentials must be managed through [VAULT / PAM TOOL].","Prohibiting password sharing without providing an approved alternative. 
Employees share credentials because they lack the tools not to — prohibiting sharing without mandating a password manager or PAM tool does not solve the problem.",{"name":310,"plain_english":311,"sample_language":312,"common_mistake":313},"Compromised credential procedures","Describes what to do when a user suspects their password has been exposed — who to notify, how quickly, and what immediate steps to take.","Any employee who suspects their password has been compromised must immediately notify [IT HELPDESK / SECURITY TEAM] at [CONTACT] and change the affected password within [2] hours. [COMPANY NAME] will review access logs for the affected account within [24] hours of notification.","Failing to specify a response time. A policy that says 'notify IT promptly' with no defined timeframe creates ambiguity about urgency — credential incidents must have hourly, not daily, response windows.",{"name":315,"plain_english":316,"sample_language":317,"common_mistake":318},"Roles and responsibilities","Assigns ownership of the policy — who enforces it, who audits compliance, who grants exceptions, and what obligations fall on individual users.","The IT Manager is responsible for technical enforcement and quarterly compliance audits. Department managers are responsible for ensuring all direct reports complete annual password security training. All users are responsible for maintaining the confidentiality of their credentials and complying with this policy.","Listing the IT department as solely responsible with no obligations placed on individual users. 
Employees who understand they are personally accountable are more likely to follow the policy.",{"name":320,"plain_english":321,"sample_language":322,"common_mistake":323},"Enforcement and disciplinary consequences","States what happens when the policy is violated — from first-offense warnings to termination for deliberate sharing or negligence — and references the company's broader disciplinary process.","Violations of this policy may result in disciplinary action up to and including termination of employment, in accordance with [COMPANY NAME]'s Employee Disciplinary Policy. Violations involving intentional sharing of credentials or deliberate circumvention of controls will be treated as a serious breach of security obligations.","Omitting consequences entirely and relying on vague language like 'non-compliance will be addressed.' Without stated consequences, the policy has no deterrent effect and is difficult to enforce consistently.",{"name":325,"plain_english":326,"sample_language":327,"common_mistake":328},"Policy review and update schedule","Defines how often the policy is reviewed, who owns the review, and under what circumstances an out-of-cycle update is triggered.","This policy will be reviewed annually by the IT Manager and [HR / Compliance Officer]. An out-of-cycle review will be triggered by any significant security incident, a change in applicable compliance requirements, or a material change in the company's technology environment.","Publishing the policy without a review date. A password policy without a review cycle becomes outdated as threat landscapes and compliance standards evolve — and an outdated policy can weaken a compliance defense.",[330,335,340,345,350,355,360],{"step":331,"title":332,"description":333,"tip":334},1,"Define the scope and list all in-scope systems","Enter the company name and explicitly list the categories of systems, applications, and data the policy covers. 
Include cloud tools, VPNs, email, and any third-party portals employees access with company credentials.","Conduct a quick system inventory before filling in the scope section — policies that vaguely reference 'all company systems' are harder to enforce and easier to argue around.",{"step":336,"title":337,"description":338,"tip":339},2,"Set password length and complexity requirements","Choose a minimum password length (14 characters is the current recommended baseline for business accounts) and specify required character types. List prohibited patterns explicitly — company name, username, sequential characters.","Consider allowing passphrases of 20+ characters as an alternative to complex shorter passwords. They are easier to remember and harder to crack.",{"step":341,"title":342,"description":343,"tip":344},3,"Choose expiration intervals by account type","Set different rotation schedules for standard users, privileged accounts, and service accounts. Privileged and admin accounts should rotate more frequently — every 30 days is common — while standard accounts at 90 days is widely accepted.","If you enforce MFA for all accounts, you can extend standard-user rotation to 180 days without meaningfully increasing risk — shorter cycles with weak password habits are worse than longer cycles with strong ones.",{"step":346,"title":347,"description":348,"tip":349},4,"Specify MFA requirements by access type","List every scenario that requires MFA: remote access, cloud applications, privileged accounts, and access to sensitive data categories. 
Name the approved second-factor methods and the fallback procedure when MFA fails.","Authenticator apps (Google Authenticator, Microsoft Authenticator) are more resistant to SIM-swapping attacks than SMS codes — list them as the preferred method.",{"step":351,"title":352,"description":353,"tip":354},5,"Name the approved password manager and vault tool","Insert the name of your organization's approved password manager for individual accounts and the privileged access management (PAM) tool for shared service accounts. Do not leave this section blank — employees will default to insecure alternatives if no approved tool is named.","If you have not yet selected a password manager, note that 1Password, Bitwarden, and Dashlane for Business are widely used business-grade options — pick one before publishing the policy.",{"step":356,"title":357,"description":358,"tip":359},6,"Set the compromised-credential response timeline","Enter specific hours — not 'promptly' or 'as soon as possible' — for how quickly users must report a suspected compromise and how quickly IT must respond. Two hours for user notification and 24 hours for IT log review are common benchmarks.","Reference your Incident Response Plan in this section so employees know how a password incident escalates into a broader security event if needed.",{"step":361,"title":362,"description":363,"tip":364},7,"Assign roles and sign off with the policy owner","Name the individual (by job title) responsible for policy enforcement, compliance audits, exception approvals, and annual review. 
Add the policy version number, effective date, and next review date in the document footer.","Version-number your policy (e.g., v1.0, v1.1) from the start — auditors and compliance reviewers expect to see a revision history, especially for SOC 2 or ISO 27001 evidence packages.",[366,370,374,378],{"mistake":367,"why_it_matters":368,"fix":369},"Setting password minimums below 12 characters","Passwords shorter than 12 characters can be cracked in hours using modern GPU-based tools, even when complexity rules are applied. A short policy provides a false sense of security.","Set a minimum of 14 characters for standard accounts and 20 for privileged accounts. Allow passphrases as an explicit alternative to meet the length threshold more easily.",{"mistake":371,"why_it_matters":372,"fix":373},"Mandating 30-day rotation for all accounts","Overly frequent rotation causes users to make predictable incremental changes — 'Summer2025!' becomes 'Fall2025!' — which is weaker than a strong password changed less often.","Follow NIST SP 800-63B guidance: require rotation only when there is evidence of compromise for standard accounts, or set 90-day cycles. Reserve 30-day rotation for privileged accounts.",{"mistake":375,"why_it_matters":376,"fix":377},"Making MFA optional for remote access","A single compromised remote-access credential without MFA is the entry point in a large share of ransomware and data breach incidents. 'Recommended' MFA is functionally no MFA.","Mandate MFA for all remote access, VPN, and cloud application logins with no opt-out. Provide approved second-factor methods and a clear enrollment deadline.",{"mistake":379,"why_it_matters":380,"fix":381},"Prohibiting password sharing without naming an approved alternative","Employees share credentials because they have no other way to access shared accounts or hand off work. 
Prohibition without an approved tool does not stop the behavior — it just makes it undocumented.","Name a specific approved password manager or PAM tool in the policy and make enrollment mandatory within a defined onboarding window.",[383,386,389,392,395,398,401,404,407],{"question":384,"answer":385},"What is a password policy?","A password policy is a written set of rules governing how employees create, manage, store, and retire passwords for company systems and applications. It specifies minimum length, complexity requirements, expiration schedules, reuse prohibitions, multi-factor authentication obligations, and the consequences for non-compliance. It forms a core component of any organization's information security program.\n",{"question":387,"answer":388},"What should a password policy include?","A complete password policy covers: scope (who and what it applies to), password creation requirements (length, complexity, prohibited patterns), expiration and rotation schedules by account type, reuse history limits, MFA requirements and accepted methods, storage and sharing prohibitions, compromised-credential response procedures, roles and responsibilities, and enforcement consequences. Missing any of these sections creates exploitable gaps.\n",{"question":390,"answer":391},"How long should passwords be according to current standards?","NIST SP 800-63B recommends a minimum of 8 characters as an absolute floor, but the current business standard is 12–16 characters for standard accounts and 20+ for privileged accounts. Longer passphrases — four or more random words — are explicitly endorsed by NIST as a strong alternative to shorter complex passwords. Many compliance frameworks now require at least 12 characters.\n",{"question":393,"answer":394},"How often should passwords expire?","NIST's 2017 guidance removed mandatory periodic rotation for standard accounts, recommending rotation only on evidence of compromise. 
In practice, most compliance frameworks (SOC 2, PCI-DSS, ISO 27001) still expect a defined rotation schedule. A 90-day cycle for standard accounts and 30-day cycle for privileged accounts is a widely accepted business baseline. Pair any rotation policy with MFA to reduce the risk that an expired-but-not-yet-rotated password is exploited.\n",{"question":396,"answer":397},"Is a password policy required for SOC 2 or ISO 27001 compliance?","Yes. SOC 2 Trust Services Criteria CC6.1 requires documented access control policies covering authentication standards. ISO 27001 Annex A control A.9.4 covers system and application access control, which auditors expect to see backed by a formal password policy. HIPAA's Technical Safeguard requirements and PCI-DSS Requirement 8 similarly mandate documented password standards. A well-maintained password policy is typically one of the first documents requested in any security audit.\n",{"question":399,"answer":400},"Should my password policy require multi-factor authentication?","Yes — for any access that can be reached remotely or that touches sensitive data. MFA reduces the risk of credential-based attacks by over 99% according to Microsoft and Google research. The policy should specify which account types and access scenarios require MFA, list approved second-factor methods, and set an enrollment deadline rather than leaving adoption voluntary.\n",{"question":402,"answer":403},"What is the difference between a password policy and an acceptable use policy?","A password policy focuses specifically on credential creation, storage, rotation, and authentication standards. An acceptable use policy (AUP) covers the broader set of rules governing how employees use company technology — devices, internet access, email, social media, and software. The two documents overlap on access control but serve different purposes. 
Organizations typically maintain both and cross-reference them.\n",{"question":405,"answer":406},"How do I enforce a password policy technically?","Most enforcement happens through Active Directory Group Policy Objects (GPOs) or cloud identity providers like Azure AD, Okta, or Google Workspace. These platforms can enforce minimum length, complexity, expiration, history, and MFA requirements automatically without relying on employee self-reporting. The written policy should name the enforcement mechanism so employees understand that compliance is monitored, not voluntary.\n",{"question":408,"answer":409},"How often should a password policy be reviewed?","At minimum, annually — and any time a significant security incident occurs, a compliance standard changes, or the organization adopts new systems or identity management tools. Policies that are more than 18 months old without review are likely misaligned with current NIST guidance and may not satisfy auditors looking for evidence of active security program management.\n",[411,415,419,423],{"industry":412,"icon_asset_id":413,"specifics":414},"Technology / SaaS","industry-saas","Privileged access to production environments, CI/CD pipelines, and cloud infrastructure requires stricter rotation cycles and mandatory hardware security keys for admin accounts.",{"industry":416,"icon_asset_id":417,"specifics":418},"Healthcare","industry-healthtech","HIPAA Technical Safeguard requirements mandate unique user IDs and automatic logoff; password policies must align with EHR system access controls and audit log requirements.",{"industry":420,"icon_asset_id":421,"specifics":422},"Financial Services","industry-fintech","PCI-DSS Requirement 8 mandates passwords of at least 12 characters, 90-day rotation, and history of at least 4 — policies must reference these minimums explicitly for card-data environments.",{"industry":424,"icon_asset_id":425,"specifics":426},"Professional Services","industry-professional-services","Client data 
access across multiple portals and VPNs makes SSO and MFA critical; policies should address how credentials for client-managed systems are handled by staff.",[428,431,434,437],{"vs":89,"vs_template_id":429,"summary":430},"acceptable-use-policy-D13564","An acceptable use policy governs how employees use company technology broadly — devices, internet, email, and software. A password policy focuses specifically on credential standards. Both are required for a complete security policy set; the acceptable use policy typically references the password policy for authentication-specific rules.",{"vs":226,"vs_template_id":432,"summary":433},"D{INFORMATION_SECURITY_POLICY_ID}","An information security policy is a high-level governance document covering the full scope of an organization's security program — risk management, asset classification, incident response, and access control. A password policy is one specific control document that sits beneath it. Organizations typically need both: the security policy sets the framework; the password policy sets the technical rules.",{"vs":241,"vs_template_id":435,"summary":436},"D{ACCESS_CONTROL_POLICY_ID}","An access control policy governs who can access which systems, data, and resources based on role and least-privilege principles. A password policy governs how those access credentials are created and maintained. They are complementary: the access control policy defines permissions; the password policy secures the authentication step that enforces them.",{"vs":233,"vs_template_id":438,"summary":439},"D{DATA_PROTECTION_POLICY_ID}","A data protection policy covers how sensitive data is classified, stored, transmitted, and disposed of. A password policy protects the credentials that control access to that data. 
Credential compromise is one of the primary causes of data breaches — the two policies address different layers of the same risk.",{"use_template":441,"template_plus_review":445,"custom_drafted":449},{"best_for":442,"cost":443,"time":444},"Small to mid-size businesses establishing a baseline security policy for general compliance or cyber insurance requirements","Free","1–2 hours",{"best_for":446,"cost":447,"time":448},"Organizations pursuing SOC 2, ISO 27001, HIPAA, or PCI-DSS certification where the policy must align with specific control language","$300–$800 for an IT security consultant or vCISO review","2–5 days",{"best_for":450,"cost":451,"time":452},"Enterprises with complex identity infrastructure, regulated environments, or policies that must integrate with Active Directory GPOs and PAM tooling","$1,500–$5,000+","1–3 weeks",[454,455],"nist-password-guidelines-explained","mfa-implementation-basics",[230,457,458,459,460,461,462,463,464,242,238,465],"non-disclosure-agreement-nda-D12692","employee-handbook-D712","remote-work-agreement-D13282","technology-policy-D13285","data-breach-response-and-notification-policy-D13650","cyber-security-policy-D12867","bring-your-own-device-policy-byod-D12626","disaster-recovery-plan-D12755","employee-non-disclosure-agreement-D538",{"emit_how_to":467,"emit_defined_term":467},true,{"primary_folder":469,"secondary_folder":470,"document_type":471,"industry":472,"business_stage":473,"tags":474,"confidence":479},"software-technology","cybersecurity-policies","policy","general","all-stages",[475,476,477,478,470],"data-protection","compliance","it","password-policy",0.95,"\u003Ch2>What is a Password Policy?\u003C/h2>\n\u003Cp>A \u003Cstrong>Password Policy\u003C/strong> is an internal governance document that establishes the rules employees, contractors, and systems must follow when creating, storing, sharing, and retiring passwords across all company accounts and applications. 
It specifies minimum length and complexity requirements, rotation schedules, multi-factor authentication obligations, and the consequences for non-compliance. Rather than leaving credential hygiene to individual judgment, the policy converts security best practices into consistent, enforceable organizational standards backed by documented procedures.\u003C/p>\n\u003Ch2>Why You Need This Document\u003C/h2>\n\u003Cp>Credential compromise — weak, reused, or stolen passwords — is the leading cause of unauthorized access in business data breaches. Without a written password policy, employees default to convenient habits: short passwords, reused across accounts, stored in browser autofill or a shared spreadsheet. When an incident occurs, the absence of a formal policy also weakens your position with insurers, auditors, and regulators, who expect documented controls as evidence of due diligence. A password policy is required documentation for SOC 2, ISO 27001, HIPAA, and PCI-DSS audits — and increasingly a prerequisite for cyber insurance underwriting. This template gives you a structured, audit-ready starting point you can tailor to your systems and team in under two hours.\u003C/p>\n",1781185980348]