At Humareso, we treat the data of every client as if it were our own.
By following this password policy, Humareso can ensure the confidentiality, integrity, and availability of its clients' data and minimize the risk of unauthorized access or data breaches. The use of Keeper ensures that passwords are securely stored and generated according to the password creation and complexity requirements. The prohibition on storing passwords in files or on paper prevents unauthorized access to passwords, while the prohibition on using personal password storage services ensures that the passwords are stored in a secure manner and remain company property. The use of multi-factor authentication on third-party systems provides an additional layer of security, while password monitoring and alerting ensure that any breaches or warnings are addressed promptly.
Password Policy for Humareso:
- Password Creation and Complexity Requirements:
- All passwords must be at least 12 characters long.
- Passwords must include a combination of
- upper and lower-case letters,
- numbers, and
- special characters.
- Passwords should be generated by Keeper whenever possible.
- Passwords should never contain references or initials of the client, project, year, or Humareso.
- Passwords should never be used more than once.
- Password Storage and Sharing:
- All company passwords must be stored securely in Keeper.
- Employees cannot store passwords in files, including Word Docs, digital Sticky notes, or other text-based documents on an Employee device.
- Employees cannot store passwords on external websites, including project management systems such as Asana or Atlassian or CRM systems such as HubpSot.
- Passwords should never be printed or written.
- Employees cannot share passwords externally.
- Employees cannot store passwords using other personal password storage services such as iCloud Keychain or LastPass unless prior approval is given, such as if a client shares their passwords with us.
- Multi-Factor Authentication:
- Multi-factor authentication must be enabled on any third-party system that supports it as a feature.
- Multi-factor authentication is mandatory if the system includes client confidential information.
- Authentication for MFA should be stored in Keeper where available through a Timed One Time Password (TOTP)
- Should TOTP not be available, Employee is to use either email-based authentications OR phone-based SMS with their Teams phone number.
- Exceptions can be made to use personal SMS authentication ONLY IF no other methods are available.
- Password Monitoring and Alerting:
- Users must monitor Keeper for breach alerts and warnings.
- Users must remediate any breach alerts and warnings within 5 business days.