Password Policy

Version: 1.3 approved
Controlled copy — valid on date of download only

Internal Use

Dispel

Document Control

Item | Details
Version | 1.3
Cadence | Annual
Policy Owner | Chief Information Security Officer
Approved By | Chief Executive Officer
DCF References | DCF-1, DCF-3, DCF-10, DCF-11, DCF-13, DCF-14, DCF-20, DCF-21, DCF-22, DCF-28, DCF-29, DCF-30, DCF-32, DCF-33, DCF-38, DCF-39, DCF-40, DCF-41, DCF-42, DCF-43, DCF-44, DCF-45, DCF-46, DCF-48, DCF-49, DCF-51, DCF-52, DCF-55, DCF-56, DCF-57, DCF-60, DCF-72, DCF-73, DCF-74, DCF-75, DCF-76, DCF-77, DCF-78, DCF-79, DCF-96

1. PURPOSE AND SCOPE

1.1 Purpose

The purpose of this policy is to establish mandatory rules for creating, using, protecting, and managing passwords and related authenticators (including those used for code signing) for Dispel systems and services.

1.2 Scope

This policy applies to:

  • All Dispel employees, contractors, and third parties with accounts on Dispel-managed systems or services.
  • All passwords and secret authenticators used to access Dispel corporate systems, the Dispel Zero Trust Engine, production infrastructure, and supporting services.
  • Passwords and private keys used for code signing or other security-sensitive operations.

1.3 Regulatory and Framework Alignment

# | Framework / Standard | Relevant Control IDs | Alignment Notes
1 | SOC 2 | CC6.1, CC6.2, CC6.6, CC7.2, CC8.1 | Logical access, authentication mechanisms (including passwords and MFA), least privilege, monitoring, and change management.
2 | ISO/IEC 27001 | A.5.12, A.5.13, A.8.11 | Policies for information security, access control, and protection of secret authentication information (including password management).
3 | NIST SP 800-53 | IA-2, IA-5, IA-6, AC-2 | Identification and authentication using passwords, authenticator management, feedback, and account management.
4 | IEC 62443 | 62443-3-3.SR1.1, 62443-3-3.SR1.2 | Unique identification and authentication, and management of secret authentication information in industrial control contexts.
5 | HIPAA | 164.308(a)(3), 164.312(d) | Workforce security and person or entity authentication when PHI is in scope.

2. POLICY STATEMENTS

2.1 Management Commitment

Management Commitment Statement

Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:

  • Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
  • Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
  • Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
  • Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.

2.2 Primary Policy Statement

Dispel SHALL ensure that passwords and related secret authenticators are created, used, stored, and managed in a manner that protects against unauthorized access, guessing, disclosure, or misuse.

2.3 Secondary Policy Statement

  • Passwords and secret authenticators SHALL be protected as confidential information and SHALL NOT be shared, reused across unrelated systems, or stored in insecure locations.
  • Approved password managers SHALL be used wherever technically feasible to generate and store strong, unique passwords.
  • Multi-Factor Authentication (MFA) requirements are governed by the Identification and Authentication Policy and Procedures (P-IdentificationandAuthenticationPolicyandProcedures).

3. REQUIREMENTS

3.1 Password Creation and Complexity

Objective: Ensure passwords are sufficiently strong to resist brute-force and guessing attacks.

Mandatory Activities:

  1. Complex passwords SHALL be used wherever technically feasible.
  2. Complex passwords SHOULD be at least 14 characters in length when managed via an approved password manager and SHOULD include a mix of upper-case, lower-case, numeric, and non-alphanumeric characters.
  3. At minimum, passwords MUST have at least 8 characters on systems where longer passwords are not yet supported.
  4. Passwords MUST NOT be based on easily guessable personal data (e.g., date of birth, addresses, names of family members, or other publicly available information).
  5. Passwords MUST NOT be commonly used, expected, or found on known compromised-password lists.

Required Outputs:

  • Configured password policies on identity providers and critical systems reflecting the above requirements.

Security Controls: NIST SP 800-53 IA-5, IA-6.
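One way to turn the five rules above into an automated acceptance check at password-set time. This is an added example, not Dispel's code or a configuration from any named identity provider: the compromised-password set, the personal-data tokens, and the candidate passwords are all constructed for the illustration, and a real deployment would consult a breach corpus rather than the placeholder set embedded here.

```python
"""Acceptance check for the Section 3.1 password rules (added example, not Dispel's code)."""
import hashlib
from dataclasses import dataclass, field
from typing import Iterable, List

# Constructed stand-in for a compromised-password list. A deployment would query a
# breach corpus (for example via a k-anonymity range API); the SHA-1 digests here are
# placeholders so the example runs offline.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password123!", "Welcome2024!", "Summer2025!!")
}

# Constructed personal-data tokens for the account under review (hypothetical HR record).
PERSONAL_TOKENS = ("anna", "1989", "maplestreet")


@dataclass
class Verdict:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def _char_classes(pw: str) -> dict:
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }


def check_password(pw: str, *, manager_managed: bool,
                   personal_tokens: Iterable[str] = PERSONAL_TOKENS) -> Verdict:
    """Return a Verdict listing every Section 3.1 rule the candidate password violates."""
    reasons: List[str] = []

    # Rule 3: absolute floor of 8 characters on every system.
    if len(pw) < 8:
        reasons.append("shorter than the 8-character minimum")

    # Rule 2: manager-generated passwords should be 14+ characters with all four classes.
    if manager_managed:
        if len(pw) < 14:
            reasons.append("manager-managed password shorter than 14 characters")
        missing = [name for name, present in _char_classes(pw).items() if not present]
        if missing:
            reasons.append("missing character class(es): " + ", ".join(missing))

    # Rule 4: no easily guessable personal data (case-insensitive substring match).
    lowered = pw.lower()
    for token in personal_tokens:
        if len(token) >= 4 and token.lower() in lowered:
            reasons.append(f"contains personal data token {token!r}")

    # Rule 5: not on a known compromised list; compared by SHA-1 digest, the form
    # breach-lookup services commonly use, so the plaintext is never kept in the list.
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    if digest in COMPROMISED_SHA1:
        reasons.append("appears on a known compromised-password list")

    return Verdict(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate, managed in [("Password123!", False), ("x7#Qw2!pLm9$Vz", True),
                               ("Anna1989-Maple!", True)]:
        v = check_password(candidate, manager_managed=managed)
        print(f"{candidate!r}: {'accepted' if v.accepted else 'rejected: ' + '; '.join(v.reasons)}")
```

The check reports every violated rule rather than stopping at the first, which gives the user actionable feedback (IA-6) and gives administrators a per-rule rejection count to review. The SHA-1 comparison is only a lookup key for the breach list; it is not how passwords are stored, which Section 3.4 covers separately.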


3.2 Password Use and User Obligations

Objective: Ensure users handle passwords securely in daily operations.

Mandatory Activities:

  1. Users MUST NOT disclose passwords to any unauthorized person, including management and system administrators who do not require the password for a legitimate operational reason.
  2. Users MUST NOT write down passwords or store them in plaintext (e.g., email, chat, personal notes, or unencrypted files). If passwords must be stored, they SHALL be stored only in an approved password manager.
  3. Users SHALL change passwords if there are indications that a password or system may be compromised and SHALL report a security incident according to the Incident Response Policy.
  4. Passwords used for private (non-business) purposes SHALL NOT be reused for business systems.
  5. Approved password managers SHALL be used where supported.

Required Outputs:

  • Evidence of user training or communication covering password obligations.

Security Controls: NIST SP 800-53 IA-5, IA-2, AC-2.


3.3 Shared Access and Credential Transmission

Objective: Minimize shared secrets and ensure secure credential handling.

Mandatory Activities:

  1. Identity and Access Management (IAM) SHOULD be used to provision individual accounts so each user has their own credentialed access to each environment.
  2. Where IAM is not available and passwords must be transmitted between workers:
    • Strong encryption methods (e.g., public-key cryptography) or out-of-band channels SHALL be used.
    • Encrypted credentials SHALL still be transmitted only over encrypted transport protocols.
  3. Shared passwords SHALL be avoided; where unavoidable, shared credentials SHALL be managed through an approved password manager or SSO mechanism and SHALL be reviewed regularly.

Note: Multi-Factor Authentication (MFA) requirements are defined in the Identification and Authentication Policy and Procedures (P-IdentificationandAuthenticationPolicyandProcedures), which is the authoritative source for all authenticator types including MFA, FIDO2, PKI, and phishing-resistant mechanisms.

Security Controls: NIST SP 800-53 IA-5, AC-2.


3.4 Password Storage and Protection

Objective: Ensure passwords and secret authentication information are stored and handled securely.

Mandatory Activities:

  1. All passwords SHALL be treated as confidential information and SHALL NOT be shared with anyone. Requests to share passwords SHALL be denied; instead, the system owner SHALL provision individual access.
  2. Users who must maintain their own secret authentication information SHALL receive an initial, unique, and secure temporary password or secret by secure means and MUST change it on first use.
  3. Passwords stored by systems SHALL:
    • Be stored with a unique salt.
    • Be stored only as one-way hashes using approved password hashing algorithms (e.g., PBKDF2, bcrypt, scrypt, or Argon2) with appropriate work factors.
  4. Temporary passwords SHALL be communicated in a secure manner, and the user’s identity MUST be verified prior to issuance.
  5. Password reset or recovery mechanisms SHALL verify user identity (e.g., via registered email or other approved methods) before issuing new secrets.
  6. Default passwords provided by software or hardware manufacturers SHALL be changed during initial installation.
  7. Approved password manager:
    • Dispel’s approved password manager for workforce use is 1Password.

Security Controls: NIST SP 800-53 IA-5, IA-6.


4. ROLES AND RESPONSIBILITIES

4.1 Policy Owner

Responsibilities:

  • Owns this Password Policy and ensures it is reviewed at least annually.
  • Ensures password requirements are reflected in identity provider and critical system configurations.
  • Coordinates updates to this policy in response to changes in regulations, standards, or risk.

4.2 Security Officer

Responsibilities:

  • Defines technical implementation standards for password storage, hashing, and management.
  • Monitors for suspected password compromise and coordinates incident response when needed.
  • Provides guidance on proper use of password managers and MFA.

4.3 System Owners / Administrators

Responsibilities:

  • Configure systems to enforce password complexity, rotation, and lockout policies consistent with this policy.
  • Ensure default passwords are changed and shared credentials are minimized.
  • Ensure systems store passwords only using approved hashing and salting mechanisms.

4.4 Users (Covered Persons)

Responsibilities:

  • Comply with this policy when creating, using, and protecting passwords.
  • Use approved password managers where available.
  • Promptly report suspected password compromise or unusual account activity.

5. PROCEDURES

5.1 Password Lifecycle Management (High-Level)

Step | Action | Responsible Party | Timeframe
1 | Define password and MFA requirements for systems and applications. | Policy Owner, Security Officer | During system design or significant change
2 | Configure IdPs and systems to enforce password complexity, storage, and lockout requirements. | System Owners / Administrators | Before production use
3 | Onboard users, including account creation, initial password or secret distribution, and MFA enrollment. | System Owners / Administrators | Prior to granting access
4 | Monitor authentication events and respond to suspected compromise, including forced resets and incident handling. | Security Officer, System Owners | Ongoing
5 | Periodically review password and MFA configurations and adjust based on emerging threats and guidance. | Policy Owner, Security Officer | At least annually

6. MONITORING AND COMPLIANCE

6.1 Compliance Monitoring

Compliance with this Password Policy SHALL be monitored through:

  • Technical monitoring of authentication events (e.g., failed logins, lockouts, password reset activity) on identity providers and critical systems.
  • Periodic access and configuration reviews to ensure password policies and MFA configurations are correctly enforced.
  • Internal or external audits that test password management controls.
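The first bullet, technical monitoring of failed logins and lockouts, as detection logic run over sample events. This is an added example and not Dispel's own tooling or the output format of any Dispel system: the log line format, the thresholds, and the events themselves are constructed for the illustration, and the addresses are RFC 5737 documentation ranges.

```python
"""Authentication-event monitoring for Section 6.1 (added example, not Dispel's own tooling)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed identity-provider events in a hypothetical format:
#   <ISO-8601 UTC time> <EVENT> user=<account> src=<source IP>
# The addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
2026-04-01T09:00:01Z LOGIN_FAILED user=j.doe src=203.0.113.7
2026-04-01T09:00:04Z LOGIN_FAILED user=j.doe src=203.0.113.7
2026-04-01T09:00:09Z LOGIN_FAILED user=j.doe src=203.0.113.7
2026-04-01T09:00:15Z LOGIN_FAILED user=j.doe src=203.0.113.7
2026-04-01T09:00:21Z LOGIN_FAILED user=j.doe src=203.0.113.7
2026-04-01T09:00:30Z ACCOUNT_LOCKED user=j.doe src=203.0.113.7
2026-04-01T09:02:00Z LOGIN_FAILED user=a.lee src=198.51.100.9
2026-04-01T09:02:03Z LOGIN_FAILED user=b.kim src=198.51.100.9
2026-04-01T09:02:06Z LOGIN_FAILED user=c.ng src=198.51.100.9
2026-04-01T09:02:09Z LOGIN_FAILED user=d.ray src=198.51.100.9
2026-04-01T09:05:00Z LOGIN_OK user=e.tan src=192.0.2.44
2026-04-01T10:30:00Z LOGIN_FAILED user=e.tan src=192.0.2.44
2026-04-01T10:30:40Z LOGIN_OK user=e.tan src=192.0.2.44
"""

Finding = Tuple[str, str, object]   # (kind, subject, detail)


def parse_event(line: str) -> Tuple[datetime, str, str, str]:
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields["user"], fields["src"]


def analyze(log_text: str, fail_threshold: int = 5, spray_threshold: int = 3,
            window: timedelta = timedelta(minutes=5)) -> List[Finding]:
    """Flag per-account failure bursts, lockouts, and one source failing against many accounts."""
    events = sorted(parse_event(l) for l in log_text.splitlines() if l.strip())
    findings: List[Finding] = []
    fails_by_user: Dict[str, deque] = defaultdict(deque)
    last_fail_by_src: Dict[str, Dict[str, datetime]] = defaultdict(dict)

    for ts, event, user, src in events:
        if event == "ACCOUNT_LOCKED":
            findings.append(("lockout", user, src))
            continue
        if event != "LOGIN_FAILED":
            continue

        # Per-account sliding window: fire once, when the count first reaches the threshold.
        recent = fails_by_user[user]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) == fail_threshold:
            findings.append(("failure_burst", user, src))

        # Per-source view: one address failing against several distinct accounts
        # inside the window points at credential guessing across users rather than
        # a single forgotten password, which per-account counters alone would miss.
        last_fail_by_src[src][user] = ts
        targets = sorted(u for u, t in last_fail_by_src[src].items() if ts - t <= window)
        if len(targets) == spray_threshold:
            findings.append(("multi_account_source", src, targets))

    return findings


if __name__ == "__main__":
    for kind, subject, detail in analyze(SAMPLE_LOG):
        print(f"{kind:22} {subject:16} {detail}")
```

On the sample, the single failure by e.tan followed by a successful login produces nothing, which is the intended behaviour: the counters are meant to surface the quarterly "failed authentication attempts and lockouts" metric in Section 6.2 as reviewable events, not to page on every typo.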

6.2 Metrics and Reporting

The following metrics SHALL be tracked and, at minimum, reviewed annually by the Policy Owner and Security Officer:

Metric | Frequency | Owner
Number of failed authentication attempts and lockouts on key systems | Quarterly | Security Officer
Percentage of accounts with MFA enabled on systems that support it | Quarterly | Security Officer
Completion rate for annual policy review and acknowledgement by Covered Persons | Annual | Policy Owner

6.3 Non-Compliance Consequences

Failure to comply with this policy may result in:

  • Revocation or restriction of system access.
  • Disciplinary action for employees and contractors, consistent with Dispel HR policies and applicable law.
  • Contractual or access-related remedies for third parties.

7. EXCEPTIONS AND WAIVERS

7.1 Exception Process

Exceptions to this policy SHALL:

  1. Be submitted in writing by the requesting party.
  2. Include justification and business impact.
  3. Describe compensating controls or mitigation measures.
  4. Define exception duration and remediation plan.

7.2 Exception Approval Authority

Risk Level | Approval Authority
Low | Policy Owner
Medium | Policy Owner and Security Officer
High | Policy Owner, Security Officer, and Senior Management representative
Critical | Senior Management representative in consultation with Policy Owner and Security Officer

8. DEFINITIONS

Password: A secret value used to authenticate a user to a system.

Multi-Factor Authentication (MFA): An authentication mechanism that requires two or more independent factors (e.g., something you know, something you have, something you are).

Password Manager: An approved tool used to generate, store, and manage passwords securely.

Authenticator: Any secret (e.g., password, token, private key) used to verify identity for access to a system or service.


9. REFERENCES

9.1 Internal References

  • Information Security Policy and related standards.
  • System Access Control Policy.
  • Identification and Authentication Policy and Procedures.
  • Secrets Management Standard.

9.2 External References

  • NIST SP 800-63 Digital Identity Guidelines.
  • NIST SP 800-53 (IA and AC families).
  • ISO/IEC 27001 and ISO/IEC 27002 (access control and authentication-related controls).
  • IEC 62443 series (where applicable).

10. DOCUMENT HISTORY

Version | Date | Author | Changes
1.3 | 2026-03-31 | Claude (Agent) | Moved MFA requirements to I&A Policy as single source of truth. Added cross-references.
1.2 | Predates version control | Ethan Schmertzler | Aligned Password Policy to POLICY_TEMPLATE and updated control mappings.
1.1 | Predates version control | Ethan Schmertzler | Annual review; no material changes.
1.0 | Predates version control | Ethan Schmertzler | Initial Password Policy creation.

11. APPROVAL SIGNATURES

Role | Name | Signature | Date
Policy Owner | | |
Security Officer | | |
Senior Management Representative | | |

APPENDICES

Appendix A: Supporting Password Procedures

This appendix may include:

  • Detailed onboarding and offboarding checklists related to account and password management.
  • Step-by-step procedures for password reset, recovery, and MFA enrollment.
  • Screenshots or configuration examples for IdPs and password manager settings.

Appendix B: Additional Guidance and Examples

This appendix may include:

  • Example strong password configurations and generator settings.
  • Sample user communications on password hygiene and MFA.
  • References to current industry guidance on password security.

Document Provenance

Last Modified: April 6, 2026 at 12:37 -0400
Author: unknown
Signature: Not signed
Commit: 547bdca