WM-IT-003 Password Management And Security Compliance Policy And Procedure – Docs

Revision Table

Release No.	Date	Revision Description
Rev. 0	27-FEB-2018	New Release
Rev. 1	26-SEP-2022	Amendment To Template Layout And Cover Page Amendment To Approval By Name And Position Revised, Restructure And Strengthen Existing Policy New Annual Review Section
Rev. 2	25-SEP-2023	Remove Revision & Date Revised From Page 1 to 5 On Header Section Remove Next Review On Page 2 Move Approval From Page 4 To Page 5
Rev. 3	21-NOV-2023	Remove Remarks On Page 2 3.0 Annual Review – Update Annual Review To Review 7.0 Password Policy – Enhance Existing Policy 9.0 Data Security Folder – New Section With Sub-Section
Rev. 4	19-DEC-2023	Change SOP Main Title Approval – Update New Layout And Move To Page 3 2.0 Review By – Move To Page 3 8.0 Password Guidline – Update on 8.2 User Devices (Desktop/Laptop) Clause (b) – Update on 8.3 Server Administrator Devices Clause (c) 9.0 Data Security Folder – Add 9.3 Management Review Acknowledgment 10.0 Computer Inactivity Lock Screen – New Section. 11.0 Password Inspection And Logging – Move From Chapter 10
Rev. 5	27-NOV-2024	Revised, Restructure And Strengthen Existing Policy
Rev. 6	07-JAN-2025	Move Entire Policy To Cloud For Easy Access From Anywhere. Revised Header And Sub-Header Numbering

1. INTRODUCTION

In today’s digital landscape, strong password security is essential for protecting an organisation’s IT systems, sensitive data, and overall business operations. Weak or compromised passwords pose a significant risk, potentially leading to unauthorised access, data breaches, and operational disruptions. To mitigate these risks, Widetech Manufacturing Sdn Bhd has established a Password Management and Security Compliance Policy, ensuring that all employees, contractors, vendors, and other authorised users adhere to stringent security standards.

This policy is designed to safeguard the integrity, confidentiality, and availability of Widetech Manufacturing Sdn Bhd’s IT infrastructure by enforcing best practices in password creation, confidentiality, renewal, and security enforcement. It aligns with Customs Trade Partnership Against Terrorism (CTPAT) requirements and industry best practices to strengthen the company’s cybersecurity resilience and regulatory compliance.

The document outlines clear guidelines on password management, including setup procedures, complexity requirements, regular updates, reporting of security incidents, and enforcement measures. Additionally, it defines the responsibilities of both users and the IT department to ensure consistent adherence to these policies.

By implementing these measures, Widetech Manufacturing Sdn Bhd reinforces its commitment to protecting corporate assets, minimising security risks, and fostering a culture of cybersecurity awareness among all employees and stakeholders. Compliance with this policy is mandatory for all system users, ensuring that password security remains a top priority within the organisation.

2. SCOPE

This policy is applicable to all employees, contractors, vendors, and any other individuals or entities granted access to the Information Technology systems, applications, and data of Widetech Manufacturing Sdn Bhd. It encompasses all users, regardless of role or level of access, who interact with the company’s technological infrastructure.

The policy applies universally to systems requiring password authentication. This includes, but is not limited to, network logins, email accounts, enterprise resource planning (ERP) systems, customer relationship management (CRM) platforms, databases, cloud-based applications, and any other software or hardware resources protected by password credentials.

Additionally, this policy extends to any personal devices authorised for company use under a Bring Your Own Device (BYOD) scheme, ensuring consistent application of security standards across all devices accessing company resources.

By defining this broad scope, the policy ensures that every individual and system involved in Widetech Manufacturing Sdn Bhd’s operations adheres to robust password management practices, thereby safeguarding the organisation’s Information Technology infrastructure and aligning with CTPAT compliance requirements.

3. POLICY STATEMENT

Widetech Manufacturing Sdn Bhd is fully committed to safeguarding its Information Technology systems and sensitive data by adopting and enforcing robust password management practices. Recognising that strong and secure password protocols are a cornerstone of effective cybersecurity, the company seeks to ensure that all users adhere to high standards in creating, maintaining, and managing their access credentials.

This commitment reflects Widetech Manufacturing Sdn Bhd’s dedication to mitigating the risks of unauthorised access, data breaches, and potential disruptions to business operations. The policy mandates the implementation of stringent password controls, comprehensive user education on password security, and continuous monitoring to maintain compliance with industry best practices and the requirements of the Customs Trade Partnership Against Terrorism (CTPAT).

Through this policy, Widetech Manufacturing Sdn Bhd aims to foster a culture of accountability and vigilance, ensuring that all employees, contractors, and stakeholders actively contribute to the protection of the company’s Information Technology assets and data. The policy serves as a key component of the organisation’s broader efforts to uphold the confidentiality, integrity, and availability of its systems, aligning with its strategic goals and regulatory obligations.

4. PASSWORD CREATION

To ensure the security and integrity of Widetech Manufacturing Sdn Bhd’s Information Technology systems and sensitive data, all passwords must adhere to the following stringent requirements for creation:

4.1 Length and Complexity

Passwords must be a minimum of 12 characters in length to provide sufficient protection against unauthorised access and brute force attacks. Each password must include:

Uppercase letters (e.g., A, B, C)
Lowercase letters (e.g., a, b, c)
Numbers (e.g., 1, 2, 3)
Special characters (e.g., @, #, $, %)

This combination ensures a high level of complexity, making passwords more resistant to potential hacking attempts.

4.2 Avoidance of Easily Guessed Words

Passwords must not contain easily guessed or predictable phrases, such as “password,” “123456,” or the user’s personal information (e.g., names, birth dates, or common words). Additionally, passwords should not include references to Widetech Manufacturing Sdn Bhd, such as the company name, product names, or abbreviations.

4.3 Changing Default System Passwords

All default passwords issued by the Information Technology Department (e.g., for new accounts, devices, or systems) must be changed immediately upon first login. Failure to do so leaves systems vulnerable to exploitation by individuals who may have knowledge of standard or manufacturer-provided credentials.

By adhering to these password creation standards, Widetech Manufacturing Sdn Bhd ensures a higher level of security, protecting its digital assets and aligning with the company’s commitment to compliance with CTPAT requirements and industry best practices. Regular training and audits will be conducted to ensure these guidelines are consistently followed.

5. PASSWORD CONFIDENTIALITY

To safeguard the security and integrity of Widetech Manufacturing Sdn Bhd’s Information Technology systems, strict confidentiality regarding passwords is essential. All users must adhere to the following guidelines to prevent unauthorised access and protect sensitive data:

5.1 No Password Sharing

Passwords are personal and must never be shared under any circumstances. This includes sharing with colleagues, supervisors, family members, or external parties. Allowing others access to your password compromises the security of the system and could lead to unauthorised access, data breaches, or other security risks.

5.2 Secure Storage of Passwords

Users must not write down passwords or store them in unsecured locations, such as notebooks, sticky notes, or text files on their computers. Such practices expose sensitive credentials to potential theft or misuse. Users are encouraged to memorise their passwords or utilise secure storage solutions approved by the Information Technology Department.

5.3 Accountability and Responsibility

Every user is responsible for maintaining the confidentiality of their passwords and must take all necessary precautions to ensure they are not disclosed or compromised. Any suspected compromise of a password must be reported immediately to the Information Technology for prompt resolution.

By upholding these standards for password confidentiality, Widetech Manufacturing Sdn Bhd reinforces its commitment to robust cybersecurity measures, aligning with industry best practices and meeting CTPAT requirements. Regular training and awareness campaigns will be conducted to educate users on the importance of maintaining password confidentiality.

6. PASSWORD EXPIRY AND RENEWAL

To ensure the ongoing security and resilience of Widetech Manufacturing Sdn Bhd’s Information Technology systems, all users are required to adhere to the following guidelines regarding password expiry and renewal. These measures help prevent unauthorised access and maintain compliance with cybersecurity best practices and CTPAT requirements:

6.1 Mandatory Password Renewal

Passwords must be updated regularly to minimise the risk of compromise. As a standard policy, users are required to change their passwords every 90 days. This ensures that even if a password is unknowingly compromised, the risk of prolonged access to sensitive systems and data is significantly reduced.

6.2 Prompted Updates

To facilitate compliance, users will receive automated reminders to update their passwords before they expire. These prompts will typically begin 14 days prior to the expiration date, providing ample time for users to create a new, secure password in line with the company’s complexity requirements. Failure to update the password within the stipulated timeframe will result in restricted access until the password is reset.

6.3 Password Reuse Restriction

For enhanced security, previously used passwords must not be reused for at least the last 2 password cycles. This policy ensures that users consistently create unique credentials, reducing the likelihood of a breach due to the recycling of old or previously compromised passwords.

6.4 Information Technology Department Oversight

The Information Technology Department will monitor password expiry and renewal compliance through automated systems, ensuring that all users follow the guidelines. Accounts found to be non-compliant will be flagged, and the respective users will be required to update their passwords immediately.

6.5 User Responsibility

Users must take full responsibility for adhering to password expiry notifications and updating their credentials promptly. Neglecting to do so may result in temporary suspension of access until compliance is restored.

By enforcing these password expiry and renewal policies, Widetech Manufacturing Sdn Bhd reinforces its commitment to maintaining a secure Information Technology environment, protecting critical systems and data from potential threats, and ensuring alignment with international security standards.

7. PASSWORD SECURITY PRACTICES

Widetech Manufacturing Sdn Bhd is dedicated to ensuring the highest levels of security for its Information Technology systems through the implementation of rigorous password security practices. These measures are designed to enhance protection against unauthorised access, safeguard sensitive data, and maintain compliance with CTPAT requirements. All users must adhere to the following practices:

7.1 Multi-Factor Authentication (MFA)

Where applicable, multi-factor authentication (MFA) is mandatory for accessing company systems and applications. MFA provides an additional layer of security by requiring users to verify their identity through two or more authentication factors, such as:

Something they know (e.g., a password).
Something they have (e.g., a smartphone or security token).
Something they are (e.g., fingerprint or facial recognition).

By implementing MFA, Widetech Manufacturing Sdn Bhd ensures that even if a password is compromised, unauthorised access remains significantly less likely.

7.2 Failed Login Attempts

To prevent unauthorised access through brute-force attacks, the number of consecutive failed login attempts is limited to 5. After the fifth unsuccessful attempt, the account will be temporarily locked.

Locked accounts can only be reactivated through a secure process handled by the Information Technology Department.
Users must contact the Information Technology to verify their identity and regain access.

This policy discourages malicious login attempts while protecting user accounts from unauthorised access.

7.3 Automatic Deactivation of Inactive Accounts

User accounts that remain inactive for a period of 60 days will be automatically disabled. This measure reduces the risk associated with dormant accounts, which could otherwise be exploited for unauthorised access.

The Information Technology Department will regularly audit account activity and deactivate accounts that meet this criterion.
Users requiring reactivation of a disabled account must submit a formal request to the Information Technology Department and provide justification for reinstatement.

7.4 Regular Monitoring to Compliance

The Information Technology Department will actively monitor adherence to these security practices and provide support where needed. Any breach of these practices may result in temporary suspension of access or further investigation to address potential risks.

By enforcing these password security practices, Widetech Manufacturing Sdn Bhd strengthens its overall cybersecurity framework, protecting its Information Technology infrastructure and sensitive data from emerging threats while ensuring compliance with industry standards and regulatory requirements.

8. INFORMATION DEPARTMENT RESPONSIBILITIES

The Information Technology Department of Widetech Manufacturing Sdn Bhd plays a critical role in upholding the company’s password security policies and ensuring compliance with CTPAT requirements. The following responsibilities outline the department’s duties in maintaining a secure and resilient Information Technology environment:

8.1 Monitoring and Enforcement of Password Policies

The Information Technology Department is responsible for monitoring and enforcing password security policies across all systems, applications, and devices. This includes:

Configuring systems to meet password complexity and expiry requirements.
Conducting regular audits to identify and address any non-compliance.
Ensuring all new accounts and devices adhere to password security standards before being deployed.

Proactive enforcement of these policies is vital to safeguarding the organisation’s digital assets against unauthorised access.

8.2 Providing Regular Training on Secure Password Practices

To promote awareness and best practices, the Information Technology Department will organise regular training sessions and workshops for all employees and stakeholders. These sessions will cover:

The importance of strong password security.
Steps to create, update, and manage passwords effectively.
The use of approved password management tools.
Recognising and avoiding common password-related threats, such as phishing attacks.

By equipping users with the knowledge and tools to maintain password security, the Information Technology Department helps to reduce human error and mitigate risks.

8.3 Reporting and Addressing Password-Related Security Incidents

The Information Technology Department is tasked with promptly identifying, reporting, and resolving any password-related security incidents. This involves:

Monitoring for unusual login patterns or unauthorised access attempts.
Investigating and mitigating incidents, such as suspected password compromises or system breaches.
Communicating with affected users and relevant departments to ensure swift resolution and prevention of further risks.
Documenting all incidents and implementing lessons learned to enhance future security measures.

8.4 Supporting System Users

The Information Technology Department will provide ongoing support to users, ensuring they can access resources securely while adhering to company policies. This includes assisting with password resets, troubleshooting access issues, and offering guidance on implementing best practices.

By fulfilling these responsibilities, the Information Technology Department ensures that Widetech Manufacturing Sdn Bhd maintains a secure Information Technology environment, upholds its commitment to CTPAT compliance, and mitigates the risks associated with password security vulnerabilities. Regular evaluations of these responsibilities will be conducted to adapt to evolving security challenges and technologies.

9. COMPLIANCE AND ENFORCEMENT

To maintain the security and integrity of Widetech Manufacturing Sdn Bhd’s Information Technology systems and ensure alignment with CTPAT requirements, strict compliance with the Password Management and Security Policy is mandatory for all users. The following measures outline the expectations and enforcement protocols.

9.1 Mandatory Compliance for All Users

All employees, contractors, vendors, and other authorised parties accessing the company’s Information Technology systems must adhere to the guidelines set out in this policy. This includes following the standards for password creation, confidentiality, expiry, and security practices:

Users are expected to actively participate in training sessions and remain informed about updates to password policies.
Any failure to comply with these requirements will be treated as a serious security breach.

9.2 Consequences of Non-Compliance

Non-compliance with this policy may result in disciplinary actions, up to and including:

Suspension of access privileges to Information Technology systems until the user complies with the policy requirements.
Formal disciplinary measures, as outlined in the company’s employee code of conduct.
Termination of employment or contract in cases of deliberate or repeated breaches that compromise the organisation’s security.

These measures ensure that users recognise the importance of adhering to password security standards and their role in protecting the organisation.

9.3 Regular Audits and Monitoring

The company will conduct regular audits to ensure adherence to password management requirements. These audits will include:

Verifying compliance with password creation and update standards.
Identifying and addressing inactive accounts or non-compliant users.
Reviewing security logs for suspicious activities or breaches related to passwords.

Audit findings will be documented, and corrective actions will be implemented promptly to address any gaps or vulnerabilities.

9.4 Enforcement Through Information Technology Department Oversight

The Information Technology Department will be responsible for enforcing this policy, including:

Monitoring compliance through automated systems and periodic checks.
Issuing reminders or warnings to users at risk of non-compliance.
Taking necessary actions to resolve non-compliance, including escalation to management when required.

9.5 Continuous Improvement and Updates

The company will regularly review and update this policy to address emerging security threats and technological advancements. Users will be notified of any changes and provided with the necessary support to ensure continued compliance.

By enforcing strict compliance and conducting regular audits, Widetech Manufacturing Sdn Bhd ensures the integrity and security of its Information Technology systems, reduces vulnerabilities, and demonstrates its unwavering commitment to cybersecurity and CTPAT requirements.

10. PASSWORD SETUP

Widetech Manufacturing Sdn Bhd ensures the security of its Information Technology systems and data by implementing a structured and secure password setup process for all users. The following procedures outline the steps taken during onboarding and the configuration of password policies:

10.1 Temporary Passwords for New Employees

As part of the onboarding process, new employees are issued temporary passwords to access company systems for the first time. These passwords are designed to provide initial access while maintaining security.

Temporary passwords are generated by the Information Technology Department and adhere to basic security standards.
Upon first login, users are required to change their temporary password to one that complies with the company’s password creation guidelines, including length, complexity, and confidentiality requirements.
Failure to update the password during the first login will result in restricted access until compliance is achieved.

This practice ensures that all user accounts are secured with unique and robust credentials from the outset, reducing the risk of unauthorised access.

10.2 Configuration of Password Complexity Requirements

The Information Technology Department is responsible for configuring and enforcing password complexity requirements across all systems. These configurations include:

Minimum length of 6 characters.
Mandatory inclusion of uppercase letters, lowercase letters, numbers, and special characters.
Prevention of the use of easily guessed or commonly used passwords.
Restriction on the reuse of recent passwords to ensure ongoing security.

These settings are applied consistently across all platforms, applications, and devices, ensuring uniform compliance with the organisation’s password policies.

10.3 Automation and Monitoring

Password policies are enforced through automated system configurations, reducing the risk of human error.
The Information Technology Department conducts regular checks to ensure that all systems are correctly configured and aligned with policy requirements.

10.4 Support for New Employees

The Information Technology Department provides guidance to new employees on how to create secure passwords and comply with company policies. This includes:

Instructions during onboarding sessions.
Access to training materials and resources on password best practices.
Support through the Information Technology for any password-related queries or issues.

By implementing a structured password setup process, Widetech Manufacturing Sdn Bhd ensures that all new user accounts are established with security as a priority, aligning with CTPAT requirements and the company’s commitment to safeguarding its Information Technology environment.

11. PASSWORD UPDATES

Widetech Manufacturing Sdn Bhd enforces regular password updates to ensure the ongoing security of its Information Technology systems and compliance with CTPAT requirements. The following procedures detail the process for managing password updates:

11.1 Timely Reminders for Password Expiry

To ensure that users are aware of upcoming password expirations, the Information Technology Department has implemented an automated email reminder system.

Users will receive desktop prompt notification 14 days before their password is due to expire.
Additional reminders may be sent at 5 days and 1 day prior to expiration to encourage timely updates.
The email will include clear instructions on how to update passwords and a link to the password management portal.

These reminders ensure that users have ample time to create a new, secure password without interrupting their access to critical systems.

11.2 Adherence to Password Complexity Guidelines

When updating a password, users must follow the complexity requirements outlined in this policy to maintain robust security. This includes:

A minimum of 6 characters.
A mix of uppercase and lowercase letters, numbers, and special characters.
Avoidance of easily guessed or previously used passwords (as defined by the company’s reuse policy).

The system will validate the new password against these guidelines to ensure compliance before accepting the update.

11.3 Seamless Update Process

The password update process has been designed to be user-friendly and efficient, minimising disruption to daily tasks:

Users can update their passwords via the company’s secure password management portal or directly through system prompts.
Support is available through the Information Technology for any technical issues or questions regarding the update process.

11.4 Enforcement and Monitoring

Passwords that are not updated by the expiration date will result in automatic account suspension until the password is successfully changed.
The Information Technology Department will monitor compliance with password update requirements and provide assistance to users as needed.

11.5 Employee Responsibility

All users are responsible for ensuring their passwords are updated promptly. Failure to update passwords within the specified timeframe may result in temporary loss of access and potential disciplinary action in cases of repeated negligence.

By enforcing timely password updates and providing clear guidelines, Widetech Manufacturing Sdn Bhd ensures the continued security of its Information Technology environment while minimising the risk of vulnerabilities arising from outdated or weak passwords. This process reflects the company’s commitment to cybersecurity best practices and regulatory compliance.

12. REPORTING INCIDENTS

Widetech Manufacturing Sdn Bhd prioritises the swift identification and resolution of password-related security incidents to safeguard its Information Technology systems and sensitive data. The following procedures ensure effective incident reporting, investigation, and resolution:

12.1 Immediate Reporting by Users

Users are required to report any suspected password compromise or unusual account activity immediately to the Information Technology. Examples of incidents to report include:

Suspicious login notifications.
Inability to access an account with a known password.
Notifications of unauthorised password changes.
Signs of unauthorised access to systems or data.

Reporting incidents promptly enables the Information Technology Department to respond effectively and minimise potential damage.

12.2 Contacting Information Technology Department

Users can report incidents through the company’s dedicated Information Technology via phone, email, or an online ticketing system.
All reports must include relevant details, such as the affected account, the nature of the issue, and any observed irregularities.

12.3 Investigation and Remediation by Information Technology Department

Upon receiving an incident report, the Information Technology Department will initiate an immediate investigation to determine the scope and cause of the issue. Key steps include:

Identifying the source of the compromise, such as phishing attacks or brute-force attempts.
Resetting affected accounts and issuing temporary credentials to impacted users.
Reviewing system logs and activity records to trace unauthorised access or suspicious behaviour.
Taking appropriate measures to prevent further incidents, such as strengthening security configurations or applying patches.

12.4 Notification of Relevant Stakeholders

Once the incident has been investigated, the Information Technology Department will notify relevant stakeholders, including:

The affected user(s), with guidance on next steps.
Department managers, if the incident impacts critical systems or data.
Senior management, if the incident poses significant risk to the company’s operations or reputation.

12.5 Incident Documentation and Follow-Up

All incidents must be thoroughly documented, including the nature of the incident, investigative findings, and remediation steps taken. This documentation will:

Serve as a reference for preventing similar incidents in the future.
Be included in reports for internal audits or regulatory compliance purposes, such as CTPAT reviews.

12.6 Employee Responsibility

All users are responsible for remaining vigilant and reporting any suspected compromises without delay. Failure to do so could result in further security breaches and disciplinary actions if negligence is found.

By establishing clear reporting procedures and ensuring rapid response to incidents, Widetech Manufacturing Sdn Bhd reinforces its commitment to maintaining a secure Information Technology environment and aligning with cybersecurity best practices and CTPAT requirements.

13. AUDIT AND REVIEW

Widetech Manufacturing Sdn Bhd conducts regular audits and reviews of its password management practices to ensure the ongoing security of its Information Technology systems, compliance with CTPAT requirements, and alignment with industry best practices. These processes are critical to identifying vulnerabilities, addressing risks, and maintaining a robust security framework

13.1 Monthly Password Reviews

The Information Technology Department will perform monthly reviews to identify and address any accounts with weak or default passwords. This process includes:

Scanning all systems for accounts using passwords that fail to meet the company’s complexity requirements.
Identifying accounts that have not updated their passwords within the required timeframe.
Reviewing newly created accounts to ensure that default system-generated passwords have been changed.

Accounts flagged during these reviews will be addressed promptly, with users required to update their passwords to meet security standards. The Information Technology Department will provide support and guidance where needed.

As part of Widetech Manufacturing Sdn Bhd’s commitment to CTPAT compliance, the Information Technology Department will prepare detailed annual reports outlining the company’s adherence to password management and security policies. These reports will include:

Results from monthly reviews and remediation efforts.
Records of any password-related incidents and the measures taken to address them.
Updates on training initiatives and improvements to password policies.

The compliance reports will be submitted to the appropriate internal and external stakeholders as part of the company’s broader security audit processes. This ensures transparency and demonstrates the organisation’s commitment to maintaining a secure and compliant Information Technology environment.

13.2 CTPAT Compliance Reporting

Results from monthly reviews and remediation efforts.
Records of any password-related incidents and the measures taken to address them.
Updates on training initiatives and improvements to password policies.

13.3 Continuous Improvement Through Audits

Regular audits provide opportunities to identify emerging threats, gaps in current practices, and areas for improvement.
Insights gained from these audits will be used to refine the company’s password policies, update security configurations, and enhance user training programmes.

13.4 Employee Awareness and Accountability

Employees will be informed of the importance of audits and their role in maintaining compliance.
Users who fail to comply with password policies identified during audits will be required to take corrective action immediately, with potential disciplinary measures for repeated non-compliance.

13.5 Documentation and Record-Keeping

The results of all monthly reviews and annual audits will be thoroughly documented, providing a clear record of the company’s proactive measures to protect its Information Technology systems. These records will serve as evidence for internal evaluations and external regulatory requirements, including CTPAT standards.

By conducting regular audits and reviews, Widetech Manufacturing Sdn Bhd ensures that its password management practices remain effective, up to date, and aligned with its commitment to robust cybersecurity and compliance. These efforts strengthen the organisation’s resilience against potential threats and reinforce its reputation for maintaining high-security standards.