Why a password and MFA policy matters
Weak or reused passwords are a primary cause of account compromise; MFA is the single most effective control for cloud and remote access. Insurers and auditors expect a written policy that is approved, communicated, and enforced. A one-pager supports board approval and staff training without overwhelming detail.
Policy summary: what to include
Passwords — Minimum length and complexity (e.g. 12+ characters, no predictable patterns); no reuse of passwords across work and personal accounts; use an approved password manager where appropriate. Define who can approve exceptions and how often passwords are reviewed.
Multi-factor authentication (MFA) — Required for all cloud and remote access; preferred methods (e.g. authenticator app, FIDO2) and any exceptions documented. "We don't use MFA for X" should be a deliberate, approved exception—not the default.
Review — Passwords must be changed if compromise is suspected; periodic review of access and MFA enrolment. Define how often (e.g. quarterly) and who owns it.
What good looks like vs common gaps
Good: Policy is short, clear, and approved; MFA enforced for all remote/cloud access; exceptions documented and time-limited; staff trained and reminded.
Common gaps: Policy is vague or not enforced; MFA only on "important" systems; no process for suspected compromise; no review of access or MFA enrolment.
Why a one-pager works
Boards and staff need a clear, brief policy they can understand and follow. A one-pager supports approval and training without overwhelming detail. Keep the full technical standard in a separate document if needed; the one-pager is the approved, communicated version.
Align your identity and access controls with our team—we help organisations implement and communicate password and MFA policies.