Password and Credential Policy
How North Star IT Services Ltd. and its team handle passwords, passphrases, MFA, password managers, and privileged credentials. This is the standard we use internally and the baseline we recommend to every managed client.
01 Purpose and scope
This policy defines how passwords and other authentication credentials are created, stored, rotated, and protected by all personnel acting on behalf of North Star IT Services Ltd. It applies to every employee, contractor, vendor, and managed-service technician who accesses Northstar IT systems or any client tenant we administer.
The policy aligns with current guidance from the Canadian Centre for Cyber Security (ITSP.30.031 v3) and NIST SP 800-63B, and is written to satisfy common cyber insurance and CIS Controls v8 requirements.
02 Password standards
We prefer long passphrases over short complex strings. Length defeats brute force; complexity rules drive predictable patterns that attackers already model.
| Account type | Minimum length | Rotation | Notes |
|---|---|---|---|
| Standard user | 14 characters | On suspicion of compromise only | Passphrase of 4 or more unrelated words is preferred. |
| Administrator | 16 characters | Every 180 days | Must differ from any prior credential and from the user's standard account. |
| Service account | 24 characters, random | Every 365 days | Generated by the password manager. Never reused across services. |
| Local administrator | 20 characters, random | Rotated per device by LAPS or equivalent | Unique per endpoint. Recovered through the vault, never shared. |
| Break-glass | 32 characters, random | On use or annually | Stored sealed in physical and digital escrow. Logged on every retrieval. |
Prohibited credentials
- Anything found in a known breach corpus (we check against Have I Been Pwned and our own dark-web monitoring feed).
- The user's name, the business name, the city, the year, or any sequential or keyboard-walk pattern.
- The same credential reused across two or more systems.
Rotation rule. Standard accounts do not rotate on a schedule. Time-based rotation produces weaker passwords. Rotate only when there is reason to believe a credential has been exposed.
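As an added illustration, not part of the original policy or of Northstar IT's tooling, the following Python validator applies the table minimums and the prohibited-credential rules above to a candidate password. The breach corpus, the account labels and the names checked are constructed stand-ins; a real deployment replaces the corpus set with a Have I Been Pwned or monitoring-feed lookup.

```python
import re

# Minimum lengths from the policy table, keyed by a constructed account label.
MIN_LENGTH = {"standard": 14, "administrator": 16, "local_admin": 20,
              "service": 24, "break_glass": 32}

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Constructed stand-in for the breach-corpus check. A real deployment queries
# Have I Been Pwned (k-anonymity range API) or the dark-web monitoring feed.
BREACHED = {"Password123456", "Welcome2024!!!!", "letmein-letmein"}


def _norm(s):
    """Lower-case and strip everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def has_walk(pw, n=4):
    """True if pw contains n+ sequential chars (abcd, 4321) or a keyboard-row run (qwer)."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        codes = [ord(c) for c in chunk]
        if {b - a for a, b in zip(codes, codes[1:])} in ({1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw, account_type, context, breached=BREACHED):
    """Return the list of policy violations; an empty list means compliant.

    context maps a label ("user", "business", "city") to the value that must
    not appear anywhere in the password, ignoring case and punctuation.
    """
    problems = []
    if len(pw) < MIN_LENGTH[account_type]:
        problems.append(f"shorter than {MIN_LENGTH[account_type]} characters")
    flat = _norm(pw)
    for label, value in context.items():
        v = _norm(value)
        if v and v in flat:
            problems.append(f"contains {label}")
    if re.search(r"(19|20)\d{2}", pw):        # four-digit year, e.g. 2024
        problems.append("contains a year")
    if has_walk(pw):
        problems.append("sequential or keyboard-walk pattern")
    if pw in breached:                        # breach corpora hold exact strings
        problems.append("found in breach corpus")
    return problems
```

The same rules can be enforced at the directory (Entra ID banned-password lists, on-premises password filters); the script is for checking candidates before they are set.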
03 Multi-factor authentication
MFA is mandatory for every account that touches email, finance, customer data, or administrative tooling. There are no exceptions for executives, owners, or contractors.
Accepted factors, in order of preference
- Hardware security keys (FIDO2 / WebAuthn) such as YubiKey 5 Series. Required for global administrator and break-glass accounts.
- Authenticator app with number matching (Microsoft Authenticator, Duo, or equivalent). Required for all administrator accounts.
- Authenticator app with one-time code. Acceptable for standard users when number matching is not available.
Not accepted
- SMS or voice-call one-time codes (SIM-swap risk).
- Email-based one-time codes when the email mailbox is the account being protected.
- Security questions as a sole second factor.
Conditional Access in Microsoft Entra ID is configured to block legacy authentication, require compliant or hybrid-joined devices for administrators, and prompt for MFA on every risky sign-in.
04 Password manager use
All passwords used for work, without exception, are stored in the approved password manager. Browser-saved passwords, plain-text notes, spreadsheets, sticky notes, and shared documents are not acceptable storage.
- Northstar IT uses an enterprise vault with audit logging and SCIM-based provisioning. Master access requires hardware key MFA.
- Personal vaults are separate from the work vault. Personal credentials are never stored in a work vault, and work credentials are never stored in a personal vault.
- Sharing of credentials happens inside the vault using shared collections, never by email, chat, ticket comments, or screenshots.
- Vault recovery is held in escrow by two named persons. Recovery cannot be initiated by a single individual.
05 Privileged and shared credentials
Privileged accounts are the keys to the kingdom. They are isolated from daily work.
- Separate accounts. Administrators have a daily-driver account and a separate admin account. Email, browsing, and document editing never happen on the admin account.
- Just-in-time elevation. Privileged Identity Management (PIM) or equivalent is used to elevate to global admin only for the duration of the task, with approval and logging.
- Shared service credentials. Where a vendor only supports a single login (legacy SaaS, some banking portals), the credential lives in a shared vault collection. Access is audit-logged and reviewed quarterly.
- Break-glass. One cloud-only global admin per tenant, exempt from Conditional Access, MFA via hardware key only, monitored by an alert that fires on any sign-in.
06 Account lifecycle
Onboarding
Each new user receives a unique, randomly generated initial password delivered through the vault, with forced rotation on first sign-in. MFA enrolment is completed before any production system is accessed.
Role change
Group memberships and privileged role assignments are reviewed within five business days of a role change. Access that is no longer required is removed.
Offboarding
- Sign-in is blocked and active sessions are revoked within one business hour of separation.
- The mailbox is converted to a shared mailbox for 90 days, then archived.
- Personal device tokens are revoked. Company-owned devices are wiped and re-imaged.
- Vault access is removed and any individually owned shared items are transferred to the owner of the relevant collection.
07 Compromise and incident response
If a credential is suspected of being exposed, the action is immediate and the same regardless of who is affected.
- Rotate the credential through the vault.
- Revoke all active sessions and refresh tokens for the affected identity.
- Review sign-in logs and audit logs for the prior 30 days. Capture findings in the ticket.
- Notify the user and, if a client tenant is involved, the client primary contact within four business hours.
- If unauthorised access is confirmed, escalate to incident response per the Northstar IT IR runbook and assess notification obligations under PIPEDA and provincial privacy laws.
No-blame rule. Reporting a suspected compromise quickly is rewarded, not punished. The cost of a slow report is always higher than the cost of a false alarm.
08 Training and acknowledgement
Every team member completes password and phishing training at hire and annually thereafter. Acknowledgement of this policy is recorded in the employee file and refreshed when the policy is revised.
09 Enforcement
Violations are handled progressively: documented coaching for first instances, written warning for repeats, and termination for wilful or repeated breaches that put client data at risk. Contractors who breach this policy may have their engagement terminated immediately.
10 Policy review
This policy is reviewed at least annually by the owner and after any material incident. Material changes increment the version number. Previous versions are archived in the policy repository.
Questions or proposed changes: keegan@northstarit.ca or 672-983-1174.
Need a password policy for your business?
We deliver this policy, training, and the password manager rollout as part of our managed cybersecurity service. Get a free assessment to start.