HLD Group

Password & authentication policy

Password complexity, MFA, and credential management.

Last updated: 21 May 2026

Version 2.0 · Review cycle: 180 days

1. Purpose

This document establishes mandatory requirements for HLD Group personnel, contractors, and third parties with access to HLD Group systems, facilities, or data. It supports our information security management system (ISMS), regulatory obligations, and customer contractual commitments.

Compliance with this policy is a condition of access to company resources. Exceptions require documented approval from the Chief Information Security Officer (CISO) or delegate and must include compensating controls.

2. Scope

This policy applies globally to all HLD Group employees, contractors, consultants, interns, and agency staff ("Personnel"). It covers all information assets owned, leased, or processed by HLD Group, including cloud services, customer environments under our management, development systems, corporate IT, and removable media.

Where a customer contract or applicable law imposes stricter requirements, the stricter requirement prevails. Customer-specific security addenda form part of the compliance baseline for assigned personnel.

  • Corporate and production information systems
  • Endpoints, mobile devices, and removable media used for company business
  • Collaboration tools, email, and messaging platforms
  • Source code repositories, CI/CD pipelines, and artefact stores
  • Physical offices, co-working facilities, and data centre space under our control

3. Definitions

  • Information asset — any data, system, application, or service that stores, processes, or transmits information
  • Sensitive data — confidential, restricted, regulated, or customer data requiring heightened protection
  • Privileged access — administrative or elevated rights that can alter security configuration or access unrelated data
  • Security incident — a confirmed or suspected breach of policy, loss of confidentiality, integrity, or availability
  • Compensating control — alternative safeguard that achieves equivalent risk reduction when a primary control cannot be met

4. Identity standards

Corporate identity, accessed through single sign-on (SSO), is the primary authentication mechanism. Passwords are a fallback permitted only where SSO cannot be used.

5. Password requirements (where passwords are permitted)

  • Minimum 14 characters (or 12 with MFA and breach monitoring)
  • Block commonly breached passwords and dictionary terms
  • No reuse of any of the last 12 passwords, and no reuse of the same password across systems
  • Password managers encouraged; sharing credentials prohibited
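The check below shows how the requirements in section 5 can be enforced at password-change time. It is an added example, not HLD Group code: the breached-password list, the history hash parameters and the account flags are constructed assumptions, and a real deployment would query a breach corpus and the identity provider's stored history instead.

```python
"""Password acceptance check modelled on the section 5 requirements.

Added example, not HLD Group code. BREACHED_OR_DICTIONARY, the PBKDF2
parameters and the Account fields are constructed assumptions.
"""
import hashlib
import unicodedata
from dataclasses import dataclass, field

# Constructed sample blocklist of breached passwords and dictionary terms.
# Matching is case-insensitive after Unicode normalisation.
BREACHED_OR_DICTIONARY = {
    "password", "password1", "welcome1", "letmein", "qwerty123456",
    "summer2026", "hldgroup", "changeme", "admin1234", "p@ssw0rd",
}

HISTORY_GENERATIONS = 12  # policy: none of the last 12 passwords may be reused


def _normalise(pw: str) -> str:
    return unicodedata.normalize("NFKC", pw).strip().lower()


def history_hash(pw: str, salt: bytes) -> str:
    """Salted PBKDF2 digest so the reuse history is not a plaintext list."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000).hex()


@dataclass
class Account:
    mfa_enrolled: bool          # assumption: flag sourced from the IdP
    breach_monitoring: bool     # assumption: account covered by breach monitoring
    salt: bytes
    history: list[str] = field(default_factory=list)  # newest first


def check_password(candidate: str, account: Account) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems: list[str] = []
    norm = _normalise(candidate)

    # Length: 14 by default, 12 only when MFA and breach monitoring are both in place.
    minimum = 12 if (account.mfa_enrolled and account.breach_monitoring) else 14
    if len(candidate) < minimum:
        problems.append(f"shorter than {minimum} characters")

    # Blocklist: reject the term itself and the term padded with trailing digits/symbols
    # (so "Password2026!" is caught, not just "password").
    stem = norm.rstrip("0123456789!@#$%^&*._-")
    if norm in BREACHED_OR_DICTIONARY or stem in BREACHED_OR_DICTIONARY:
        problems.append("matches a commonly breached password or dictionary term")

    # Reuse: compare against the last 12 generations only.
    if history_hash(candidate, account.salt) in account.history[:HISTORY_GENERATIONS]:
        problems.append(f"reused within the last {HISTORY_GENERATIONS} passwords")
    return problems


def record_password(candidate: str, account: Account) -> None:
    """Store the accepted password's history hash and trim to the policy window."""
    account.history.insert(0, history_hash(candidate, account.salt))
    del account.history[HISTORY_GENERATIONS:]


if __name__ == "__main__":
    acct = Account(mfa_enrolled=False, breach_monitoring=False, salt=b"constructed-salt")
    print(check_password("Password2026!", acct))
    print(check_password("correct horse battery staple", acct))
```

Keeping the history as salted hashes rather than plaintext means a leaked history table does not hand an attacker twelve of each user's previous passwords, and trimming it to 12 entries keeps the stored window exactly as wide as the policy requires.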

6. Multi-factor authentication (MFA)

MFA is mandatory for all personnel on email, VPN, IdP, cloud consoles, source control, and customer systems. Phishing-resistant factors (FIDO2, hardware keys) are required for administrators.

  • SMS OTP only where no alternative exists, with risk acceptance
  • MFA bypass codes stored securely and audited
  • Re-registration of MFA devices requires identity verification

7. Service accounts and API keys

Service accounts use managed secrets in vaults with rotation at least every 90 days. API keys are scoped, named, and revoked on decommission.

8. Session management

Administrative consoles time out after 15 minutes of inactivity; sessions on standard applications last at most 8 hours before re-authentication is required. Concurrent session limits apply to privileged tools.

9. Account lockout and monitoring

Failed authentication thresholds trigger lockout and alerting. Password spray and credential stuffing detections feed the SOC workflow.
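The following example shows the two detections section 9 calls for, run over constructed authentication log lines: a per-account failure threshold that produces a lockout, and per-source analysis that surfaces password spray (many accounts, each kept below the lockout threshold) and credential stuffing (high-volume attempts across many accounts, with any success flagged for the SOC). It is an added example, not HLD Group tooling; the policy sets no numeric thresholds, so the thresholds, the log format and the log lines here are all constructed assumptions.

```python
"""Failed-authentication monitoring modelled on section 9.

Added example, not HLD Group tooling. Thresholds, the log line format
and SAMPLE_LOG are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed thresholds (assumptions; the policy states none).
LOCKOUT_FAILURES = 5            # failures per account inside WINDOW -> lockout + alert
WINDOW = timedelta(minutes=15)
SPRAY_MIN_ACCOUNTS = 10         # one source, many accounts, each under the lockout threshold
STUFFING_MIN_ATTEMPTS = 20      # one source, high volume across many accounts

# Constructed log format: "<ISO time> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_START = datetime(2026, 5, 21, 9, 0, 0)


def _line(t: datetime, result: str, user: str, src: str) -> str:
    return f"{t.isoformat()} {result} user={user} src={src}"


SAMPLE_LOG = (
    # one account hammered from one source: 5 failures in 4 minutes -> lockout
    [_line(SAMPLE_START + timedelta(minutes=i), "FAIL", "j.doe", "192.0.2.44") for i in range(5)]
    # a user who mistypes three times and then logs in: no lockout
    + [_line(SAMPLE_START + timedelta(minutes=10 + i), "FAIL", "a.lee", "192.0.2.9") for i in range(3)]
    + [_line(SAMPLE_START + timedelta(minutes=14), "OK", "a.lee", "192.0.2.9")]
    # password spray: one source, 12 accounts, one failure each, paced two minutes apart
    + [_line(SAMPLE_START + timedelta(minutes=2 * i), "FAIL", f"user{i:02d}", "203.0.113.5") for i in range(12)]
    # credential stuffing: one source, 25 accounts in under a minute, then one success
    + [_line(SAMPLE_START + timedelta(seconds=2 * i), "FAIL", f"cust{i:02d}", "198.51.100.7") for i in range(25)]
    + [_line(SAMPLE_START + timedelta(seconds=52), "OK", "cust99", "198.51.100.7")]
)


def parse(line: str) -> tuple[datetime, str, str, str]:
    ts, result, user_kv, src_kv = line.split()
    return datetime.fromisoformat(ts), result, user_kv[len("user="):], src_kv[len("src="):]


def account_lockouts(lines: list[str]) -> dict[str, datetime]:
    """Accounts reaching LOCKOUT_FAILURES within WINDOW, mapped to the lockout time."""
    recent: dict[str, list[datetime]] = defaultdict(list)
    locked: dict[str, datetime] = {}
    for ts, result, user, _src in sorted(map(parse, lines)):
        if result != "FAIL" or user in locked:
            continue
        # sliding window: keep only failures from the last WINDOW, then add this one
        recent[user] = [t for t in recent[user] if ts - t <= WINDOW] + [ts]
        if len(recent[user]) >= LOCKOUT_FAILURES:
            locked[user] = ts
    return locked


def source_verdicts(lines: list[str]) -> dict[str, str]:
    """Per-source verdicts for distributed credential attacks that per-account lockout misses."""
    fails: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    successes: dict[str, set[str]] = defaultdict(set)
    for _ts, result, user, src in map(parse, lines):
        if result == "FAIL":
            fails[src][user] += 1
        else:
            successes[src].add(user)

    verdicts: dict[str, str] = {}
    for src, per_user in fails.items():
        total, distinct, peak = sum(per_user.values()), len(per_user), max(per_user.values())
        if total >= STUFFING_MIN_ATTEMPTS and distinct >= SPRAY_MIN_ACCOUNTS:
            verdict = "credential-stuffing"
        elif distinct >= SPRAY_MIN_ACCOUNTS and peak < LOCKOUT_FAILURES:
            verdict = "password-spray"
        else:
            continue
        if successes[src]:
            verdict += "+success"   # a hit from a flagged source: probable compromised credential
        verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    print(account_lockouts(SAMPLE_LOG))
    print(source_verdicts(SAMPLE_LOG))
```

The point of the second function is that the spraying source never trips the per-account threshold (one failure per user), so lockout alone would stay silent; grouping failures by source is what turns those scattered single failures into an alert, and a success from a flagged source is the event the SOC workflow should prioritise.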

Roles and responsibilities

Executive leadership

The CEO and executive team approve this policy, allocate resources for implementation, and receive quarterly security and compliance summaries.

Chief Information Security Officer (CISO)

The CISO owns the security programme, maintains policies, approves exceptions, and reports material risk to leadership and the board where applicable.

  • Approve standards, run risk assessments, and chair the security steering group
  • Coordinate incident response and regulatory notifications
  • Maintain mappings to SOC 2, ISO 27001, and customer frameworks

IT and engineering

Implement technical controls, operate monitoring, and execute change, backup, and recovery procedures in line with approved standards.

People & culture / HR

Support background checks, onboarding acknowledgements, disciplinary process for policy violations, and offboarding coordination.

All personnel

Complete mandatory training, report suspected incidents within one hour, protect credentials, and follow classification and handling rules.

Enforcement, exceptions, and review

Violations may result in access suspension, disciplinary action up to termination, contract remedies for third parties, and referral to law enforcement where appropriate.

Exception requests must be submitted in writing, include business justification, risk assessment, expiry date, and compensating controls. Exceptions are reviewed at least quarterly.

This policy is reviewed at least annually and upon significant regulatory, organisational, or technology changes. Version history is maintained in the compliance repository.

For contractual attestations or audit packs, contact [email protected].