Electronic Devices and Passwords Policy

From Handcrafted Policy

(continued...)

Passwords

Employees at Handcrafted Projects must access a variety of IT resources, including computers and other hardware devices, data storage systems, and other accounts. Passwords are an important part of our strategy to make sure only authorized people can access those resources and data.

An individual who has access to any of those resources is responsible for choosing strong passwords and protecting his or her login information from unauthorized use.

The purpose of this policy is to make sure all Handcrafted Projects' resources and data receive adequate password protection. It covers all employees who are responsible for one or more accounts or have access to any resource that requires a password.

Password creation

Passwords should be reasonably complex and difficult for unauthorised people to guess.

Passwords should be at least twelve characters long and contain a combination of upper- and lower-case letters, and numbers.

Employees should use common sense when choosing passwords and avoid combinations that are easy to crack, such as common passwords and simple variations of them (e.g. “password,” “1password” and “Pa$$w0rd”; cracking tools undo substitutions such as “$” for “s” and “0” for “o” automatically). Further guidance on avoiding common passwords is available in the Further Resources section at the end of the policy.

It is recommended that employees use methods such as the following to create strong passwords:

  • Pick a phrase, take its initials, replace some of those letters with numbers and other characters, and mix up the capitalisation, making sure the result is at least twelve characters long. For example, the phrase “This may be one way to remember a strong password for work” can become “TmB0WtR4sPfW”.
  • Combine three random words and a number (e.g. “HeartTorchBrick538”).

Employees must choose unique passwords for all Handcrafted accounts and may not use a password that they are already using for a personal account.

Default passwords — such as those created for new employees when they start or those that protect new systems when they’re initially set up — must be changed as quickly as possible.

These requirements will be enforced with software where possible.
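One way the rules above (minimum length, mixed case, digits, no common passwords or simple variations of them, no unchanged defaults) can be enforced in software. This is an added illustration, not a tool the policy or Handcrafted Projects provides; the denylist and the substitution table are constructed assumptions, and a real deployment would load a much larger list of known-breached passwords.

```python
MIN_LENGTH = 12

# Constructed denylist for illustration only; a deployment would load a
# large published list of breached passwords instead.
COMMON_PASSWORDS = frozenset({
    "password", "qwerty", "letmein", "welcome", "iloveyou", "handcrafted",
})

# Character substitutions that password-cracking rule sets undo
# automatically, so "Pa$$w0rd" is judged as if it were "password".
# The table is an assumption chosen for this example.
_LEET = str.maketrans({
    "$": "s", "0": "o", "1": "i", "3": "e", "4": "a",
    "5": "s", "7": "t", "@": "a", "!": "i",
})


def normalise(password: str) -> str:
    """Lower-case the password and undo the common substitutions above."""
    return password.lower().translate(_LEET)


def check_password(password: str, known_defaults: frozenset = frozenset()) -> list:
    """Return the list of policy rules the password violates (empty means it passes).

    known_defaults: initial passwords issued to the user or device, which must
    have been changed (constructed input for this example).
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")

    # Reject anything that merely decorates a common password, e.g. "1password2024!"
    norm = normalise(password)
    for word in COMMON_PASSWORDS:
        if word in norm:
            failures.append(f"based on common password '{word}'")
            break

    if password in known_defaults:
        failures.append("still the default/initial password")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs: two that follow the policy's own methods,
    # two that look "complex" but are trivially crackable.
    for sample in ["TmB0WtR4sPfW", "HeartTorchBrick538", "Pa$$w0rd", "1password2024!"]:
        print(f"{sample!r}: {check_password(sample) or 'OK'}")
```

The normalisation step is the part worth copying: a check that only counts character classes would accept “Pa$$w0rd” and “1password2024!”, both of which fall to a dictionary attack with standard mangling rules within seconds.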

Protecting passwords

Employees may never share their passwords with anyone else in the charity, including co-workers, managers or administrative assistants. Everyone who needs access to a system must create his or her own unique password.

Employees may never share their passwords with any outside parties, including those claiming to be representatives of an organisation with a legitimate need to access a system.

Employees should take steps to avoid phishing scams and other attempts by hackers to steal passwords and other sensitive information. All employees will receive guidance on how to recognize these attacks.

Employees must refrain from writing passwords down and keeping them at their workstations. See above for advice on creating memorable but secure passwords.

Shared accounts should be avoided where possible. If a shared email account is needed, this should be set up by the Support Systems Officer using Gmail’s delegated access function, so that the login credentials can still be owned by a single employee and not shared.

If the security of a password is in doubt – for example, if it appears that an unauthorized person has logged in to the account – the password must be changed immediately.

Compromised Devices and Accounts

Employees should be vigilant for any possible compromise of their devices or accounts. This could take a variety of forms, including:

  • A device that accesses organisational data has been lost or stolen
  • Emails not being sent or received correctly
  • A staff member receives notifications that someone has attempted to change one of their passwords
  • An account or device appears to have been hacked
  • A device has a virus or other malware
  • Any other suspicious activity

Employees should report any possible device/account compromise to the Support Systems Officer and their line manager immediately upon noticing an issue, by phone where possible. The Support Systems Officer will help the employee to assess the cause of the issue and advise on any next steps.

Offboarding

Employees must surrender any Handcrafted-owned devices and account access to the organisation when they stop working for Handcrafted.

The Support Systems Officer will ensure that access to all accounts (e.g. Airtable, Gmail) has been revoked on the employee’s leaving date, and then delete accounts in a timely manner. Employees should make sure that they have copies of important documents such as payslips before their leaving date, and that they have set up email forwarding where appropriate.

Routers

Routers should have their firewall turned on at all times.

Router admin passwords must be changed from the default password immediately upon setup.

Procurement/Setup

Purchase of new organisational devices should be approved via the normal finance process, with the model approved beforehand by the Support Systems Officer to make sure it is in line with any requirements for the job role for which it will be used.

The Support Systems Officer should log any new devices purchased in the IT inventory so that the organisation is able to keep track of devices.

The Support Systems Officer is responsible for initial setup and configuration of the device before it is used, and ensuring that setup is done in a timely manner.

Risks/Liabilities/Disclaimers

Employees must report lost or stolen devices to their line manager and the Social Impact and Support Systems Officer immediately upon noticing the loss, and in any case within 24 hours. Employees are responsible for notifying their mobile carrier immediately upon loss of a device.

The employee is expected to use his or her devices in an ethical manner at all times and adhere to the company’s acceptable use policy as outlined above.

The employee is personally liable for all costs associated with his or her device.

The employee assumes full liability for risks including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable.

Handcrafted Projects reserves the right to take appropriate disciplinary action up to and including termination for noncompliance with this policy.

Further Resources