Password and Authentication
Define authentication expectations, MFA use, password handling, and exceptions.
Policy intent
Access policy should make permissions intentional, reviewable, and removable. It should prevent accounts from surviving role changes simply because nobody owns the cleanup.
Minimum content
- Define who and what the policy covers, including systems, data, tools, users, vendors, and exceptions.
- Joiner, mover, and leaver handling.
- MFA and credential handling expectations.
- Privileged access approval and review.
- Exception expiration and removal evidence.
Expected output
A policy page that states expectations clearly enough to guide approval, exception, and review decisions.
Common failure mode
Leaving access active because ownership, expiration, or review evidence is unclear.
Use notes
| Topic | Note |
|---|---|
| Authority | Identify who can approve, deny, and grant exceptions. |
| Exception handling | Give exceptions an owner, reason, expiration, and review date. |
| Review point | Review when law, tools, contracts, ownership, or operational risk changes. |
Related pages
- Access Review Log: Track access review findings, approvals, removals, and exceptions.
- Vendor Access Checklist: Control third-party access from request to removal.
- Access Review: Define how access is reviewed, changed, approved, and removed.
- Remote Work: Set expectations for access, devices, communication, security, and availability away from site.
- Retention Exception: Define when records may be kept longer or removed sooner than the standard rule.