Purpose

This policy outlines the requirements for secure access to Bright World Guardianships’ systems, including password creation, storage, and acceptable system usage.

Scope

This policy applies to all staff, contractors, partners, and anyone with access to company systems, devices, data, or networks.

Policy

2.1 General System Use

All systems may only be used for authorised business purposes.

Users must log out of devices or lock screens when leaving workstations unattended.

Only company-approved devices and software may be used to access internal systems.

USB storage devices are discouraged and must be encrypted if used.

2.2 Password Creation Requirements

Passwords must meet the following minimum standards:

  • At least 12 characters long
  • Must include upper- and lower-case letters, numbers, and symbols
  • Must not contain easily guessable information (name, birthday, company name, etc.)
  • Must be unique and not reused across other websites or services

2.3 Multi-Factor Authentication (MFA)

MFA is mandatory for Office 365 and all systems that support it.

Users must maintain access to their MFA device and report immediately if it is lost or compromised.

2.4 Password Management

  • Passwords must never be written down or stored in unencrypted documents.
  • Approved password managers (if used by the company) must be configured with a master password following this policy.
  • Passwords must not be shared with any other staff member or external individual.
  • If a password is suspected to be compromised, it must be changed immediately and the incident reported.

2.5 Password Change Frequency

Bright World Guardianships follows modern security guidance:

Passwords do not need to be changed on a fixed schedule.

They must be changed whenever:

  • There is suspicion of compromise
  • A device used to access systems is lost or stolen
  • IT requests a reset due to a security event

2.6 Access Control

Access levels will be based on the principle of least privilege.

When an employee or contractor leaves the company, their system access will be removed immediately.

Shared accounts should be avoided; if necessary, they must be tightly controlled and monitored.

2.7 System Monitoring

Bright World Guardianships reserves the right to monitor system activity, login attempts, and usage logs for security and compliance.

2.8 Breaches & Incident Reporting

All suspected security incidents—including lost devices, compromised passwords, or unusual system behaviour—must be reported immediately to the IT lead and/or Data Protection Officer.

We are committed to reviewing our policy and good practice annually.

This policy was last reviewed on: 6th April 2025

Signed: Lana Foster, CEO, DSL
