Password Management SOP


Free, customisable Password Management SOP for mid-market Australian businesses. Copy, customise, and start using immediately. Built by Harvard-educated automation experts.

5 min setup time | 100% customisable | 50+ businesses served | Free (no cost)

Setup Time: 10 minutes | Complexity: simple | Tools: Slack, Notion

Template

Copy this template and customise it for your business.

# Password Management SOP

## Purpose
Implement this SOP across your organisation to reduce the security risks that come from weak passwords, shared credentials, and inadequate access controls.

## When to Use
Use this procedure whenever passwords or access credentials are created, stored, shared, or rotated; it sets out the approved tools and the security requirements that apply.

## Instructions
1. Review the template below and familiarise yourself with the structure
2. Replace all [bracketed placeholders] with your business details
3. Customise the tone and formatting to match your brand
4. Save in your preferred tool (Slack or Notion)

---

## Password Management Standard Operating Procedure

### 1. Purpose and Scope
This SOP defines how the business creates, stores, shares, and rotates passwords and access credentials. Poor password practices are one of the most common causes of security breaches in mid-market businesses. This procedure applies to all team members and all business accounts, systems, and tools.

### 2. Roles and Responsibilities
- **IT Administrator (or Operations Manager):** Manages the password management tool, conducts quarterly access reviews, and handles credential-related incidents.
- **All Team Members:** Responsible for creating strong passwords, using the approved password manager, and reporting any suspected credential compromises immediately.
- **Director/Owner:** Approves access to sensitive systems and signs off on the annual access review.

### 3. Prerequisites
- Business password manager account provisioned (e.g., 1Password, LastPass Business, or Bitwarden)
- All team members have installed the password manager browser extension and mobile app
- Multi-factor authentication (MFA) enabled on the password manager itself

### 4. Procedure

**Step 1: Use the Approved Password Manager**
All business passwords must be stored in the approved password manager. Never store passwords in:
- Browser auto-fill (unless managed by the password manager extension)
- Spreadsheets, documents, or notes
- Sticky notes, notebooks, or whiteboards
- Email or chat messages (including Slack)

**Step 2: Create Strong Passwords**
Use the password manager's generator to create passwords for all new accounts. Minimum requirements:
- 16 characters minimum
- Mix of uppercase, lowercase, numbers, and symbols
- Unique for every account (never reuse passwords)
- No personal information (names, birthdays, pet names)

For passwords that must be memorised (e.g., the password manager master password), use a passphrase of 4+ random words in the style of "correct-horse-battery-staple", with added complexity (a capital, a symbol, or digits). Because that example phrase is widely published, never use it verbatim; generate your own words.
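The following is an added example, not part of the template: a small Python helper that checks a password against the Step 2 requirements (16-character minimum, all four character classes, no personal terms, no reuse) and generates a 4+-word passphrase with the added complexity described above. The word list embedded here is a constructed sample so the code runs offline; a real deployment would load a large published list (assumed to be a diceware-style list of about 7776 words), and the `passphrase_entropy_bits` helper shows why list size matters.

```python
"""Password policy helpers for Step 2 of the SOP (added example, not part of the template)."""
import math
import re
import secrets

MIN_LENGTH = 16  # minimum length required by Step 2
MIN_WORDS = 4    # minimum number of words in a memorised passphrase

# One regex per required character class; all four must match.
CLASS_PATTERNS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed sample word list so the example runs offline. A real deployment
# would load a large published list (assumption: a ~7776-word diceware list).
SAMPLE_WORDS = [
    "anchor", "basket", "copper", "dragon", "ember", "falcon", "garnet",
    "harbor", "island", "jungle", "kettle", "lantern", "marble", "nectar",
    "orbit", "pepper", "quartz", "ripple", "saddle", "timber", "umber",
    "velvet", "walnut", "yonder", "zephyr", "cobalt", "meadow", "pebble",
]


def check_password(password, personal_terms=(), previously_used=()):
    """Return the list of Step 2 violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASS_PATTERNS.items():
        if not pattern.search(password):
            problems.append(f"missing {name} character")
    lowered = password.lower()
    for term in personal_terms:
        # Ignore very short terms so two-letter initials do not cause false matches.
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term {term!r}")
    if password in previously_used:
        problems.append("reused password")
    return problems


def generate_passphrase(words=SAMPLE_WORDS, count=MIN_WORDS, separator="-"):
    """Build a memorisable passphrase: `count` random words, one capitalised,
    followed by a symbol and two digits (the SOP's "added complexity").

    `secrets` is used rather than `random` because `random` is not
    cryptographically secure. The suffix also makes the result satisfy the
    character-class rules checked by check_password.
    """
    if count < MIN_WORDS:
        raise ValueError(f"passphrase needs at least {MIN_WORDS} words")
    chosen = [secrets.choice(words) for _ in range(count)]
    idx = secrets.randbelow(count)
    chosen[idx] = chosen[idx].capitalize()
    return f"{separator.join(chosen)}!{secrets.randbelow(100):02d}"


def passphrase_entropy_bits(word_count, list_size):
    """Entropy of `word_count` words drawn uniformly from `list_size` words.

    The capital/symbol/digit suffix is deliberately not counted; the words
    carry the strength, and a small list gives weak passphrases however many
    symbols are bolted on.
    """
    return word_count * math.log2(list_size)


if __name__ == "__main__":
    for candidate in ["password123", "Vq7!mRx2#pLw9$Kz3e"]:
        print(candidate, "->", check_password(candidate) or "OK")
    phrase = generate_passphrase()
    print("generated:", phrase, "->", check_password(phrase) or "OK")
    print("4 words from the sample list:",
          round(passphrase_entropy_bits(4, len(SAMPLE_WORDS)), 1), "bits")
    print("4 words from a 7776-word list:",
          round(passphrase_entropy_bits(4, 7776), 1), "bits")
```

The entropy figures are the practical takeaway: four words from the 28-word sample list give under 20 bits, while four words from a 7776-word list give roughly 52 bits, which is why the master passphrase should come from a large list rather than a handful of familiar words.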

**Step 3: Enable Multi-Factor Authentication (MFA)**
Enable MFA on every system that supports it, prioritising:
1. Email accounts
2. Financial systems (Xero, banking)
3. CRM and client data systems
4. Cloud storage
5. Social media accounts

Use an authenticator app (not SMS) as the preferred MFA method. Store backup codes in the password manager.

**Step 4: Share Credentials Securely**
When a team member needs access to a shared account:
1. Use the password manager's secure sharing feature to grant access
2. Set the minimum access level required
3. Never share passwords via email, Slack, text message, or verbally
4. Record the access grant in the Access Register (Notion)
5. Remove access promptly when it is no longer needed

**Step 5: Rotate Passwords**
Rotate passwords on the following schedule:
- Critical systems (email, banking, admin accounts): Every 90 days
- Standard business systems: Every 180 days
- Shared accounts: Immediately when a team member with access leaves the business

The IT Administrator sends rotation reminders via Slack one week before each deadline.

**Step 6: Revoke Access When Team Members Leave**
On an employee's last working day (coordinated with the offboarding workflow):
1. Disable their password manager account
2. Change passwords on any shared accounts they accessed
3. Revoke their access to all business systems
4. Update the Access Register in Notion
5. Verify revocation is complete within 24 hours

**Step 7: Respond to Credential Compromise**
If a password may have been compromised (phishing attempt, data breach notification, suspicious activity):
1. Change the affected password immediately
2. Notify the IT Administrator via Slack (#it-alerts)
3. Check for unauthorised access in the system's login history
4. If client data may be affected, escalate to the Director and follow the Incident Response SOP
5. Change any other accounts where the same or similar password was used

### 5. Prohibited Practices
- Writing passwords on paper or sticky notes
- Sharing passwords via email, chat, or verbally
- Using the same password across multiple accounts
- Using personal passwords for business accounts
- Disabling or bypassing MFA without IT Administrator approval

### 6. Revision History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | [Date] | [Author] | Initial release |

### 7. Related Documents
- Access Register (Notion)
- Employee Offboarding Workflow
- Incident Response SOP
- Acceptable Use Policy

---

**Complexity:** simple | **Setup time:** 10 minutes | **Tools:** Slack, Notion

How to Use This Template

Follow these steps to get the most out of this template.

1. Copy the Password Management SOP template above and paste it into your preferred tool or document
2. Review each section to ensure it matches your brand voice and requirements
3. Save the customised version as a reusable template in your document management system
4. Schedule a quarterly review to update the template based on feedback and changing requirements
5. Set up automation triggers to populate dynamic fields automatically using your existing tools

Customisation Tips

Make this template your own with these recommendations.

- Connect dynamic fields to your CRM or automation platform for auto-population
- Remove any sections of the Password Management SOP that do not apply to your specific use case
- Add your company logo, colours, and branding elements where indicated
- Replace all placeholder text in [brackets] with your actual business information

Need This Template Automated?

Let our Harvard-educated team build this into a fully automated workflow for your business. 50+ Australian businesses already trust Clever Ops.