Password and Multi-Factor Authentication Policy

Purpose

This policy establishes minimum standards for password creation, password protection, multi-factor authentication (MFA), account recovery, and user responsibilities to reduce the risk of unauthorized access, data loss, payroll fraud, and business disruption. The policy is intended to support secure access to company systems while respecting employee rights and applicable legal requirements, including the ADA interactive process for accommodation requests, Title VII protections under the EEOC framework, FLSA timekeeping integrity, and NLRA Section 7 rights. Where state or local law provides additional requirements, the company will apply the stricter standard. California employees: privacy and notice obligations under the CCPA may apply to authentication and account recovery data. The company will not use this policy to interfere with protected concerted activity under the NLRA or to restrict lawful wage discussions, complaints, or other protected rights.

Scope

This policy applies to all employees, contractors, temporary workers, interns, and any other person granted access to company systems, including email, HRIS, payroll, finance, customer systems, cloud applications, and remote access tools. Applicable roles include employees with standard access, managers approving access changes, IT administrators performing resets or provisioning, and HR or payroll staff handling identity verification for account recovery. California employees: any collection, storage, or use of authentication-related personal information must be limited to legitimate business purposes and handled in accordance with applicable privacy law. New York, Illinois, Washington, and other state-specific employment or privacy rules will be followed where they impose additional obligations.

Policy

1. **Password standards**
   - Passwords must be unique for each system and must not be reused across company or personal accounts.
   - Passwords must be at least 14 characters unless a system has a longer minimum requirement.
   - Passwords must not include the employee's name, username, birth date, repeated patterns, common words, or easily guessed phrases.
   - Passwords must not be shared, written on visible notes, stored in unsecured files, or transmitted in plain text.
   - Password managers approved by IT may be used.
2. **MFA requirements**
   - MFA is required for all remote access, email, payroll, HR, finance, privileged/admin access, and any system designated by IT Security.
   - Approved MFA methods include authenticator apps, hardware security keys, and other company-approved phishing-resistant methods.
   - SMS-based MFA may be allowed only when no stronger method is available and must be approved by IT Security.
   - Users must not approve unexpected MFA prompts and must report suspicious prompts immediately.
3. **Account recovery controls**
   - Password resets and account recovery must follow documented identity verification steps before access is restored.
   - IT or HR may require verification through company records, manager confirmation, government-issued identification review, callback procedures, or other approved methods.
   - Recovery requests involving payroll, banking, or benefits systems require heightened verification and manager or HR approval where appropriate.
   - Shared accounts are prohibited unless specifically approved for a business need and controlled by IT.
4. **User responsibilities**
   - Users must protect credentials, lock devices when unattended, and log out of shared or public devices.
   - Users must immediately report suspected phishing, lost devices, unauthorized access, or accidental disclosure of credentials.
   - Users must complete required security training and MFA enrollment by the stated deadline.
   - Users must cooperate in good faith with investigations, resets, and verification steps.

Procedure

1. **Password creation and change process**
   - During account setup, users must create a unique password that meets the minimum length and complexity requirements.
   - IT systems should block commonly used or compromised passwords where technically feasible.
   - Passwords must be changed immediately if compromise is suspected or confirmed.
2. **MFA enrollment and use**
   - New users must enroll in MFA before receiving production access.
   - Existing users must enroll by the deadline communicated by IT Security.
   - If a user loses access to an MFA device, the user must notify IT immediately and complete the approved recovery process.
3. **Account recovery and reset**
   - The help desk or designated verifier must confirm identity using the approved verification checklist before resetting credentials.
   - High-risk accounts require step-up verification and may require manager, HR, or security approval.
   - Recovery records must be documented, including date, verifier, method used, and any exceptions approved.
4. **Accommodation requests**
   - Employees who need an alternative authentication method due to a disability or medical limitation may request a reasonable accommodation.
   - HR and IT will engage in the interactive process to determine whether an effective alternative control can be provided without creating undue hardship or unacceptable security risk.
   - Temporary accommodations may be used while the request is reviewed.
5. **Incident reporting**
   - Suspected phishing, credential theft, or unauthorized access must be reported immediately to IT Security and the employee's manager.
   - IT Security will assess whether account lockout, forced reset, device review, or broader incident response steps are required.
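The password standards in the Policy section and the "block commonly used or compromised passwords" step above describe checks that a provisioning or reset system can enforce automatically. The following is an added example, not part of the policy template or any product it references: a checker that applies the stated rules (14-character minimum, no username, name or birth-date fragments, no repeated patterns, no common words, and rejection of passwords found in a compromised-password corpus). The `UserContext` class, the `COMMON_WORDS` list and the `COMPROMISED_SHA1` set are constructed for the example; a real deployment would load the denylist and the breach hashes from maintained feeds.

```python
"""Password-standard checker: added example, not part of the policy template."""
import hashlib
import re
from dataclasses import dataclass

MIN_LENGTH = 14  # policy minimum; individual systems may enforce a longer one

# Constructed stand-in for a compromised-password corpus. Only hashes are kept so
# the plaintext entries never need to be stored alongside the checker.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("correcthorsebatterystaple", "Welcome2024!Welcome", "password12345678")
}

# Constructed short denylist of common words the policy forbids inside a password.
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "company")


@dataclass
class UserContext:
    """Identity attributes the policy says a password must not contain (assumed shape)."""
    username: str
    full_name: str
    birth_date: str  # ISO format, e.g. "1990-04-12"


def _identity_fragments(ctx: UserContext) -> list[str]:
    """Lower-cased substrings derived from the user's identity that must not appear."""
    frags = [ctx.username.lower()]
    frags += [t for t in ctx.full_name.lower().split() if len(t) >= 3]
    year, month, day = ctx.birth_date.split("-")
    frags += [year, month + day, day + month, year + month + day]
    return frags


def check_password(password: str, ctx: UserContext) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations: list[str] = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    for frag in _identity_fragments(ctx):
        if frag in lowered:
            violations.append(f"contains identity fragment '{frag}'")

    # Any substring repeated three or more times in a row ("abcabcabc", "1111").
    if re.search(r"(.+?)\1{2,}", password):
        violations.append("contains a repeated pattern")

    for word in COMMON_WORDS:
        if word in lowered:
            violations.append(f"contains common word '{word}'")

    # Compare by hash so the candidate password is never written anywhere in clear.
    if hashlib.sha1(password.encode()).hexdigest() in COMPROMISED_SHA1:
        violations.append("appears in the compromised-password corpus")

    return violations


if __name__ == "__main__":
    ctx = UserContext(username="jsmith", full_name="Jane Smith", birth_date="1990-04-12")
    for candidate in ("violet-quartz-lantern-47", "jsmith-loves-coffee!", "abcabcabcabcab"):
        result = check_password(candidate, ctx)
        print(candidate, "->", "accepted" if not result else "; ".join(result))
```

The checker reports every violated rule rather than stopping at the first, which is what a user-facing reset flow needs so the person can fix all problems in one attempt. The identity-fragment check is deliberately substring-based and case-insensitive; very short usernames will therefore match broadly, and a real deployment would set a minimum fragment length appropriate to its account naming scheme.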

Roles & Responsibilities

**Employees and contractors**
- Create and protect strong passwords.
- Use MFA as required.
- Report suspected compromise immediately.
- Complete training and follow recovery steps in good faith.

**Managers**
- Ensure team members complete required enrollment and training.
- Escalate access issues that may affect essential functions or business continuity.

**IT Security / IT Administrators**
- Configure password and MFA controls.
- Maintain approved recovery procedures and logs.
- Review exceptions and security incidents.
- Implement technical controls to detect weak or compromised passwords where feasible.

**HR / Payroll / Compliance**
- Support identity verification for sensitive recovery requests.
- Coordinate accommodation requests through the interactive process.
- Preserve records consistent with retention and privacy requirements.

**Policy holder**
- Review the policy annually and approve updates based on legal, operational, or security changes.

Compliance, Exceptions, and Discipline

Failure to comply with this policy may result in access suspension, mandatory retraining, documented warning, a performance improvement plan (PIP), or other corrective action up to and including termination, subject to applicable law and any collective bargaining agreement. Exceptions must be documented, time-limited, approved by IT Security and HR or Compliance, and reviewed for risk. Any exception for an ADA-related accommodation must be handled through the interactive process and documented separately from disciplinary matters. This policy will be applied in a manner consistent with the NLRA, including employees' rights to engage in protected concerted activity, and will not be used to discourage lawful wage discussions or workplace complaints. FLSA-related timekeeping, overtime, and classification issues must be escalated promptly if access controls affect work hours or off-the-clock activity. California employees: any disciplinary or access decision involving personal data or device access must be reviewed for CCPA and other applicable privacy obligations. Where state law provides greater protection, the company will follow the more protective rule.

Review & Revision

This policy will be reviewed at least annually and updated as needed based on security incidents, audit findings, legal changes, or changes to business systems. The policy holder is responsible for maintaining the current version, documenting revisions, and communicating material changes to affected users. Version history, approval dates, and exception logs should be retained according to the company's record retention schedule and applicable legal requirements.
