Last Updated: August 18, 2025
1. Purpose
This policy establishes standards and procedures for creating, managing, and protecting passwords used to access TheAgencyFounder’s platforms, applications, and databases. The goal is to safeguard confidential information, prevent unauthorized access, and maintain compliance with Meta’s Third Party Assessment (TPA) requirements.
2. Scope
This policy applies to:
- All employees, contractors, partners, and third parties with access to TheAgencyFounder’s systems.
- All systems, applications, and databases owned, leased, or operated by TheAgencyFounder.
- Any third-party platforms integrated with TheAgencyFounder’s operations.
3. Roles and Responsibilities
- System Administrators: Enforce password settings, monitor compliance, and perform regular security checks.
- Employees & Contractors: Create and maintain secure passwords in accordance with this policy.
- Third-Party Vendors: Comply with the same password standards if granted system access.
4. Password Creation Guidelines
All passwords must:
- Contain at least 12 characters.
- Include uppercase and lowercase letters, numbers, and special characters.
- Avoid easily guessable information (e.g., names, birthdays, common words).
- Be unique for each account/system.
5. Password Change Requirements
- Change passwords every 90 days or sooner if a compromise is suspected.
- Never reuse the last 5 passwords.
- Change immediately after a role change, contract termination, or security incident.
6. Password Storage and Transmission
- Passwords must never be stored in plain text.
- Use only approved password managers (e.g., 1Password, LastPass Business).
- Never share passwords via email, chat, or unsecured documents.
- Transmission of passwords must be encrypted using TLS 1.2 or higher.
7. Multi-Factor Authentication (MFA)
- MFA is mandatory for all critical systems and administrative accounts.
- MFA methods may include mobile authenticator apps, hardware tokens, or SMS (where approved).
8. Monitoring and Compliance
- Password usage will be audited quarterly.
- Non-compliance will result in access revocation until corrective measures are taken.
- Repeated violations may lead to disciplinary action.
9. Incident Response for Compromised Passwords
If a password compromise is suspected:
- Immediately notify the IT/Security team.
- Change the password for the affected account(s).
- Conduct a forensic review to assess impact and prevent recurrence.
- Follow Meta’s breach notification requirements if applicable.
10. Exceptions
Any exceptions to this policy must be documented, approved by the Security Manager, and reported in the Meta TPA documentation.
11. Review and Updates
This policy will be reviewed annually or whenever significant changes occur to systems, regulations, or Meta’s TPA requirements.