Introduction
anDREa is committed to protecting the security of its business information in the face of incidents and unwanted events and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC 27001:2013, the international standard for information security.
The purpose of this document is to describe anDREa’s Log-On Policy, of which the Password Policy is a subset.
This document will be updated at least annually and whenever a significant change occurs.
Log-On Policy
Scope
This policy applies to all personnel who have or are responsible for an account that has access to any service and system of anDREa. Notably, this consists of accounts of anDREa personnel registered under the ‘andrea.org’ domain. This policy also applies to accounts from tenant domains where enforceable. Accounts of end-users are not included in this scope, though their guest accounts in the anDREa AAD are.
Password Policy
Multi-Factor Authentication Policy
- Use of multi-factor authentication is required for all accounts.
- The CTO can make exceptions; these are documented in Policy Exceptions.
Access Policy
All traffic must use encrypted access paths (TLS-based network encryption).