User and device authentication to information systems is protected by passwords that meet IllumiDesk's password policy guidelines. For systems involved in payment card processing, IllumiDesk requires those systems and system users to change passwords quarterly.
By ensuring passwords are implemented when and where appropriate, sensitive and valuable data is protected from unauthorized access and use. Enforcing IllumiDesk's password complexity requirements further protects that data by reducing the risk of brute force and dictionary attacks that aim to guess user passwords.
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting IllumiDesk.com and its subdomains. This may include third-party systems that support the business of IllumiDesk.com.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Password Authentication control issue.
Examples of evidence an auditor might request to satisfy this control:
Copy of IllumiDesk's password policy and the Okta/1Password handbook entries
Samples of service minimum password requirements, especially for Okta, which manages identify for many SaaS services used by IllumiDesk
Samples of service password change requirements and/or logs demonstrating passwords are changed on a quarterly basis