This document applies to the Karma username and password used to log in to a Karma-owned computer. This username and password will also be used for applications that are set up for Single Sign-On (SSO).
____________________________________________________________________________________________________________
Policy
Passwords are a vital part of data and systems security management and it is imperative all Karma employees use passwords responsibly.
All employees who utilize desktops and laptops must use passwords to access resources on Karma’s network. All passwords will be controlled and changed on a regular basis. For purposes of this policy, "Employee" is defined as anyone who uses the Company network, including temporary employees or contractors.
Karma has established the following policy and guidelines for creating and maintaining system passwords for all IT managed systems.
Notification of Password Expiration
Karma employees will receive an email notification prior to their login password expiration:
Current Password Creation and Protection Requirements
Passwords are the front line of protection for user accounts. A poorly chosen password may result in the compromise of network resources. As such, users (including consultants and contractors with access to Karma systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
- Users must choose passwords that are easy to remember, but not easily guessed, e.g., a unique song lyric or poem containing numbers with special characters inserted.
- Make sure passwords are case sensitive and the username or login ID is not case sensitive.
Avoid using the following:
- Any single word found in the dictionary as a password (e.g. Password1, secret1).
- Names of family, pets, friends, coworkers, etc.
- Birthdays or other personal information, such as an address, a phone number, or social security numbers.
- Easily guessed patterns such as 123321, aaabbb, qwerty, etc.
- The words "{Company Name}", "{Name}", or any other words directly related to the Company.
- Users must not use the same password for Karma Automotive accounts as for other non-company accounts, e.g., personal bank accounts or personal email accounts.
- User accounts that have system-level privileges granted through group memberships or programs, such as sudo, must have a unique password from all other accounts held by that user to access system-level privileges.
- Passwords for an individual user account should not be shared with anyone, including administrative assistants, secretaries, managers, co-workers, or family members, at any time. All passwords are to be treated as sensitive, confidential Karma information.
- Passwords must not be revealed by phone or by any readable form, such as on a screen, on paper, or any other form that would make them potentially accessible by unauthorized personnel.
- Passwords should be memorized and not written down anywhere.
- Passwords are not to be displayed on or near the monitor.
- Do not use the "Remember Password" option on web pages, particularly for those that are non-Karma web sites (e.g. ADP).
- Users must not write down or otherwise store their password in an unprotected manner (e.g. unencrypted). A file-level password (such as using the password function of Excel, Word, etc.) is NOT a secure way to protect confidential information and should NOT be used.
- Users should be in the habit of not leaving their computers unlocked. Windows users can press the CTRL-ALT-DEL keys and select "Lock Computer."
- Report an Issue. If a user knows or suspects that their password has been shared or compromised, it must be changed immediately (for every account that uses the same password). The person must notify the Help Desk and System Administrator immediately for appropriate security measures to be taken.
Your Windows login password requires certain levels of complexity, including the following:
- Be seven (7) characters long, and
- Contain a combination from 3 of the following: one upper-case letter, one lower-case letter, one (1) number, one (1) special character.
- Cannot be the same as the previous 4 passwords used
- Must be reset every 90 days
- Must meet complexity requirement
In addition to the above policies, Microsoft has set in place its own complexity requirements that a password must adhere to. If your password does not meet the above listed requirements or Microsoft’s complexity requirements you will get the message below:
“Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain”
TIP: In order to avoid interruption in work, we suggest setting a reminder for yourself to reset your password prior to expiration.
Remote users under BYOD Policy
Employees and contractors who work remotely and provide their own laptop/desktop for work may be excepted from the 90-day password expiration policy. This is strictly due to limitations of accessing the company domain via VPN on an internet browser. Please contact Help Desk with any questions about this.
Remote users with Karma-owned hardware
Employees and contractors who work remotely on a Karma-owned laptop or desktop will need to reset their password prior to the expiration by connecting to VPN. Please follow these steps to reset your password:
- Open the CATO VPN
- Connect to VPN by clicking "Sign in with Azure" connect and signing in with your current Windows
- Press Ctrl+Alt+Delete and select the option to Change a Password.
Working remotely prevents connecting to the domain after a password expiration. You will not be able to log in to your computer if your password expires while working remotely. If you are experiencing this issue, open a Help Desk ticket for support here.
Info: Karma uses Okta for multi-factor authentication. All users are responsible for setting up a minimum of three verification options for multi-factor authentication. Please refer to the Okta set up video here for guidance on how to set these up.