Add password policy

.vitepress/config.mjs

@@ -118,6 +118,10 @@ export default defineConfig({
             text: "Information Security Roles and Responsibilities",
             link: "/security/information-security-roles-and-responsibilities",
           },
+          {
+            text: "Password policy",
+            link: "/security/password-policy",
+          },
         ],
       },
     ],

handbook/company/leadership.md

@@ -12,5 +12,6 @@ This document contains information about the leadership team at Tuist (roles and
 | ---- | ---- | ---- |
 | Chief Executive Officer (CEO) | The CEO is responsible for the overall vision and strategy of the company. | Pedro Piñera |
 | Chief Technology Officer (CTO) | The CTO is responsible for the technical vision and strategy of the company. | Marek Fort |
+| Chief Information Officer (CIO) | The CIO is responsible for the company's information technology strategy. | Marek Fořt |
 | Chief Information Security Officer (CISO) | The CISO is responsible for the company's information security strategy. | Marek Fořt |
 | Compliance Officer (CO) | The Compliance Officer is responsible for ensuring that the company complies with all relevant laws and regulations. | Pedro Piñera |

handbook/company/services-and-tools.md

@@ -16,3 +16,7 @@ We use [Vanta](https://vanta.com) to automate our security compliance. Vanta hel
 
 ### CanIPhish
 We use [CanIPhish](https://caniphish.com/) to provide security trainings to employees. We use them because they offer a reasonable and open pricing model.
+
+### 1Password
+
+We use [1Password](https://1password.com) to store and manage our passwords securely. 1Password helps us generate strong and unique passwords for each account, and it provides us with a secure vault to store sensitive information. We chose 1Password because it's a trusted and reliable password manager that helps us protect our data.

handbook/people/onboarding.md

@@ -10,6 +10,11 @@ This document contains the onboarding process for new Tuist staff. The onboardin
 
 ## Security
 
+### Training
 To ensure the security of Tuist, you are required to complete the following training modules at [caniphish.com](https://caniphish.com/):
 - Cyber-security
 - Device-security
+
+### 1Password
+
+You'll get access to our 1Password vault, which contains all the necessary credentials and information you need to get started at Tuist. Make sure to follow the password policy outlined in the [Password Policy](/security/password-policy) document.

handbook/security/password-policy.md

@@ -0,0 +1,43 @@
+---
+title: Password policy
+titleTemplate: :title | Security | Tuist Handbook
+description:
+---
+
+# Password policy
+
+At Tuist, protecting our systems and data is a top priority. To ensure security, all employees must adhere to the following password requirements:
+
+## Password Requirements:
+
+- **Minimum Length:** Passwords must be at least 12 characters long.
+- **Complexity:** Passwords must include at least three of the following:
+  - Uppercase letters (A-Z)
+  - Lowercase letters (a-z)
+  - Numbers (0-9)
+  - Special characters (!, @, #, $, etc.)
+- **Avoid Common Passwords:** Do not use easily guessable passwords (e.g., "password," "123456," names, or birthdays).
+- **Unique Passwords:** Each account must have a unique password. Never reuse passwords across different services or accounts.
+
+## Password Storage
+
+- **Use of Password Managers:** Employees are required to use [1Password](https://1password.com) for storing and generating passwords securely.
+- **No Written or Shared Passwords:** Passwords must never be written down or shared. If you need to grant access, use secure methods (e.g., temporary access management tools).
+
+## Password Updates
+
+- **Regular Updates:** Passwords should be updated every 90 days, or immediately if a potential breach is suspected.
+- **Compromised Passwords:** If a password is suspected to be compromised, it must be changed immediately and reported to the CISO.
+
+## Multi-Factor Authentication (MFA)
+
+- **Mandatory MFA:** All employees must enable Multi-Factor Authentication (MFA) wherever possible for added security, particularly for sensitive systems (e.g., email, project management tools, cloud storage).
+
+## Monitoring and Compliance
+
+- **Random Audits:** The CIO will perform periodic audits to ensure compliance with the password policy.
+- **Non-Compliance:** Failure to comply with the password policy may result in disciplinary action.
+
+## Reporting Security Incidents
+
+If you suspect any suspicious activity, security breaches, or compromised passwords, report it immediately to the CIO or CISO.