# Password Management Policy
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |

| Field | Details |
|---|---|
| Document Type | Policy |
| Owner | CISO |
| Classification | Confidential |
| Review Cycle | Annual |

Document #: SP-PMP-026 | Version: V1.2 | Issue Date: 05/09/2025

## Document Creation

| Field | Details |
|---|---|
| Document # | SP-PMP-026 |
| Document Title | Password Management Policy |
| Version | V1.2 |
| Confidentiality Level | Class 2 (Private Data / Confidential) |
| Date Created | 26/03/2021 |
| Issue Date | 05/09/2025 |
| Document Owner | Chief Information Security Officer |
| Author(s) | Simpaisa |
| Purpose | To ensure that Password Management Policy is implemented |
| Authorised By | Yassir Pasha |

## Steering Committee

| Name | Role |
|---|---|
| Yassir Pasha | Chief Executive Officer |
| Kamil Shaikh | Chief Operating Officer |
| Osama Hashmi | Chief Financial Officer |
| Bachir Njeim | Chief Strategy and Operations Officer |
| Saqlain Raza | Acting Chief Technology Officer |
| Rizwan Zafar | Chief Product Officer |
| Ahsan Hussain | Payment Channel Partnerships |
| Danish Abdul Hameed | Chief Information Security Officer |
| Shahroze Khan | Head of International Merchant Sales and Strategic Alliances |
| Noor Ali | Country Head Pakistan |
| Shoukat Bizinjo | Global Head of Regulatory Affairs — Regulatory |

## Change Control

| Version | Date of Issue | Author(s) | Brief Description of Changes | Approved By |
|---|---|---|---|---|
| V1.0 | 08/04/2021 | Rizwan Zafar | Initial release | Salim Karim |
| V1.1 | 07/02/2022 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 02/02/2023 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 27/09/2024 | Syed Zubair Ahmed | Annual review | Yassir Pasha |
| V1.2 | 05/09/2025 | Simpaisa | Annual review | Yassir Pasha |

## 1. Purpose

The purpose of this policy is to establish a standard for creating strong passwords, the protection of those passwords, and the frequency of change.

## 2. Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Simpaisa facility, has access to the Simpaisa network, or stores any non-public Simpaisa information.

## 3. Policy

### Policy Definitions

- All system-level passwords (e.g., root, enable, NT Admin, application administration accounts, etc.) must be changed on at least a quarterly basis.
- All production system-level passwords must be part of the Simpaisa IT administered global password management database.
- All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months. The recommended change interval is every four months.
- User accounts that have system-level privileges granted through group memberships or programmes such as sudo must have a unique password from all other accounts held by that user.
- Passwords must not be inserted into email messages or other forms of electronic communication.
- Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public", "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).
- All user-level and system-level passwords must conform to the guidelines described below.
- Passwords must not be shared with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential Simpaisa information.
- Passphrases are used for user accounts. A passphrase is a sequence of words or other text used to control access to a computer system, programme or data. A passphrase is similar to a password in usage, but is generally longer for added security. Passphrases are often used to control both access to, and the operation of, cryptographic programmes and systems.
- Here are some examples of poor passphrases: "My name is name", "I was born on 1st January". Here are some examples of good passphrases: "the!Moon is Blu and *White", "S!mpa!sa is digital @nd payment".
- Application developers must ensure their programmes contain the following security precautions:
    - Applications must support authentication of individual users, not groups.
    - Applications must not store passwords in clear text or in any easily reversible form.
    - Applications must not transmit passwords in clear text over the network.
    - Applications must provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
- Do not use the same password for Simpaisa accounts as for other non-Simpaisa access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same password for various Simpaisa access needs. For example, select one password for the engineering systems and a separate password for IT systems.
- Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Handheld/Mobile devices) without encryption.

### Password Criteria

Passwords must:

- Contain at least 8 characters including 1 number, 1 uppercase letter and 1 special character
- Not be the same as the username
- Not be previously used (last 5 passwords)
- Not contain any identifiable personal information
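
As an added illustration of how an application could enforce the criteria above (example code, not Simpaisa's own), the checks below implement the length and character-class rules, the username rule and the last-5 history rule, keeping only salted PBKDF2 hashes of earlier passwords so that, as section 3 requires of applications, no previous password is stored in clear text or a reversible form. The `personal_info` list of user attributes to screen for is an assumption, since the policy does not say how identifiable personal information is detected.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8      # "at least 8 characters"
HISTORY_DEPTH = 5   # "not be previously used (last 5 passwords)"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so history can be checked without keeping any
    clear-text or reversible form of earlier passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def record_password(password: str, history: list) -> None:
    """Append a (salt, hash) pair to the user's history; clear text is never stored."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))


def in_history(password: str, history: list) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH entries."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            return True
    return False


def check_password(password: str, username: str,
                   personal_info: list, history: list) -> list:
    """Return the policy violations found (an empty list means compliant).
    personal_info is an assumed list of the user's known attributes
    (e.g. first name, surname) that must not appear in the password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if password.lower() == username.lower():
        problems.append("same as username")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in password.lower():
            problems.append(f"contains personal information ({item})")
    if in_history(password, history):
        problems.append(f"reused within last {HISTORY_DEPTH} passwords")
    return problems
```

Only the newest `HISTORY_DEPTH` entries are compared, so older hashes can be pruned when a password is recorded; the sample user, passwords and attributes in any test are constructed.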

## 4. Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.