Authentication & Access Control Policies

🔐 Authentication & Access Control Policies

➡️ Purpose

To define Jisr's approach to secure authentication, enforce access controls, and manage user sessions across our cloud-native HR SaaS platform. These controls are essential for protecting sensitive data and ensuring only authorized access is permitted.

🔑 Password Policy

Overview:
Passwords are the first line of defense in securing user accounts. Jisr enforces strong password standards to mitigate unauthorized access risks.
 

Policy Controls:

• Minimum length: 8 characters
• Complexity: Must include uppercase, lowercase, number, and special character
• Expiration: Every 180 days
• Password history: Cannot reuse last 5 passwords
• Lockout: Accounts are locked after 5 failed login attempts

🔐 Multi-Factor Authentication (MFA)

Overview:
MFA is enforced to add a second layer of authentication beyond passwords, significantly reducing account compromise risk.
 

Policy Controls:

• Mandatory for all administrative and privileged accounts
• Enforced for users accessing production or sensitive systems
• Supported methods: TOTP (e.g., Google Authenticator), SMS (limited), and hardware security keys

🕒 Session Management Policies

Overview:
Session controls protect against session hijacking and unauthorized long-term access.
 

Policy Controls:

• Inactivity timeout: 15 minutes
• Maximum session duration: 12 hours
• Forced logout: On password change or privilege escalation
• Concurrent sessions: Limited to a defined number per user
• Session revocation: Admins can revoke sessions at any time

📥 FAQ / Client-Facing Summary

Q: Do you enforce strong authentication mechanisms?
A: Yes. Jisr enforces strong password policies, mandatory MFA for critical access, and session timeouts to ensure secure authentication and access control.