Secure Communications and Multi-Factor Authentication Policy

The Secure Communications and Multi-Factor Authentication (MFA) Policy establishes comprehensive controls to safeguard organizational communications and user access, aligning with rigorous regulatory and industry standards. Its primary purpose is to ensure the confidentiality and integrity of information transmitted across all communication channels, including voice, video, text, and emergency systems, by mandating advanced authentication processes in accordance with NIS2 Article 21(2)(j). Applying to all employees, contractors, and external parties, the policy compels the exclusive use of organization-approved and encrypted communication tools for sensitive or operational information. These requirements are extended to emergency notification systems, ensuring that even during crises, communication remains secure, resilient, and available. Emergency response coordinators are assigned a direct role in both the periodic testing of these systems and personnel training for their proper and secure use. A crucial objective of the policy is enforcing MFA for all network and system access, particularly for privileged and remote accounts. Privileged account holders must utilize separate credentials that always enforce MFA or continuous authentication, and any elevation of access is stringently time-limited and monitored. Should technical limitations prevent the immediate implementation of MFA or encryption, such as legacy system constraints or operational outages, compensating controls, such as heightened system monitoring or temporary access restrictions, are required, with all exceptions formally approved by the CISO and undergoing quarterly review. The policy also mandates rigorous training and awareness programs for all users, both at onboarding and annually thereafter. These sessions, with heightened focus for high-risk roles such as administrators and executives, ensure staff can distinguish secure from insecure channels, understand phishing and social engineering tactics, and properly use secure communications tools. Beyond onboarding, targeted training is provided for users at elevated risk levels, focusing on advanced authentication methods and the particular risks associated with emergency communications. To ensure ongoing compliance, continual monitoring and annual auditing of all authentication and communication systems are performed. Any user attempting to circumvent policies, or use unauthorized or unsecured communication methods, faces disciplinary action, including possible termination. IT Security maintains responsibility for monitoring logs and enforcing secure default configurations, while audit processes verify continuous alignment with policy and regulatory obligations. This policy thus delivers a layered, comprehensive approach to protecting the organization's information assets by tightly integrating controls for both secure communications and access authentication, in full alignment with directives such as NIS2, ISO/IEC 27001:2022, and related frameworks.