Multi-Factor Authentication (MFA) Policy

Modified on Wed, 25 Sep, 2024 at 9:42 PM

Objective 

To enhance the security of our organization's digital assets and protect against unauthorized access by implementing Multi-Factor Authentication (MFA) for all users accessing corporate resources. 

Policy Statement  

All users accessing church resources, including but not limited to applications, email, and data, must authenticate using Multi-Factor Authentication (MFA). This policy applies to all employees, contractors, partners, and any other individuals with access to our organization's systems and data. 

Policy 

  1. Scope: This policy applies to all users and accounts within our organization.

  2. Enforcement: Multi-Factor Authentication (MFA) will be enforced for all users during sign-in.

  3. Authentication Methods:

     • Users will be required to authenticate using at least two of the following factors:
       • Something they know (password or PIN)
       • Something they have (phone, token, smart card)
       • Something they are (biometric, such as fingerprint or facial recognition)
     • Approved authentication methods include:
       • Phone call verification
       • Text message verification
       • Microsoft Authenticator app
       • Verification code from mobile app
     • Users are encouraged to use the Microsoft Authenticator app for a more secure and convenient authentication experience.

  4. Conditional Access Policies (optional but recommended):

     • Conditional Access policies may be configured to enforce MFA under specific conditions, such as:
       • Accessing sensitive applications or data
       • Accessing resources from outside the corporate network or from unfamiliar devices
       • Any other conditions deemed necessary to mitigate security risks

  5. User Training and Awareness: All users will be provided with training and resources on how to set up and use Multi-Factor Authentication (MFA) effectively. Regular reminders and updates will be communicated to ensure compliance with this policy.

  6. Exceptions: Exceptions to this policy may be granted on a case-by-case basis and must be approved by the IT Team and the Lead Pastor. Exceptions will only be granted for valid business reasons and must include appropriate compensating controls to mitigate security risks.

Responsibilities: 

  • IT Department: The IT department is responsible for configuring MFA settings in Azure AD, providing user support for MFA setup, and ensuring compliance with this policy. 

  • Users: All users are responsible for adhering to this policy, setting up and using MFA as required, and promptly reporting any security concerns or issues related to MFA. 

Non-Compliance: Non-compliance with this policy may result in loss of computer and/or network access privileges, may be subject to disciplinary action in accordance with applicable church policies and procedures, and may also lead to legal consequences in cases of a data breach or security incident resulting from non-compliance.

Policy Revision History: 

  • February 2024: Initial version of the MFA policy created. 
