Thank you all for the suggestions for actual policies –
much appreciated.
My personal approach would be risk-based and apply
length/longevity/second factor etc. to the category of data and user that I’m
looking at. Taking, for instance, a person with a high level of access to
sensitive personal info: they would have to meet a higher bar in terms of password policy
(or introduction of a 2nd factor – crypto-card etc.) than one who was
just using it for personal web-browsing with no significant data exposure
threat.
You should usually be able to identify some categories of user (in
my case staff/student/techy, for instance) and apply suitable policies and
training.
What I was wondering is whether there were any “best
practice” documents put forth by such bodies as the ICO etc?
Kind regards,
Jon