
Sample – Access and Authentication Policy

February 13, 2013

This document is provided without warranty; always vet what works best for you and your organization.

Policy

IT validates a user's identification and authentication before the user is granted access to the IT network infrastructure and its resources. Access controls then grant privileges according to the user's business role. Additional network access controls validate the authenticity of electronic communications.

Guidelines

IT electronic information is a critical asset to the corporation and access to information is based on a user’s need-to-know and business role.  The purpose of this policy is to establish guidelines for implementing the following access controls:

  • User Identification Management
  • Password Management
  • Session Management
  • Access Management
  • Security Administration Management

User Identification Management

  • A unique user name (logon ID) is associated with each individual who accesses IT network infrastructure and resources.  Passwords are required to authenticate a logon ID.
  • Shared IDs are prohibited.
  • Where technically feasible, the logon ID is linked to the single role-based security template appropriate to the user's role within the company.  Assigning multiple security templates to one user is discouraged.  Where this linkage is not feasible, a separate user name and password is used.
  • Where technically feasible, single sign-on technology is used.
  • When the logon ID is presented at initial network sign-on, the user’s desktop is populated with icons representing the appropriate resources for that individual’s role within the company.
  • Logon IDs follow a naming convention that distinguishes between types of users where technically feasible; associates are further distinguished as full-time, part-time or consultants. Where appropriate, a logon ID is restricted to particular dates and times, such as weekdays or business hours.
  • User activity is logged against the user's logon ID with a date and time stamp (where necessary).
  • Logon IDs are not hard-coded into clients or scripts to bypass manual entry of the user name.
  • Administrative and maintenance IDs are renamed from their installation defaults and monitored closely for unusual activity. Default installation and guest accounts, and backdoor accounts of any kind, are prohibited.

Password Management

  • Access to IT resources, applications and data requires authentication as well as identification. A user password has a minimum length of 8 characters and follows password construction and reuse restrictions. Network and system administrative passwords follow additional restrictions (e.g., installation default passwords and shared passwords are prohibited).
  • All Active Directory passwords associated with an individual user ID expire every 30 days, at which point the associate must change the password. An account whose password has expired and which has not been used for 90 days is automatically suspended and then revoked.
  • Except on older legacy systems where this is not feasible, passwords are stored only in hashed or otherwise encrypted form and are never sent across the network in clear text.   Passwords are not displayed on any screen or written on paper.
  • Password resets are performed by the user (self-service) or by an administrator.  For a user self-service reset, the user answers challenge questions through the NetIQ password reset process.  For an administrator reset, the administrator issues a temporary default password and the system forces the end user to change it at the next logon.
  • Users are required to key in passwords manually.  Hard-coding passwords into executables to bypass manual entry is prohibited.
  • Scripts or code that must contain user IDs and passwords for automated processes (e.g., file transfer) are protected by encryption or by access control lists so that only the owning process and its administrators can read them.

Session Management and Password-Protected Screen Savers

  • Network sessions are terminated after a specified period of inactivity.
  • All workstations with network sessions activate a password-protected screen saver after 30 minutes of inactivity.    The workstation lock feature is available so that users can lock the workstation manually before the timeout expires.
  • A logon ID is locked after three consecutive incorrect authentication attempts. Sign-on to the network or application remains locked until the ID is reset by an authorized administrator or by the user through the automated password reset application.
  • All unsuccessful attempts to access systems or information must be logged and reported to the security administrators for review and corrective action where necessary.
  • At logon, the desktop configuration and the software and application versions are validated.  At the end of a session, buffers are cleared so that no residual data remain in memory.
  • Additional session controls for remote and web-based sessions are used to maintain and validate session communication where applicable.
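The lockout and failed-attempt reporting rules above (three consecutive incorrect attempts lock the ID, a successful logon resets the count, a locked ID stays locked until an administrator or self-service reset, and every unsuccessful attempt is logged for the security administrators) are easy to state and easy to get subtly wrong in an implementation, for example by counting total rather than consecutive failures. The following is an added example, not part of the original policy and not code from any product it names: it runs the rule over a few constructed authentication log lines. The log format (timestamp, logon ID, result, source) and the RESET event type are assumptions made for the example.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed sample log (not real data). Assumed format, one event per line:
#   <timestamp> <logon_id> <FAIL|SUCCESS|RESET> <source>
# SUCCESS/FAIL is the outcome of the credential check alone; RESET is an
# administrator (or self-service) unlock, which is assumed to also appear in the log.
SAMPLE_LOG = """\
2013-02-13T08:01:10 jsmith FAIL 10.1.2.3
2013-02-13T08:01:25 jsmith FAIL 10.1.2.3
2013-02-13T08:01:40 jsmith SUCCESS 10.1.2.3
2013-02-13T08:02:05 jsmith FAIL 10.1.2.3
2013-02-13T08:02:20 jsmith FAIL 10.1.2.3
2013-02-13T08:02:35 jsmith FAIL 10.1.2.3
2013-02-13T08:02:50 jsmith SUCCESS 10.1.2.3
2013-02-13T08:30:00 jsmith RESET admin-console
2013-02-13T08:31:00 jsmith SUCCESS 10.1.2.3
2013-02-13T09:15:00 adoe FAIL 10.1.9.9
2013-02-13T09:15:30 adoe SUCCESS 10.1.9.9
2013-02-13T10:00:00 svc_ftp FAIL 10.1.5.5
2013-02-13T10:00:02 svc_ftp FAIL 10.1.5.5
2013-02-13T10:00:04 svc_ftp FAIL 10.1.5.5
"""

LOCKOUT_THRESHOLD = 3  # policy value: three consecutive incorrect attempts


class AuthEvent(NamedTuple):
    ts: str
    logon_id: str
    result: str  # "FAIL", "SUCCESS" or "RESET"
    source: str


class LockoutResult(NamedTuple):
    locked: Set[str]            # IDs still locked at the end of the log
    failures: List[AuthEvent]   # every unsuccessful attempt, for the admin report
    lockouts: List[AuthEvent]   # the attempt that triggered each lockout


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the assumed four-field log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2] not in ("FAIL", "SUCCESS", "RESET"):
            continue
        events.append(AuthEvent(*fields))
    return events


def evaluate(events: List[AuthEvent], threshold: int = LOCKOUT_THRESHOLD) -> LockoutResult:
    """Apply the lockout rule in log order.

    - the counter is per logon ID and counts *consecutive* failures only;
    - a SUCCESS resets the counter;
    - once locked, every attempt (even with the correct password) is rejected
      and recorded as unsuccessful until a RESET event clears the lock.
    """
    consecutive: Dict[str, int] = defaultdict(int)
    locked: Set[str] = set()
    failures: List[AuthEvent] = []
    lockouts: List[AuthEvent] = []
    for ev in events:
        uid = ev.logon_id
        if ev.result == "RESET":
            locked.discard(uid)
            consecutive[uid] = 0
            continue
        if uid in locked:
            failures.append(ev)  # rejected regardless of credential outcome
            continue
        if ev.result == "SUCCESS":
            consecutive[uid] = 0
            continue
        failures.append(ev)
        consecutive[uid] += 1
        if consecutive[uid] >= threshold:
            locked.add(uid)
            lockouts.append(ev)
    return LockoutResult(locked, failures, lockouts)


def failure_counts(result: LockoutResult) -> Dict[str, int]:
    """Unsuccessful attempts per logon ID, the figure a periodic review would start from."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in result.failures:
        counts[ev.logon_id] += 1
    return dict(counts)


def report_lines(result: LockoutResult) -> List[str]:
    """Human-readable lines for the security administrators' review."""
    lines = [f"LOCKOUT {ev.ts} {ev.logon_id} from {ev.source}" for ev in result.lockouts]
    lines += [f"FAILED  {ev.ts} {ev.logon_id} from {ev.source}" for ev in result.failures]
    lines.append("still locked: " + (", ".join(sorted(result.locked)) or "none"))
    return lines


if __name__ == "__main__":
    for line in report_lines(evaluate(parse_log(SAMPLE_LOG))):
        print(line)
```

In the sample, jsmith's first two failures are forgiven by the successful logon that follows, the next three lock the ID, the correct-password attempt at 08:02:50 is still rejected and logged, and the administrator reset at 08:30 is what allows the 08:31 logon; svc_ftp hits the threshold and remains locked. Counting total failures per ID instead of consecutive ones would have locked jsmith two attempts earlier than the policy says.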

Security Administration Management

  • Security access to the IT infrastructure and resources is centrally administered within IT.  When necessary, IT-approved individuals within operating areas may administer access to specific applications, subject to periodic review.
  • Security administrative privileges are validated by IT periodically to ensure the appropriateness of the access granted and segregation of duties.
  • A formal process exists for the identification, documentation, approval and periodic review of network and resource access granted to individuals. The formal process includes timely processing of adds, changes and terminations of security access.
  • Logging, monitoring and reporting of security related activity is required to identify the following:
    • Security violations and trend analysis for abnormal behavior
    • Security file inquiry and changes
    • Security file content reporting for periodic access validation reviews.
  • Logging, monitoring and reporting of IT infrastructure security related activity is centralized for enterprise security management.  Monitoring and reporting of application-level activity may in some cases be delegated to security administrators within the business area.