Sample Access Control Standard:
Document History

| Version | Date | Revised By | Description |
|---|---|---|---|
| 1.0 | 1 January 2009 <Current date> | Michael D. Peters <Owner's name> | This version replaces any prior version. |
Document Certification

| Description | Date Parameters |
|---|---|
| Designated document recertification cycle in days: | 30 - 90 - 180 - 365 <Select cycle> |
| Next document recertification date: | 1 January 2010 <Date> |
Sample Access Control Standard
The <Your Company Name> (the "Company") Sample Asset Protection Policy defines objectives for establishing specific standards for protecting the confidentiality, integrity, and availability of <Your Company Name> information assets.
This Access Control Standard builds on the objectives established in the Sample Asset Protection Policy, and provides specific instructions and requirements for the proper identification, authentication, and authorization controls necessary to access Company information assets.
I. Scope
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.
Authentication refers to the controls for providing Users the means to verify or validate a claimed identity through the presentation of something they know (e.g., passwords), something they own (e.g., hardware token), or something they are (e.g. fingerprint, biometrics, etc.).
Authorization refers to the controls for determining the resources that Users are permitted to access based upon the permissions and privileges for which they have been authorized.
Confidentiality classifications are defined in the Sample Information Classification Standard.
Encryption refers to a method of scrambling information to render it unreadable to anyone except the intended recipient, who must decrypt it to read it.
Identification refers to the controls for providing Users the means to convey their identities through the use of pre-determined identifiers.
Information assets are defined in the Sample Asset Identification and Classification Policy.
Integrity refers to the protection of information and systems from malicious, unauthorized, or accidental changes.
Sensitive information refers to information that is classified as Restricted or Confidential. Refer to the Sample Information Classification Standard for confidentiality classification categories.
II. Requirements
- A. Identification
  - 1. Each User must have a unique account identifier or user ID.
  - 2. User communities and working groups must not share a single user ID for system access, so that user access and actions can be accurately accounted for.
  - 3. User IDs should not be shared or used by anyone other than the User to whom they are assigned. Users shall be accountable for all activity associated with their assigned user IDs.
  - 4. User IDs should be added, modified, and deleted in accordance with Company-approved account management processes.
  - 5. User IDs must be disabled within twenty-four (24) hours of notification of a status change (for example, termination or change in job).
  - 6. User IDs that are unused, dormant, or inactive for forty-five (45) days must be disabled.
  - 7. User IDs that have been disabled for ninety (90) days must be deleted.
  - 8. Temporary User IDs (for testing, contractors, and temporary employees) should have an account expiration date that coincides with the anticipated end of employment, testing, or contract.
- B. Authentication
  - 1. Each user ID or account must be assigned a password.
  - 2. Passwords on new accounts must expire upon first login and require an immediate password change.
  - 3. All default system and application passwords must be changed prior to placing the system or application in the production environment or connecting it to a live network.
  - 4. Authentication credentials such as passwords and tokens should not be used by anyone other than the User to whom they are assigned.
  - 5. Passwords must conform to the following criteria, with native system enforcement when possible:
    - Password length must be eight (8) characters or longer. If the system does not support eight (8) characters, the password must contain the maximum number of characters allowed by the system.
    - Passwords must not be equal to, or a derivative of, the user ID.
    - Passwords must contain at least one (1) alphabetic and one (1) non-alphabetic character.
    - Passwords must not contain more than two (2) identical consecutive characters.
  - 6. When password criteria cannot be enforced by the native system, an automated password system or tool should be used, whenever possible, to verify and enforce the password criteria.
  - 7. Password changes are required every ninety (90) days.
  - 8. Password changes are required every sixty (60) days for User IDs with administrative or equivalent privileges.
  - 9. Users should be notified a minimum of seven (7) days before a current password expires.
  - 10. Grace logins after a required password change must be limited to three (3).
  - 11. Password changes must not be allowed in rapid succession, in order to prevent a User from "cycling" through passwords.
  - 12. All systems, in accordance with the Sample Auditing Standard, must log the date and time of all failed and successful user attempts to access the system.
  - 13. All systems, in accordance with the Sample Auditing Standard, must limit the number of failed log-on attempts to three (3) before disabling the user ID.
  - 14. Authentication credentials, such as user IDs and passwords, must not be written down or stored in readable form in automatic login scripts, software macros, terminal function keys, computers without access control, shortcuts, or other locations where unauthorized persons might discover them.
  - 15. All passwords must be changed immediately if they are known or suspected to have been disclosed.
  - 16. All systems must require and authenticate a valid user ID and password or token prior to granting access to network or system resources.
  - 17. Authentication data (e.g. password files) must be protected with encryption controls to prevent unauthorized individuals from obtaining the data.
  - 18. Authentication data transmitted over a public or shared network must be encrypted in accordance with the Sample Encryption Standard and the Sample Information Handling Standard.
- C. Authorization
  - 1. User access to information will be based on the confidentiality classification of the information asset.
  - 2. Users should only be authorized the level of access to information assets that is required to meet an approved business need or perform prescribed job responsibilities.
  - 3. Access to sensitive information must be provided on a need-to-know basis.
  - 4. User access rights to files, directories, and other objects should be assigned on a group basis and not individually, unless doing so cannot be avoided.
  - 5. Login time restrictions, whenever practical, should be set to limit the time of day when Users can be logged into the system or network.
  - 6. The number of concurrent logins allowed per user ID should be restricted to the minimum number required to perform a given job function.
  - 7. Administrative access must be limited to only those Users who explicitly require such privileged access.
  - 8. Users with administrative responsibilities must not use a privileged account unless specifically performing actions that require an elevated privilege level.
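The account-lifecycle rules in II.A.5-7 and the password criteria in II.B.5 are concrete enough to be checked automatically, which is what II.B.6 asks for when the native system cannot enforce them. The following Python module is an added example written for this page; it is not part of the standard or of any Company tooling. It assumes a simple dictionary-based account record (keys `disabled_at`, `status_change_notified_at`, `last_login`, `created_at`) and, because the standard does not define "derivative of the user ID", it treats case-insensitive equality, containment in either direction, and the reversed user ID as derivatives. An account that has never logged in is measured from its creation date, which is also an assumption.

```python
"""Compliance checks for the account-lifecycle rules in II.A.5-7 and the
password criteria in II.B.5.  Added example; not part of the standard."""
import re
from datetime import datetime, timedelta
from typing import Optional

# Parameters taken directly from the standard.
MIN_PASSWORD_LENGTH = 8            # II.B.5, first criterion
INACTIVE_DAYS_BEFORE_DISABLE = 45  # II.A.6
DISABLED_DAYS_BEFORE_DELETE = 90   # II.A.7
STATUS_CHANGE_DISABLE_HOURS = 24   # II.A.5


def password_violations(password: str, user_id: str,
                        system_max_length: Optional[int] = None) -> list:
    """Return the II.B.5 criteria the password fails; an empty list means compliant.

    system_max_length models a legacy system that caps password length; when the
    cap is below eight, the standard requires the password to use every allowed
    character.
    """
    problems = []

    if system_max_length is not None and system_max_length < MIN_PASSWORD_LENGTH:
        if len(password) != system_max_length:
            problems.append("must use the system maximum of %d characters" % system_max_length)
    elif len(password) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)

    # The standard does not define "derivative of the user ID".  This check
    # (an assumption for the example) treats case-insensitive equality,
    # containment in either direction and the reversed user ID as derivatives.
    pw, uid = password.lower(), user_id.lower()
    if pw and uid and (pw == uid or uid in pw or pw in uid or pw == uid[::-1]):
        problems.append("equal to or derived from the user ID")

    if not any(ch.isalpha() for ch in password):
        problems.append("no alphabetic character")
    if not any(not ch.isalpha() for ch in password):
        problems.append("no non-alphabetic character")

    # "More than two identical consecutive characters" is a run of three or more.
    if re.search(r"(.)\1\1", password):
        problems.append("more than two identical consecutive characters")

    return problems


def account_action(record: dict, now: datetime) -> str:
    """Return the action II.A.5-7 requires for one account record at time `now`.

    The record layout is constructed for this example: optional datetime values
    under 'disabled_at', 'status_change_notified_at', 'last_login' and 'created_at'.
    Rules are checked from the most advanced lifecycle state backwards.
    """
    disabled_at = record.get("disabled_at")
    if disabled_at is not None:
        # II.A.7: disabled for ninety days -> delete.
        if now - disabled_at >= timedelta(days=DISABLED_DAYS_BEFORE_DELETE):
            return "delete"
        return "none"

    notified_at = record.get("status_change_notified_at")
    if notified_at is not None:
        # II.A.5: a status change must lead to disablement within 24 hours;
        # past that window the account is flagged as overdue for review.
        if now - notified_at > timedelta(hours=STATUS_CHANGE_DISABLE_HOURS):
            return "disable (overdue)"
        return "disable"

    # II.A.6: an account that has not been used for 45 days is dormant.  An
    # account that never logged in is measured from its creation date (assumption).
    last_activity = record.get("last_login") or record.get("created_at")
    if last_activity is None or now - last_activity >= timedelta(days=INACTIVE_DAYS_BEFORE_DISABLE):
        return "disable"
    return "none"


if __name__ == "__main__":
    # Constructed sample data: a password built from the user ID, and an
    # account last used 61 days before the review date.
    print(password_violations("mpeters1", "mpeters"))
    today = datetime(2009, 6, 1)
    print(account_action({"last_login": datetime(2009, 4, 1)}, today))
```

Running the module reports `['equal to or derived from the user ID']` for the first check and `disable` for the second. The lifecycle function is ordered so that a record already disabled is only ever a candidate for deletion, and a pending status-change notification takes precedence over the dormancy rule; both orderings follow from the standard's own sequence of controls.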
III. Responsibilities
The Chief Information Security Officer (CISO) approves the Access Control Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Access Control Standard.
Company management, including senior management and department managers, is accountable for ensuring that the Access Control Standard is properly communicated and understood within their respective organizational units. Company management also is responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Access Control Standard.
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Access Control Standard; defining the access control requirements for information assets associated with their functional authority; processing requests in accordance with the Company-approved access request procedure; determining the level of access and authorizing access based on Company-approved criteria; ensuring the revocation of access for those who no longer have a business need to access information assets; and ensuring that access controls and privileges are reviewed at least annually.
Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information; administering access to information assets as authorized by the Owner; and implementing procedural safeguards and cost-effective controls that are consistent with the Access Control Standard.
Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing themselves with and complying with the Access Control Standard and associated guidelines; following Company-approved processes and procedures to request and obtain access to information assets; ensuring authorization credentials such as passwords and tokens are not written down or stored in a place where unauthorized persons might discover them; reporting immediately to <INSERT CONTACT> when authorization credentials have been or may have been compromised; and maintaining the confidentiality, integrity, and availability of information accessed, consistent with the Owner's approved safeguards, while it is under the User's control.
IV. Enforcement and Exception Handling
Failure to comply with the Access Control Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.
Requests for exceptions to the Access Control Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Access Control Standard.
V. Review and Revision
The Access Control Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.
Approved: _______________________________________________________
Signature
<Insert Name>
Chief Information Security Officer