Sample Access Control Standard

From HORSE - Holistic Operational Readiness Security Evaluation.

This Access Control Standard builds on the objectives established in the Sample Asset Protection Standard, and provides specific instructions and requirements for the proper identification, authentication, and authorization controls necessary to access Company information assets.

Objectives

  1. Identification
    1. Each User must have a unique account identifier or user ID.
    2. User communities and working groups must not share a single user ID for system access, so that user access and actions can be accurately accounted for.
    3. User IDs should not be shared or used by anyone other than the User to whom they are assigned. Users shall be accountable for all activity associated with their assigned user IDs.
    4. User IDs should be added, modified, and deleted in accordance with Company-approved account management processes.
    5. User IDs must be disabled within twenty-four (24) hours of notification of a status change (for example, resignation or change in job).
      1. User IDs must be disabled as soon as possible (immediately) when a user has been terminated under adversarial conditions, to prevent retaliatory risks to company assets, resources, reputation, and employees. Any such request must come through the MediaWiki system to satisfy historical tracking, compliance, and audit requirements.
    6. User IDs that are unused, dormant, or inactive for fifteen (15) days must be disabled.
    7. User IDs that have been disabled for ninety (90) days must be deleted.
    8. Temporary User IDs (for testing, contractors and temporary employees) should have an account expiration date that coincides with the anticipated end of employment, testing, or contract.
  2. Authentication
    1. Each user ID or account must be assigned a password.
    2. Passwords on new accounts must expire upon first log-in and require an immediate password change.
    3. All default system and application passwords must be changed prior to placing in the production environment or connecting to a live network.
    4. Authentication credentials such as passwords and tokens should not be used by anyone other than the User to whom they are assigned.
    5. Passwords must conform to the following criteria, with native system enforcement when possible:
      1. Password length must be eight (8) characters or longer. If the system does not support eight (8) characters, the password must contain the maximum number of characters allowed by the system.
      2. Passwords must not be equal to, or a derivative of, the user ID.
      3. Passwords must contain at least one (1) alphabetic and one (1) non-alphabetic character.
    6. When password criteria cannot be enforced by the native system, an automated password system or tool should be used, whenever possible, to verify and enforce the password criteria.
    7. Password changes are required every ninety (90) days.
    8. Password changes are required every three hundred and sixty-five (365) days for service and system ID accounts, or within twenty-four (24) hours of the termination of any employee with knowledge of the password to a service or system ID account.
      1. The account name and password must be transcribed onto a physical document containing the following information:
        1. Custodian's name and position
        2. Date of creation
        3. Date of recertification
        4. Asset the account belongs to
        5. Password of the account
      2. There must be two identical copies of this document provided to the Chief Administrative Officer (CAO) and the Chief Executive Officer (CEO) for physical safe storage or password vault application.
        1. The document must be placed into a sealed envelope and placed into safe storage or password vault application.
        2. The sealed envelope must be destroyed when it is replaced by a newly certified document.
      3. Under no circumstances should the document reside electronically in any email system, file system, or storage media without the highest level of encryption applied according to the Lazarus Alliance, LLC. Encryption Standard.
    9. Password changes are required every one hundred and eighty (180) days for user IDs with administrative or equivalent privileges, or within twenty-four (24) hours of the termination of any employee with knowledge of the password to an administrative account.
    10. Users should be notified a minimum of fifteen (15) days before a current password expires.
    11. Grace log-ins after a required password change must be limited to three (3) log-ins.
    12. Password changes must not be allowed in rapid succession, in order to prevent a user from "cycling" through passwords back to a previously used one.
    13. All systems, in accordance with the Auditing Standard, must log the date and time for all failed and successful user attempts to access the system.
    14. All systems, in accordance with the Auditing Standard, must limit the number of failed log-on attempts to three (3) before disabling the user ID.
    15. Authentication credentials, such as user IDs and passwords, must not be written down or stored in readable form in automatic log-in scripts, software macros, terminal function keys, on computers without access control, in shortcuts, or in other locations where unauthorized persons might discover them.
    16. All passwords must be immediately changed if known or suspected of being disclosed.
    17. All systems must require and authenticate a valid user ID and password or token prior to granting access to network or system resources.
    18. Authentication data (e.g. password files) must be protected with encryption controls to prevent unauthorized individuals from obtaining the data.
    19. Authentication data transmitted over a public or shared network must be encrypted in accordance with the Encryption Standard and Information Handling Standard.
  3. Authorization
    1. User access to information will be based on the confidentiality classification of the information asset.
    2. Users should be authorized only the level of access to information assets that is required to meet an approved business need or perform prescribed job responsibilities.
    3. Access to sensitive information must be provided on a need-to-know basis.
    4. User access rights to files, directories, and other objects should be assigned on a group basis and not assigned individually, unless doing so cannot be avoided.
    5. Log-in time restrictions, whenever practical, should be set to limit the time of day when users can be logged into the system or network.
    6. The number of concurrent log-ins allowed per user ID should be restricted to the minimum number required to perform a given job function.
    7. Administrative access must be limited to only those users that explicitly require such privileged access. This access shall not be granted until a properly documented request has been approved by three designated managers, including the Chief Administrative Officer (CAO).
    8. Users with administrative responsibilities must not use a privileged account except when performing actions that require an elevated privilege level.
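As an added illustration (not code from the wiki page or the standard's author), the following check encodes Authentication criteria 5.1 to 5.3, the kind of tool item 5.6 calls for when the native system cannot enforce them. The page does not define what a "derivative" of the user ID is, so the check assumes case-insensitive containment, the reversed user ID, and the user ID left over once non-alphabetic characters are stripped from the password.

```python
"""Password-criteria check for Authentication items 5.1-5.3 of the sample standard.

Constructed example, not code from the HORSE wiki. "Derivative of the user ID"
is undefined on the page; assumed here to mean case-insensitive containment,
the reversed user ID, or the user ID with non-alphabetic padding stripped."""
import re

MIN_LENGTH = 8  # item 5.1


def _is_user_id_derivative(password: str, user_id: str) -> bool:
    """Assumed interpretation of item 5.2 (see module docstring)."""
    pw = password.lower()
    uid = user_id.lower()
    if not uid:
        return False
    if uid in pw or uid[::-1] in pw:
        return True
    # "jdoe-2024" -> "jdoe": digits/punctuation around the ID do not make it new
    return re.sub(r"[^a-z]", "", pw) == uid


def check_password(password: str, user_id: str, max_supported: int = 64) -> list[str]:
    """Return the violated criteria; an empty list means the password complies.

    max_supported models item 5.1's fallback: a system that cannot hold eight
    characters must still require its own maximum length.
    """
    violations = []
    required = min(MIN_LENGTH, max_supported)
    if len(password) < required:
        violations.append(f"5.1: shorter than {required} characters")
    if _is_user_id_derivative(password, user_id):
        violations.append("5.2: equal to or derived from the user ID")
    if not any(c.isalpha() for c in password):
        violations.append("5.3: no alphabetic character")
    if not any(not c.isalpha() for c in password):
        violations.append("5.3: no non-alphabetic character")
    return violations


if __name__ == "__main__":
    # Constructed sample credentials for user ID "jdoe"
    for pw in ("Tr0ub4dor&3", "jdoe2024!", "EODJ-pass", "abcdefgh", "12345678"):
        print(f"{pw!r}: {check_password(pw, 'jdoe') or 'complies'}")
```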


Document Examples

Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.