OVERVIEW (AC-1)

Our access control policy governs how access is managed and who may access information under what circumstances.

ACCOUNT MANAGEMENT (AC-2)

IT Management is responsible for granting and revoking access based on changes to an individual's role. For example, if an employee is terminated, all of that employee's access privileges shall be revoked.

Employee Roster

IT Management shall be responsible for keeping a roster of all employees and contractors. The roster shall also identify each person's role.
(See Awareness and Training Policy for more information on Employee Roster (AT001)).

Roles

The following roles have been identified within the organization:

  • Administration - No access to customer data
  • Sales & Marketing - No access to customer data
  • Technical Support - Job role requires access to customer data
  • Account Management - Job role requires access to customer data
  • Professional Services - Job role requires access to customer data
  • Engineering & Test - Job role requires access to customer data
  • Data Center Operations - Job role requires access to customer data, Remote Desktop Access to Servers and access to system/audit logs
  • IT Management - Job role requires access to customer data, Remote Desktop Access to Servers and access to system/audit logs. Responsible for Access Management.

Onboarding

When a new employee or contractor is hired, their role determines which systems and data they have access to.

The following procedure is followed:

  • Employee Roster is updated
  • IT completes an Employee Access Checklist (AC001) (containing system access permissions and authorization levels - based on employee role). AC001 also specifies whether a background check is required (see Background Check Policy for more information).
  • IT reviews checklist with senior IT management
  • Accounts are provisioned as appropriate (with specified access level)

Offboarding

When an employee or contractor is exited, the following procedure is followed:

  • IT uses the associated Employee Access Checklist (AC001) to disable all system access
  • Employee Roster is updated

This procedure must be followed within 5 business days of exit.

Role Change

When an employee's or contractor's role changes, their new role determines which systems and data they have access to.

The following procedure is followed:

  • IT updates their Employee Access Checklist (AC001)
  • IT reviews checklist with senior IT management
  • Accounts are provisioned/deprovisioned as appropriate (with specified access level)
  • Employee Roster is updated

ACCESS ENFORCEMENT (AC-3)

Access is granted based on the principle of least privilege. A quarterly Access Audit (AC002) will be performed as a control for access enforcement.

UNSUCCESSFUL LOGON ATTEMPTS (AC-7)

Where possible, all systems shall be configured as follows:

  • After 3 unsuccessful login attempts within a 15-minute period, the account shall be locked out for a period of 30 minutes. A correct password presented during the lockout period shall still be refused.
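The lockout rule above, as an added example that is not part of the policy: a small Python sliding-window tracker using the policy's values (3 failures within 15 minutes, 30-minute lockout). The class and method names are illustrative, and timestamps are plain seconds so the logic can be exercised without a real clock.

```python
"""Sliding-window lockout implementing the AC-7 rule.

Added example, not part of the policy document. The thresholds come from
AC-7; LockoutTracker and its method names are illustrative. Times are
plain seconds so the logic can be exercised without a real clock.
"""
from collections import defaultdict, deque

MAX_FAILURES = 3        # unsuccessful attempts permitted ...
FAIL_WINDOW = 15 * 60   # ... within this window (seconds) ...
LOCKOUT = 30 * 60       # ... before the account is locked for this long (seconds)


class LockoutTracker:
    def __init__(self, max_failures=MAX_FAILURES, fail_window=FAIL_WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.fail_window = fail_window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time at which the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        # Lock has expired: clear it together with the failures that caused it.
        del self._locked_until[user]
        self._failures[user].clear()
        return False

    def _prune(self, user, now):
        """Drop failures older than the window so they no longer count."""
        q = self._failures[user]
        while q and now - q[0] > self.fail_window:
            q.popleft()

    def record_failure(self, user, now):
        """Record a failed attempt. Returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True  # failures during a lockout do not extend it
        self._prune(user, now)
        q = self._failures[user]
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            return True
        return False

    def attempt(self, user, password_ok, now):
        """Decision for one login attempt: 'ok', 'denied' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"  # even a correct password is refused while locked
        if password_ok:
            self._failures[user].clear()  # success resets the failure count
            return "ok"
        return "locked" if self.record_failure(user, now) else "denied"


if __name__ == "__main__":
    t = LockoutTracker()
    for now, ok in [(0, False), (60, False), (120, False), (200, True), (1920, True)]:
        print(f"t={now:5d}s password_ok={ok!s:5} -> {t.attempt('alice', ok, now)}")
```

Two details matter in practice: a correct password presented during the lockout is still refused, and failures during the lockout do not extend it, so an attacker cannot stretch a single lockout indefinitely (they can re-lock the account every 30 minutes, which is why lockouts should be logged and alerted on, not just enforced). On Linux the same rule is expressed with pam_faillock as deny=3 fail_interval=900 unlock_time=1800.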

SYSTEM USE NOTIFICATION (AC-8)

The information system:

  1. Displays to users, as appropriate, a system use notification message before granting access to the system. The message provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that:
    1. Users are accessing a U.S. Government information system
    2. Information system usage may be monitored, recorded, and subject to audit
    3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties
    4. Use of the information system indicates consent to monitoring and recording
  2. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system
  3. For publicly accessible systems:
    1. Displays system use information and notifies users that by authenticating they agree to the terms of use, before granting further access
    2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems, which generally prohibit those activities
    3. Includes a description of the authorized uses of the system.

PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION (AC-14)

No actions that allow access to customer data are permitted prior to authentication. If this changes at any point in the future, this policy will need to be updated (reference MR002).

REMOTE ACCESS (AC-17)

If a job role requires access to application servers, the user must first authenticate to the VPN; remote desktop connectivity to the servers is only reachable from within the VPN.

WIRELESS ACCESS (AC-18)

Wireless network policy:

  1. Access to the corporate wireless network shall require a passcode at least 12 characters long that includes at least one number and one special character
  2. The passcode shall be changed every 90 days
  3. The corporate wireless shall never allow access to any information systems or customer data
  4. No wireless access is available in data center server environment
  5. Employees and contractors accessing the wireless network shall be made aware of the acceptable use policy

ACCESS CONTROL FOR MOBILE DEVICES (AC-19)

The organization:

  1. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices
  2. Authorizes the connection of mobile devices to organizational information systems.

USE OF EXTERNAL INFORMATION SYSTEMS (AC-20)

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

  1. Access the information system from external information systems
  2. Process, store, or transmit organization-controlled information using external information systems.

PUBLICLY ACCESSIBLE CONTENT (AC-22)

The organization:

  1. Designates individuals authorized to post information onto a publicly accessible information system
  2. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information
  3. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included
  4. Reviews the content on the publicly accessible information system for nonpublic information quarterly and removes such information, if discovered.

AUDIT PROCEDURES

The following procedure shall be followed for the quarterly access control audit (AC002).

  • IT management shall verify that wireless passcodes have been changed as required
  • IT management shall review user accounts on all systems, using the Information Systems Inventory (SA001) as the reference list of systems
  • IT management shall review the Employee Roster for correctness
  • IT management shall verify that an Employee Access Checklist (AC001) is correct and on file for every employee and contractor
  • IT management shall verify that all required Employee Background Checks are on file
  • IT management shall perform the Workstation Audit (see procedure below)
  • Issues found shall be corrected (e.g. disabling a user's access to a system that was missed during offboarding)
  • Where possible, disabled accounts that are older than 5 years shall be deleted
  • Inactive logins shall be disabled (see the Identification and Authentication Policy for guidelines)
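Several of the account checks above (accounts with no matching roster entry, accounts still enabled for exited staff, access beyond what the Roles section permits, long-disabled accounts) can be reconciled mechanically before IT management reviews the results. The following Python is an added example, not the policy's own tooling: the roster, the account export, the field names and the audit date are constructed sample data, and "older than 5 years" is interpreted here as disabled for more than 5 years.

```python
"""Quarterly access audit (AC002): reconcile system accounts against the roster.

Added example, not the policy's own tooling. ROSTER, ACCOUNTS, the field
names and AUDIT_DATE are constructed sample data. "Older than 5 years" is
interpreted as "disabled for more than 5 years" (an assumption).
"""
from datetime import date

# Privileges each role may hold, taken from the Roles section of this policy.
ROLES_WITH_CUSTOMER_DATA = {
    "Technical Support", "Account Management", "Professional Services",
    "Engineering & Test", "Data Center Operations", "IT Management",
}
ROLES_WITH_SERVER_ACCESS = {"Data Center Operations", "IT Management"}
DELETE_AFTER_YEARS = 5  # disabled accounts older than this are deletion candidates


def add_years(d, years):
    """d plus `years`, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def audit_accounts(roster, accounts, today):
    """Return a sorted list of (system, user, finding) tuples for IT management to action."""
    by_user = {r["user"]: r for r in roster}
    findings = []
    for a in accounts:
        key = (a["system"], a["user"])
        person = by_user.get(a["user"])
        if not a["enabled"]:
            # Disabled accounts are not an access risk, but old ones should be deleted.
            if a["disabled_on"] and add_years(a["disabled_on"], DELETE_AFTER_YEARS) <= today:
                findings.append(key + ("disabled >5 years: delete",))
            continue
        if person is None:
            findings.append(key + ("not on roster: orphan account",))
            continue
        if person["status"] != "active":
            findings.append(key + ("exited user still enabled: missed offboarding",))
            continue
        # Least privilege (AC-3): the account's privileges must match what the role allows.
        role = person["role"]
        if a["customer_data"] and role not in ROLES_WITH_CUSTOMER_DATA:
            findings.append(key + (f"customer data access not permitted for role {role}",))
        if a["server_rdp"] and role not in ROLES_WITH_SERVER_ACCESS:
            findings.append(key + (f"server access not permitted for role {role}",))
    return sorted(findings)


# Constructed sample data (not from any real system).
ROSTER = [
    {"user": "alice", "role": "Sales & Marketing",      "status": "active"},
    {"user": "bob",   "role": "Data Center Operations", "status": "active"},
    {"user": "carol", "role": "Technical Support",      "status": "exited"},
    {"user": "erin",  "role": "Administration",         "status": "exited"},
]
ACCOUNTS = [
    {"system": "crm",     "user": "alice", "enabled": True,  "disabled_on": None,             "customer_data": True,  "server_rdp": False},
    {"system": "servers", "user": "bob",   "enabled": True,  "disabled_on": None,             "customer_data": True,  "server_rdp": True},
    {"system": "crm",     "user": "carol", "enabled": True,  "disabled_on": None,             "customer_data": True,  "server_rdp": False},
    {"system": "servers", "user": "dave",  "enabled": True,  "disabled_on": None,             "customer_data": False, "server_rdp": True},
    {"system": "ldap",    "user": "erin",  "enabled": False, "disabled_on": date(2018, 3, 1), "customer_data": False, "server_rdp": False},
    {"system": "ldap",    "user": "frank", "enabled": False, "disabled_on": date(2023, 6, 1), "customer_data": False, "server_rdp": False},
]
AUDIT_DATE = date(2024, 4, 1)


def run_audit():
    return audit_accounts(ROSTER, ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for system, user, finding in run_audit():
        print(f"{system:8} {user:6} {finding}")
```

Run against the sample data, the audit flags alice (a Sales & Marketing role with customer data access), carol (exited but still enabled, i.e. a missed offboarding), dave (an enabled server account with no roster entry) and erin (disabled since 2018, a deletion candidate); bob and frank produce no findings. In a real audit the roster and account export would come from the Employee Roster and each system listed in SA001.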

IT Management is responsible for auditing the workstations of 3 randomly chosen employees to check the following:

  • Only approved software is installed
  • All installed software is properly licensed
  • Security settings are valid (e.g. auto-screen-lock, etc.).
  • Peer-to-peer file shares, if any, do not contain sensitive data
  • Virus protection is enabled and functional

AUDIT

  • Quarterly Management Review (MR002) includes:
    1. Access Control Audit (AC002) (procedure described above)
    2. WIRELESS ACCESS (AC-18) check
  • Annual Management Review (MR001) includes review of this policy including checks on controls AC-8, AC-14, AC-17, AC-20 and AC-22