...
These requirements may depend on factors such as:
The security classification of the information stored and processed by a particular system or service
Relevant legislation that may apply in areas such as privacy and corporate compliance
The regulatory framework in which the organization and the system operates
Contractual obligations to external third parties
The threats, vulnerabilities and risks involved
The organisation’s appetite for risk
This access control policy is designed to take account of the business and information security requirements of the organization and is subject to regular review to ensure that it remains appropriate.
...
The following policies and procedures are relevant to this document:
Mobile Device Policy
User Access Management Process
Cloud Computing Policy
Internet Acceptable Use Policy
Business requirements of access control
...
In addition to the specific requirements, a number of general principles will be used when designing access controls for Vertic Pty Ltd systems and services.
These are:
Defence in Depth: security must not depend upon any single control but be the sum of a number of complementary controls
Least Privilege: the default approach taken must be to assume that access is not required, rather than to assume that it is
Need to Know: access is only granted to the information required to perform a role, and no more
Need to Use: users will only be able to access physical and logical facilities required for their role
Adherence to these basic principles will help to keep systems secure by reducing vulnerabilities and therefore the number and severity of security incidents that occur.
As part of the selection of cloud service providers specifically, the following access-related considerations must be taken into account:
User registration and de-registration functions provided
Facilities for managing access rights to the cloud service
The extent to which access to cloud services, cloud service functions and cloud service customer data can be controlled on an as-required basis
Availability of multi-factor authentication for administrator accounts
Procedures for the allocation of secret information such as passwords
Addressing these requirements as part of the selection process will ensure that the provisions of this policy can be met in the cloud as well as within on-premises systems.
...
User access rights must be reviewed at regular intervals to ensure that the appropriate rights are still allocated. System administration accounts must only be provided to users that are required to perform system administration tasks.
User registration and de-registration
A request for access to the organisation’s network and computer systems must first be submitted to the IT Service Desk for approval. All requests will be processed according to a formal procedure that ensures that appropriate security checks are carried out and correct authorisation is obtained prior to user account creation. The principle of segregation of duties will apply so that the creation of the user account and the assignment of permissions are performed by different people.
...
On a regular basis (at least annually) asset owners must review who has access to their areas of responsibility and the level of access in place. The purpose of this review is to identify:
People who should not have access (e.g. leavers)
User accounts with more access than required by the role
User accounts with incorrect role allocations
User accounts that do not provide adequate identification, e.g. generic or shared accounts
Any other issues that do not comply with this policy
This review will be performed according to a formal procedure, and any corrective actions identified will be carried out.
...
A strong password is an essential barrier against unauthorised access. Unfortunately, this area often proves to be the weak link in an organisation’s security strategy, and a variety of ways to improve the security of user authentication are available, including various forms of multi-factor authentication and biometric techniques.
Vertic Pty Ltd policy is to make use of additional authentication methods based on a risk assessment which considers:
The value of the assets protected
The degree of threat believed to exist
The cost of the additional authentication method(s)
The ease of use and practicality of the proposed method(s)
Any other relevant controls in place
Use of multi-factor authentication methods must be justified based on the above factors and, where appropriate, securely implemented and maintained.
Single Sign-On (SSO) will be used within the internal network where supported by relevant systems unless the security requirements are deemed to be such that a further logon is required.
Whether single-factor or multi-factor authentication is used, the quality of user passwords must be enforced in all networks and systems using the following parameters (using our selected password management platform):
...
In order to maximise the security of our information every user must:
Use a strong password i.e. one which is in line with the rules set out in this policy
Never tell anyone their password or allow anyone else to use their account
Not record the password in writing or electronically e.g. in a file or email
Avoid using the same password for other user accounts, either personal or business-related
Ensure that any device they leave unattended connected to the network is locked or logged out
Leave nothing on display that may contain access information such as login names and passwords
Inform the IT Service Desk of any changes to their role and access requirements
Failure to comply with these requirements may result in the organization taking disciplinary action against the individual(s) concerned.
...
These must consist of a comprehensive security model that includes support for the following:
Creation of individual user accounts
Definition of roles or groups to which user accounts can be assigned
Allocation of permissions to objects (e.g. files, programs, menus) of different types (e.g. read, write, delete, execute) to subjects (user accounts and groups)
Provision of varying views of menu options and data according to the user account and its permission levels
User account administration, including ability to disable and delete accounts
User logon controls such as
Non-display of the password as it is entered
Account lockout once the number of incorrect logon attempts exceeds a specified threshold
Provision of information about the number of unsuccessful logon attempts and the last successful logon once the user has successfully logged on
Date and time-based logon restrictions
Device and location logon restrictions
User inactivity timeout
Password management, including
...