Access Controls and Password Policy

Summary

All systems must authenticate the identity of Users through individually assigned unique identifiers, known as user account IDs, and authentication tokens (e.g., password, key fob, biometrics and/or multifactor authentication). All users are accountable for all activity associated with their user accounts and authentication tokens.

Body

Purpose

To reduce the cybersecurity risk to the organization, SLAM is required to design, implement and maintain a coherent set of policies, standards and procedures (collectively the Security Program) to manage risks to its data and information systems. Users are required to protect and ensure the Confidentiality, Integrity, and Availability (CIA) of data and information systems, regardless of audience, purpose, or how data is created, distributed, or stored. Security controls will be tailored accordingly so that cost-effective controls can be applied commensurate with the risk and sensitivity of the data and information system. 

Passwords are the primary form of user authentication used to maintain access control to SLAM’s information systems. To ensure that passwords provide as much security as possible, they must be carefully created and used. Without strict usage guidelines, the potential exists that passwords will be created that are easy to break, thus allowing easier illicit access to systems, and thereby compromising the security of those systems. This policy covers the requirements for authentication controls, including password constructs enforced by access controls such as Active Directory.

Definition

In the realm of IT security terminology, the National Institute of Standards and Technology (NIST) IR 7298, Revision 1, Glossary of Key Information Security Terms, is the primary reference document that SLAM uses to define common IT security terms. Key terminology to be aware of includes:

  • Control: A term describing any management, operational, or technical method that is used to manage risk. Controls are designed to monitor and measure specific aspects of standards to help SLAM accomplish stated goals or objectives.
  • CIA: Confidentiality, Integrity, and Availability of company information systems and the underlying electronic data.
  • Users: SLAM staff, volunteers, and contractors who have access to SLAM information systems and who are in a computer-related position of trust.
  • Systems: Information Technology systems (e.g., networks, operating systems, applications and databases).
  • Privileged User Accounts: Those accounts granted special access rights for particular business needs pursuant to approved procedures.

Policy

All systems must authenticate the identity of Users through individually assigned unique identifiers, known as user account IDs, and authentication tokens (e.g., password, key fob, biometrics and/or multifactor authentication). All users are accountable for all activity associated with their user accounts and authentication tokens. 

The following access control requirements are the responsibility of the IT staff:

  • Access to specific systems is granted based on the principles of “least privilege” and “need to know.” This means that access must be restricted to the minimum level necessary for legitimate business operations. In other words, no one should have access to information unless such access is necessary for business operations that are authorized and in compliance with all business and legal requirements. Business operation managers decide who is allowed access to specific business systems and direct IT staff to add, change, or delete the user access. IT staff maintain the audit trail of user access requests and approvals.
  • Requests for addition, deletion or modification of access privileges must be submitted to IT staff through Team Dynamix. Where a User has been terminated or transferred, the user's supervisor/manager and/or HR must provide documentation of such change in status to IT staff, and IT staff must terminate such accounts promptly upon receiving notice.
  • The number of privileged user accounts shall be strictly limited to the minimum absolutely necessary for authorized business purposes.  Privileged accounts shall be reviewed periodically (at least annually) to ensure ongoing access complies with business and legal requirements.
  • Access to system administration accounts must require multifactor authentication. Additionally, user account access must require multifactor authentication when accessing systems remotely from external (i.e. off site) networks.
  • Systems must utilize automated techniques and safeguards to lock sessions and require authentication or re-authentication after each period of inactivity. While the session is locked, any system display must conceal non-public information (e.g. through the use of a “screen saver” or a blank screen).
  • All systems must utilize automated techniques and safeguards to terminate sessions based on inactivity. This does not remove the responsibility for users to manually lock their device when stepping away. Please refer to the Internal Access Review Process and Procedures documentation.

Users must adhere to the following access control requirements:

  • Authentication tokens, passwords, etc. must not be stored on paper, or in an electronic file, hand-held device or browser, unless they can be stored securely and the method of storing (e.g., 1Password) has been approved by IT staff. IT may provide or prescribe approved methods for safeguarding passwords, tokens, etc. Use of non-approved safeguards is prohibited.
  • Users must select or be assigned passwords that match the following constructs as a minimum:
      ◦ Minimum length of 8 characters
      ◦ Contain both upper- and lower-case letters
      ◦ Contain at least 1 number
      ◦ Contain at least 1 special character

  • Passwords will have a maximum lifespan of 90 days.
  • Passwords may not be reused.
  • Passwords are to be obscured during entry into information system login screens and are to be transmitted in an encrypted format.
  • Passwords are to be individually owned and kept confidential and are not to be shared under any circumstances. Functionality requiring the use of shared accounts and shared passwords should be brought to the attention of IT for remediation. 

Approval and Ownership

Owner             Title                        Date
Phillip Deleel    Director of IT               03/29/2021

Approved By       Title                        Date
Carolyn Schmidt   Deputy Director/Controller   05/13/2021

Revision History

Version   Description   Revision Date   Review Date   Reviewer / Approver Name
1.0       Final         03/29/2021      05/13/2021    Carolyn Schmidt
1.0       Review                        03/30/2023    Phillip Deleel
2.0       Review                        3/18/2024     Phillip Deleel
3.0       Review                        3/25/2025     Phillip Deleel

Details

Article ID: 131019
Created
Tue 4/6/21 2:25 PM
Modified
Tue 3/25/25 4:43 PM