This group of policies applies to computers and information systems. Authentication
policies often form the largest collection of policy statements in a computer
environment, because authentication systems and their variations are complex and
because they have the greatest day-to-day impact on the average computer user.
Password policies are often the largest subset of authentication policies.
Account/Password Authentication: All users of information systems must be
authenticated by a unique account and password combination. Each account name
must be used by a single individual only, and the password must be a secret
known only to that individual.
New Account Requests: The manager responsible for a new end user must request
a new account for that user's access to corporate information systems. End
users may not request their own accounts. Each new account request must be
recorded and logged. When the account is no longer needed, it must be disabled.
Account Changes: The manager responsible for an end user must request any
change to the access privileges of that user's account on corporate information
systems. End users may not request access-privilege changes to their own
accounts. Each request must be recorded and logged.
Two-Factor Authentication: All administrators of critical information servers
must be authenticated with a token card and a PIN code. The individual is
uniquely identified by possession of the token card (something they have) and
knowledge of a secret PIN code known only to that user (something they know).
Desktop Command Access: Access to operating system components and system
administration commands on end-user workstations or desktop systems is
restricted to system support staff. End users are granted access only to the
commands required to perform their job functions.
Generic User Accounts: Generic system accounts for use by people are
prohibited. Each system account must be traceable to a single specific
individual who is responsible and accountable for its use. Passwords may not be
shared with any other person.
Inactive Screen Lock: Computer systems that are left unattended must be
configured to lock the screen with a password-protected screensaver after a
period of inactivity. This screen locking must be configured on each computer
system so that an unattended computer does not become a means of gaining
unauthorized access to the network.
Login Message: All computer systems that connect to the network must display a
message before connecting the user to the network. The intent of the login
message is to remind users that information stored on the organization's
information systems belongs to the organization and should not be considered
private or personal. The message must also direct users to the corporate
information system usage policy for more detailed information, and must state
that by logging on, and by continuing to use the system, the user agrees to
abide by the terms of that usage policy.
Failed Login Account Disabling: After ten successive failed login attempts, a
system account must be automatically disabled to reduce the risk of
unauthorized access by password guessing. Any legitimate user whose account has
been disabled in this manner may have it reactivated by providing both proof of
identity and management approval for reactivation. Because anyone who knows an
account name can trigger this lockout deliberately, repeated lockouts should be
reviewed as a possible attack rather than treated only as user error.
Password Construction: Account names must not be used in passwords in any
form. Dictionary words and proper names must not be used in passwords in any
form. Numbers that are common or specific to the user (for example a birth
date, phone number, or employee number) must not be used in passwords in any
form. Passwords shorter than eight characters are not allowed.
Password Expiration: A password may be used for a maximum of 3 months. When
this period expires, the system must require the user to change the password.
The system authentication software must enforce this policy.
Password Privacy: Passwords that are written down must be concealed in a way
that hides the fact that the written text is a password. When written, a
password should appear as part of a meaningless or unimportant phrase or
message, or be encoded in a phrase or message that means something to the
password owner but to nobody else. Passwords sent via e-mail must use the same
concealment and encoding as passwords that are written down, and in addition
must be encrypted using strong encryption.
Password Reset: When a new password must be selected to replace an old one
outside the normally scheduled password change period, such as when a user has
forgotten their password or when an account has been disabled and is being
reactivated, the new password may only be created by the end user, to protect
the privacy of the password.
Password Reuse: When a user changes a password, the last six previously used
passwords may not be reused. The system authentication software must enforce
this policy.
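The construction rules above and the six-password reuse rule are the two checks an authentication system has to run at the moment a user picks a new password. The following is an added example of how those checks fit together; it is not code from the original page. The eight-character minimum and the six-entry history come from the policy text; the small word list, the leetspeak substitution table, the PBKDF2 parameters and all function names are this example's own assumptions.

```python
"""Password construction and reuse checks.

Added example, not from the original page. Rule thresholds (eight characters,
six-password history) come from the policy text; the dictionary, the leetspeak
table and the helper names are this example's own assumptions.
"""
import hashlib
import hmac
import os
import re

# Constructed stand-in for a real word list; a deployment would load a full one.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "secret"}
HISTORY_DEPTH = 6   # policy: the last six passwords may not be reused
MIN_LENGTH = 8      # policy: passwords shorter than eight characters are not allowed

# Common substitutions, so "P@ssw0rd" is recognised as a form of "password".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def _forms(word):
    """Variants of a word treated as 'the word in any form': lowercase and reversed."""
    w = word.lower()
    return {w, w[::-1]}


def _views(password):
    """Lowercased candidate, with and without leetspeak substitutions undone."""
    low = password.lower()
    return {low, low.translate(_LEET)}


def _contains(password, word):
    """True if any form of the word appears in any view of the password."""
    return any(f in v for f in _forms(word) for v in _views(password))


def construction_violations(password, account_name, user_numbers=(), dictionary=DICTIONARY):
    """Return the list of construction rules the candidate breaks (empty if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if _contains(password, account_name):
        problems.append("contains the account name")
    for word in sorted(dictionary):
        if len(word) >= 4 and _contains(password, word):
            problems.append("contains dictionary word '%s'" % word)
    # "Numbers common or specific to the user" (birth year, phone, employee ID):
    # compare digit strings so that 19-85 and 1985 are both caught.
    digits = re.sub(r"\D", "", password)
    for number in user_numbers:
        n = re.sub(r"\D", "", number)
        if len(n) >= 4 and n in digits:
            problems.append("contains user-specific number '%s'" % number)
    return problems


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-entry salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def matches_history(password, history):
    """True if the candidate equals any of the last HISTORY_DEPTH (salt, digest) pairs.

    Only salted hashes are stored, so the old passwords themselves are never kept."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password, account_name, history=(), user_numbers=()):
    """All policy violations for a candidate password; an empty list means accepted."""
    problems = construction_violations(password, account_name, user_numbers)
    if matches_history(password, list(history)):
        problems.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    return problems


if __name__ == "__main__":
    old_salt, old_digest = hash_password("OldPass!1")
    history = [(old_salt, old_digest)]
    for candidate in ("P@ssw0rd1", "htimsj99!!", "Qz7#Lm1985", "OldPass!1", "Xk9#mQ2vLp7!"):
        print(candidate, "->", check_password(candidate, "jsmith", history, ("1985",)) or "accepted")
```

The history check deliberately recomputes the hash with each stored salt rather than storing the old passwords in any recoverable form; the reuse rule can be enforced without the system ever holding a password it could leak.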
Employee Account Lifetime: Permanent employee system accounts remain valid for
a period of 12 months, unless otherwise requested by the employee's manager.
The maximum requested lifetime of an account is 24 months. After the lifetime
of the account has expired, it can be reactivated for the same length of time
upon presentation of both proof of identity and management approval for
reactivation.
Contractor Account Lifetime: Contractor system accounts remain valid for a
period of 12 months, unless otherwise requested by the contractor's manager.
The maximum requested lifetime of an account is 24 months. After the lifetime
of the account has expired, it can be reactivated for the same length of time
upon presentation of both proof of identity and management approval for
reactivation.
Business Partner Account Lifetime: Business partner system accounts remain
valid for a period of 3 months, unless otherwise requested by the manager
responsible for the business relationship with the partner. The maximum
requested lifetime of an account is 12 months. After the lifetime of the
account has expired, it can be reactivated for the same length of time upon
presentation of both proof of identity and management approval for
reactivation.
Same Passwords: The same password may be used on separate computer systems.
Any password that is used on more than one system must adhere to the policy on
password construction. Note that a password reused across systems is only as
safe as the least protected of those systems: if one of them is compromised,
the others are exposed as well.
Generic Application Accounts: Generic system accounts for use by applications,
databases, or operating systems are allowed when there is a business
requirement for software to authenticate to other software. Extra precautions
must be taken to protect the password of any such account. Whenever a person no
longer needs to know the password, it must be changed immediately. If the
software is no longer in use, the account must be disabled.
Inactive Accounts: System accounts that have not been used for a period of 90
days will be automatically disabled, to reduce the risk of unused accounts
being exploited by unauthorized parties. Any legitimate user whose account has
been disabled in this manner may have it reactivated by providing both proof of
identity and management approval for reactivation.
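The failed-login rule above and the inactive-account rule here are both decisions an authentication server makes from its own login history, and both end in the same reactivation step. The following is an added example showing the two rules applied to a replay of login events; it is not code from the original page. The ten-attempt threshold and the 90-day window come from the policy text; the event format, the sample events and account records (constructed for this example) and the function names are this example's own assumptions.

```python
"""Failed-login disabling and inactive-account detection.

Added example, not from the original page. The ten-attempt and 90-day
thresholds come from the policy text; the event format, the sample data and
the function names are this example's own assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 10   # policy: ten successive failed logins disable the account
INACTIVE_DAYS = 90       # policy: 90 days without use disables the account

_T = datetime.fromisoformat
REFERENCE_NOW = _T("2025-06-01T00:00:00")   # constructed "today" for the inactivity check

# Constructed sample events: (timestamp, account, outcome). In a real system
# these would be read from the authentication server's log.
SAMPLE_EVENTS = (
    [(_T("2025-05-20T09:00:00") + timedelta(seconds=i), "alice", "failure") for i in range(3)]
    + [(_T("2025-05-20T09:01:00"), "alice", "success")]   # success resets alice's counter
    + [(_T("2025-05-01T08:00:00"), "bob", "success")]
    + [(_T("2025-05-21T02:00:00") + timedelta(seconds=i), "bob", "failure") for i in range(10)]
    + [(_T("2025-05-21T02:05:00"), "bob", "success")]     # arrives after bob is disabled
    + [(_T("2025-01-05T08:30:00"), "carol", "success")]
)

# Constructed account records: name -> creation date (dave has never logged in).
ACCOUNTS = {
    "alice": _T("2024-11-01"),
    "bob": _T("2024-11-01"),
    "carol": _T("2024-11-01"),
    "dave": _T("2025-01-01"),
}


def process_events(events):
    """Replay events in time order and apply the failed-login rule.

    Returns (disabled, last_success): the set of accounts disabled for
    successive failures, and each account's most recent successful login.
    A success resets the failure counter; events for an already-disabled
    account are ignored, since the system must refuse them until a person
    reactivates the account with proof of identity and management approval.
    """
    failures = defaultdict(int)
    disabled = set()
    last_success = {}
    for ts, account, outcome in sorted(events):
        if account in disabled:
            continue
        if outcome == "success":
            failures[account] = 0
            last_success[account] = ts
        elif outcome == "failure":
            failures[account] += 1
            if failures[account] >= LOCKOUT_THRESHOLD:
                disabled.add(account)
    return disabled, last_success


def inactive_accounts(last_success, accounts, now):
    """Accounts unused for more than INACTIVE_DAYS.

    An account that has never logged in is measured from its creation date,
    so accounts that were provisioned but never used are caught as well.
    """
    cutoff = now - timedelta(days=INACTIVE_DAYS)
    return {name for name, created in accounts.items()
            if last_success.get(name, created) < cutoff}


def reactivate(account, disabled, identity_verified, manager_approved):
    """Re-enable a disabled account only when both conditions the policy
    requires are met; returns True if the account was re-enabled."""
    if account in disabled and identity_verified and manager_approved:
        disabled.discard(account)
        return True
    return False


if __name__ == "__main__":
    disabled, last = process_events(SAMPLE_EVENTS)
    print("disabled for failed logins:", sorted(disabled))
    print("inactive accounts:", sorted(inactive_accounts(last, ACCOUNTS, REFERENCE_NOW)))
```

Measuring inactivity from the creation date for accounts that have never logged in matters in practice: an account requested for a new starter who never arrives, or for a contractor whose engagement was cancelled, would otherwise never be noticed by a check that only looks at past logins.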
Unattended Session Log-off: Login sessions that are left unattended must be
automatically logged off after a period of inactivity. This automatic log-off
must be configured on each server system so that idle sessions do not become a
means of gaining unauthorized access to the network.
User-Constructed Passwords: Only the individual owner of an account may create
its passwords, to help ensure the privacy of each password. No support staff
member, colleague, or computer program may generate passwords on the user's
behalf.
User Separation: The system architecture must block each individual user from
accessing other users' data. This separation must be enforced by all systems
that store or access electronic information. Each user must have a well-defined
set of information that is kept in a private area of the data storage system.
Multiple Simultaneous Logins: More than one login session at a time on any
server is prohibited, with the exception of support staff. User accounts must
be configured to disallow multiple login sessions by default for all users.
Where exceptions are made for support staff, those accounts must be modified
individually to allow multiple sessions.