Policy Logon/Logoff

R

C

I

1.     Identification (a user ID) and authentication (a password) are required before any system access is permitted, including re-connections. 

x

x

x

1.     The maximum number of consecutive attempts over one or more sessions to sign on with an invalid user ID/password combination must be limited to 4.  After the threshold has been reached, the user is disconnected and the user ID is suspended. Intervention by the security manager is required to activate the user ID.  If access to both internal and restricted data is required, restricted access rules apply. 

x

x

2.     Procedures must be in effect to suspend logon IDs for employees who are on inactive status or who terminate or transfer (and no longer need this capability). 

x

x

x

3.     Employee IDs must be uniquely identifiable by either social security number or employee number. Non‑employee IDs must also be identifiable e.g.: contractor,  production IDs, customers, etc.

x

x

x

4.     Controls will be provided to identify and deactivate the IDs that belong to customers who no longer have authorization to use the network. (The control used for identification may be a contractual agreement with the customer.)

x

x

N/a

5.     Administration Ids should be stored in a safe place and not used unless in an emergenct situation.

Policy Logon/Logoff

R

C

I

6.     Controls will be provided that can detect a sign on attempt to the network using an ID already validated and in session, and prevent access. This event must be logged. 

x

7.     The security manager or security officer has the capability to suspend logon IDs. 

x

x

x

8.     The company name and logo are not disclosed on the user's screen or terminal until after the user has successfully logged onto the network. A trespass message should be displayed at logon time.

x

x

x

9.     Access can be limited by the hour (i.e. 8am to 5pm) and/or by the day of the week and holidays. These controls should be effective across time zones (the computer in one time zone, the user in another).

x

10.  Corporate policy must state that IDs and passwords cannot be shared.  Audit trails of session activity (logon, logoff, connect time, resources, and type of access) are created and retained for a minimum of one year. 

x

x

x

11.  Controls exist to display to the user the last time the user's logon ID and password were logged onto the system so that unauthorized use of user IDs can be detected (i.e., When user logs on, a message will be displayed: “Last logon”...).

x

x

x

12.  Attempts to logon without a valid user identification / verification combination must be failed only after both items have been entered. There must be no error messages stating the reason for failure.

x

x

13.  The system should not display any functions the user is not authorized to use in the current session.

x

x

14.  Non-employee IDs can be set to expire at a predefined date.

x

x

x

15.  Is the default ID or GROUP deactivated?

x

x

x

16.  WEB access is limited to authorized users only.

x

x

17.  WEB users can only access authorized data.

x

x

18.  Telecommuting access/remote access will in addition use smart token security for authentication

x

x

x

Policy Password

R

C

I

1.     The minimum password length must be 7 characters or longer. Passwords can be up to 240 characters long. Best is to use Password Phrases. I.E. “My first Dog Tasso died age 12”. Easy to remember, but hard to guess. Use something you know, but nobody else.

x

x

x

2.     The maximum number of consecutive password violations before suspension occurs must be four. 

x

x

3.     Password values must be changed periodically.  For restricted systems passwords must be changed every 30 days, for Confidential and internal use, 90 days. The password cannot be changed back to itself (i.e., the new valid password supplied must be different from the last 23 passwords used). The password value should not be easy to guess. The password must be complex, I.E. contain a mixture of alphanumeric and special characters.  A warning message will be issued 5 days prior to the password expiration date. 

x

x

x

4.     A procedure will be in place to suspend a user ID 14 days after the password expiration date if no password change has been made. 

x

x

x

5.     Access to password datasets must be restricted to the minimum number of authorized personnel required to maintain the system. 

x

x

x

6.     Initial password must be unique and communicated to user in a secure manner.

x

x

x

7.     A password change must be forced during the initial sign on. 

x

x

x

8.     The security administrator can reset the password.  When the reset password is issued to the user, it must be changed during the initial sign on session. 

x

x

x

9.     Passwords are never displayed on the terminal screen during session sign on, or in clear text on any other media. 

x

x

x

Policy Password

R

C

I

10.  Passwords are stored one way encrypted (that is, decryption is not possible). 

x

x

x

11.  Passwords in clear text are destroyed in storage after encryption.

x

x

x

12.  An audit trail must exist for password changes and violations. The audit trail must be retained for a minimum of one year. 

x

x

x

13.  Password violation count is stored and reset only after a valid entry. 

x

x

x

14.  At the time the user is forced by the system to change password values, a message is displayed stating that it is the company corporate policy that IDs/passwords are not to be shared.

x

x

x

Policy Session

R

C

I

1.     Users may not leave terminals logged on unattended. A user is automatically disconnected or logged off from the system if no activity has occurred within a specified period of 15 minutes. Reconnections require revalidation. 

x

x

x

2.     A user must be limited to authorized applications.

x

x

x

Policy Computer Environmental

R

C

I

1.  See audit trails

2.     Exception reports of unauthorized access attempts will be generated such as:

·       Reporting of all unauthorized attempts to access system (sign-on).

·       Reporting of all unauthorized attempts to access system resources.

·       Reporting of all unauthorized attempts to view or change security definitions and rules.

·       Reporting of all resource access privileges by user ID

The proponent or his/her delegate will define the extent of exception reporting. Department managers of persons attempting unauthorized access and the proponent of the denied resources must review the exception reports and take corrective action.

x

x

3.     The company must initiate vendor connection from remote locations for diagnostics and maintenance.

x

x

x

4.     Suspiciously high levels of unauthorized access attempts must be brought to the attention of attendant technicians by an alarm mechanism.

x

x

x

5.     The unauthorized alteration or bypassing of security facilities must be prevented.

x

x

x

6.     Control software must prevent application programs from attaining privileged status.

x

x

x

7.     The application must beY2k compliant.

x

x

x

Policy Transmission

R

C

I

1.     GUI – passwords must be done in an approved secure manner, I.E. encrypted

x

x

x

2.     API – passwords must be done in an approved secure manner, I.E. encrypted

x

x

x

3.     EDI – passwords must be done in an approved secure manner, I.E. encrypted

x

x

x

4.     Client to Application Server passwords must be encrypted

x

x

x

5.     Application Server to SQL server passwords must be encrypted

x

x

x

Policy Logon/Logoff Audit trails

R

C

I

1. Contains User ID

x

x

x

2. Contains time and date of logon/logoff.

x

x

x

3. Retention period minimum of one year.

x

x

x

4. Exception reporting must be done in an approved manner.

x

x

x

Policy Transaction Audit trail

R

C

I

1. Contains User ID.

x

x

x

2. Contains time and date of logon/logoff.

x

x

x

3. Retention period minimum of one year.

x

x

x

4. Exception reporting, see above

x

x

5. Identifies Transaction

x

x

6. Unique transaction number

x

x

7. All access events can be reconstructed

x

x

Policy Transaction log

R

C

I

1. There must be a transaction log

2. Audit trail used can be as transaction log if it contains approved information

3. Before and after image should be done for updates

x

x

4. Contains User ID

x

x

5. Contains time and date of logon/logoff

x

x

6. Retention period minimum of one year

x

x

7. Exception reporting, see above

x

x

8. Identifies transaction

x

x

9. Unique transaction number

x

x

10. All access events can be reconstructed

x

x

Policy Recovery of the Servers

C

L

N

1. Real time recovery - different location

x

2. Real time recover - same location

x

x

3. Back up and restore of data bases & software.

x

x

x

4. Apply transactions from transaction log - real time

x

x

5. Apply transactions from transaction log - off-line

x

x

x

6. Backup of data bases - off site storage

x

x

x

7. Backup of transaction log- off site storage

x

x

x