I. Purpose of Policy
The purpose of this Policy is to protect, and reduce risk to, business operations by establishing requirements for creating, maintaining, and controlling access to information assets. This Policy ensures that both the information assets and the information in those assets are adequately protected against unauthorized access.
II. Policy Scope
This Policy applies to all of Intelligent IT’s (IIT) Information Assets regardless of whether that is stored by IIT on-site or by a Third Party Service Provider in a hosted or cloud environment and to all IIT employees, including third parties, contractors, Third Party Service Providers, and anyone else who has, or may have, access to IIT’s data and/or information is of value to the organization, including such information as patient records, nonpublic information, intellectual property, or customer information. (together ‘Information Assets’).
III. Policy Statement
Access Control Policy
- Access to IIT’s Information Assets will be limited solely to users whose business needs, job functions, and responsibilities require such access, or to users on a need-to-know basis; such access will follow the Least Privilege Access protocol.
- The ability to approve additions, changes, and deletions to a user’s system access will be limited to specific personnel authorized by IIT and that personnel shall grant such approvals only when necessary for valid business reasons.
- The ability to create, delete, and modify user accounts, as well as to grant access to IIT’s protected data and resources will be limited to specific personnel authorized by IIT.
- Access reviews for all users and administrative access to IIT’s systems will be conducted periodically and, at a minimum, annually.
- Reported discrepancies in permitted access will be remediated immediately.
Granting & Removing User Access
- A process for establishing, activating, modifying, reviewing, disabling, and removing accounts will be formally documented, implemented, and maintained.
- Whenever there is a change in a user’s employment status, that user’s access will be reviewed and removed or revised to ensure access is limited to only that needed for legitimate business purposes.
- User access granted to third parties, including access granted to Third Party Service Providers and maintenance accounts, will be reviewed regularly, and removed or revised to ensure access is limited only to those third-party accounts with legitimate business purposes.
- Guest/anonymous, shared/group, emergency, and temporary accounts will be specifically authorized and monitored.
- Unnecessary accounts will promptly be removed, disabled, or otherwise secured.
- As a best practice, IIT will require strong passwords for all user accounts.
- Inactive accounts will be disabled after 30 days of inactivity.
- User access will be enabled only during the time period needed and disabled when an account is not in use.
- When an account is in use, access will be monitored.
- Users will be locked out after no more than 5 repeated access attempts.
- Lockout duration will be for a minimum of 30 minutes or until such personnel as authorized by IIT re-enables the user ID.
- A user will be required to re-authenticate and to re-activate the terminal or session if the session has been idle for 10 minutes.
- Users will not be permitted to use generic, shared, or service accounts to login.
Privileged Account Management (Administrative Access)
- The allocation and use of Privileged Access to IIT’s Information Systems and services will be restricted and controlled. Special attention shall be given to the allocation of Privileged Access rights, which allow users to override system controls.
- Privileged user accounts will be separate from non-privileged user accounts and privileged user accounts will be used only when Privileged Access is required to complete a specific task or function.
- All of a user’s Privileged Access to IIT’s Information Systems will be immediately revoked or revised as soon as that user’s change in employment status, job function, or responsibilities dictate that the user no longer requires such access.
- No service account will be used by more than one service, application, or system.
- Users with Privileged Access will not extend a user group’s permissions if such permissions would provide inappropriate access to any user in that group.
- When technically feasible, all servers, applications, and network devices will contain a login banner that coveys the following:
- This computer and network are provided for use by authorized members of IIT.
- The use of this computer and network are subject to all applicable policies of IIT and any applicable laws and regulations.
- The use of this computer or network constitutes acknowledgment that the user is subject to all applicable policies of IIT, laws, and regulations.
- Any other use is prohibited.
Remote Access
- A SSL or IPsec Virtual Private Network (VPN) or Multi-Factor Authentication (MFA) will be required for all individuals using an external network to access IIT’s internal network.
- IIT’s VPN will require the use of a Company-supply application or tunnel connecting back to the Company controlled firewall or VPN appliance.
- IIT’s MFA will require the use of two authentication methods: first, a username and password or PIN combination, and second, a method not based on user credentials, such as a certificate or token, that IIT shall provision to the user.
- All remote access communications to internal networks will be authenticated, encrypted, and monitored within a log.
- All machines used for remote access will have the latest antivirus, security patches, and host-based firewall software installed, running, and enabled.
- Third party access to IIT’s systems will be limited only to those specifically approved for valid business reasons.
- Copying of data containing Nonpublic Information or other highly sensitive or confidential information to a user’s remote machine is prohibited unless such copying is necessary for business purposes, approved by IIT, and the copied data is encrypted.
- Remote access will be disconnected automatically after 30 minutes of inactivity and will require a user to reauthenticate to regain access.
Review of Access Rights
- If a user’s status changes as a result of a promotion, transfer, demotion, or termination of employment, that user’s access rights will be reviewed and revised as necessary to ensure access remains limited only to those accounts with legitimate business purposes.
- System accounts will be reviewed annually, and any account that cannot be associated with a user or business process shall be disabled.
- User accounts assigned to third parties that have access to restricted or confidential information will be reviewed at least annually and access rights updated to ensure that those accounts have access only to what is needed for legitimate business purposes.
IV. Authentication
A user’s identity at IIT is comprised of many elements including their phone number and/or extension, username, office location, etc. All of these are protected by some form of authentication that proves who you are. To get into the office, you may have to use a badge or key. To use an Information Asset, users will need to log in with a username and password which comport with IIT policies regarding same.
Responsible Parties of IIT must adhere to the IIT means of authentication:
- Use passwords or PINs on all devices, including your personal phone and tablet.
- Passwords or PINs must comply with the IIT Password Policy
- Never share accounts among multiple people.
- Always enable two-factor authentication when available and offered on any application used on company devices or personal devices used for business. Contact IT if you are unsure whether or not it is supported.
- Access to our data and systems is limited to the people that need it to do their job.
V. Policy Approval
- IIT will review this Policy periodically for accuracy, completeness, and applicability, and revise and approve it annually.
