Account Setup

During initial account setup, certain checks must be performed in order to ensure the integrity of the process. The following policies apply to account setup:

• Positive ID and coordination with the Executive Team is required.

• Users will be granted least amount of network access required to perform his or her job function.

• Users will be granted access only if he or she accepts the Acceptable Use Policy.

• Access to the network will be granted in accordance with the Acceptable Use Policy.

 

Account Use

Network accounts must be implemented in a standard fashion and utilized consistently across the organization. The following policies apply to account use:

• Accounts must be created using a standard format (i.e., firstname‑lastname, or firstinitial‑lastname, etc.)

• Accounts must be password protected (refer to the Password Policy for more detailed information).

• Accounts must be for individuals only. Account sharing and group accounts are not permitted.

• User accounts must not be given administrator or 'root' access unless this is necessary to perform his or her job function.

• Occasionally guests will have a legitimate business need for access to the corporate network. When a reasonable need is demonstrated, temporary guest access is allowed. This access, however, must be severely restricted to only those resources that the guest needs at that time, and disabled when the guest's work is completed.

• Individuals requiring access to confidential data must have an individual, distinct account. This account may be subject to additional monitoring or auditing at the discretion of the company, or as required by applicable regulations or third-party agreements.

 

Account Termination

When managing network and user accounts, it is important to stay in communication with the Human Resources department so that when an employee no longer works at the company, that employee's account can be disabled. Human Resources must create a process to notify IT personnel in the event of a staffing change, which includes employment termination, employment suspension, or a change of job function (promotion, demotion, suspension, etc.).

 

Authentication

User machines must be configured to request authentication against a domain at startup. If the domain is not available or authentication for some reason cannot occur, then the machine should not be permitted to access the network.

 

Passwords and Two-Factor Authentication

All accounts must have a strong password required for initial login. When accessing network resources outside of the local network, or when accessing systems that contain confidential or protected information, two-factor authentication (such as smart cards, tokens, or biometrics) is required.

 

Remote Network Access

Remote access to the network may be provided for convenience to users but this comes at some risk to security. For that reason, the company encourages additional scrutiny of users remotely accessing the network. Due to the elevated risk, company policy dictates that when accessing the network remotely two-factor authentication (such as smart cards, tokens, or biometrics) must be used. Remote users must adhere to the Remote Access Policy.

 

Screen Lock After Inactivity

Computers can be configured to lock a user’s session after a set period of time. This provides an easy way to strengthen security by removing the opportunity for a malicious user, curious employee, or intruder to access network resources through an unattended computer. All computers are required to have a screen-locking mechanism activate after a set delay; 15 minutes is recommended. All exception to this rule must be documented for rationale, and devices must have minimal access to confidential or protected information.

 

Minimum Configuration for Access

Any system connecting to the network can have a serious impact on the security of the entire network. A vulnerability, virus, or other malware may be inadvertently introduced in this manner. For this reason, users must strictly adhere to corporate standards regarding endpoint security software and patch levels on their machines. Users must not be permitted network access if these standards are not met. This policy should be enforced with a product that provides network admission control, and at minimum requires manual auditing of any newly-introduced devices.

 

Encryption

Industry best practices state that username and password combinations must never be sent as plain text. If this information were intercepted, it could result in a serious security incident. Therefore, authentication credentials must be encrypted during transmission across any network, whether the transmission occurs internal to the company network or across a public network such as the Internet.

 

Failed Logons

Repeated logon failures can indicate an attempt to 'crack' a password and surreptitiously access a network account. In order to guard against password-guessing and brute-force attempts, the company must lock a user's account after 10 unsuccessful logins. This can be implemented as a time-based lockout or require a manual reset, at the discretion of the company.

​

In order to protect against account guessing, when logon failures occur the error message transmitted to the user must not indicate specifically whether the account name or password were incorrect. The error can be as simple as "the username and/or password you supplied were incorrect."

 

Authentication Auditing

All systems owned and used by the company must generate an authentication audit log that can be reviewed on demand. Audit log entries should contain the following information:

• Time and date of the audited event, accurate to the second

• The username used by the user or requesting entity

• The device name and/or IP address of the requesting entity

• A success or failure status

• A reason code and description for failure log entries

 

Non-Business Hours

While some security can be gained by removing account access capabilities during non-business hours, the company does not mandate time-of-day lockouts. This may be either to encourage working remotely, or because the company's business requires all-hours access.

 

Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.