Network Access & Authentication Policy
Consistent standards for network access and authentication are critical to the company's information security and are often required by regulations or third-party agreements. Any user accessing the company's computer systems has the ability to affect the security of all users of the network. An appropriate Network Access and Authentication Policy reduces risk of a security incident by requiring consistent application of authentication and access standards across the network.
The purpose of this policy is to describe what steps must be taken to ensure that users connecting to the corporate network are authenticated in an appropriate manner, in compliance with company standards, and are given the least amount of access required to perform their job function. This policy specifies what constitutes appropriate use of network accounts and authentication standards.
The scope of this policy includes all users who have access to company-owned or company-provided computers or require access to the corporate network and/or systems. This policy applies not only to employees, but also to guests, contractors, and anyone requiring access to the corporate network. Public access to the company's externally-reachable systems, such as its corporate website or public web applications, is specifically excluded from this policy.
During initial account setup, certain checks must be performed in order to ensure the integrity of the process. The following policies apply to account setup:
Positive ID and coordination with the Executive Team is required.
Users will be granted the least amount of network access required to perform their job function.
Users will be granted access only if they accept the Acceptable Use Policy.
Access to the network will be granted in accordance with the Acceptable Use Policy.
Network accounts must be implemented in a standard fashion and utilized consistently across the organization. The following policies apply to account use:
Accounts must be created using a standard format (e.g., firstname-lastname or firstinitial-lastname).
Accounts must be password protected (refer to the Password Policy for more detailed information).
Accounts must be for individuals only. Account sharing and group accounts are not permitted.
User accounts must not be given administrator or 'root' access unless this is necessary to perform the user's job function.
Occasionally guests will have a legitimate business need for access to the corporate network. When a reasonable need is demonstrated, temporary guest access is allowed. This access, however, must be severely restricted to only those resources that the guest needs at that time, and disabled when the guest's work is completed.
Individuals requiring access to confidential data must have an individual, distinct account. This account may be subject to additional monitoring or auditing at the discretion of the company, or as required by applicable regulations or third-party agreements.
When managing network and user accounts, it is important to stay in communication with the Human Resources department so that when an employee no longer works at the company, that employee's account can be disabled. Human Resources must create a process to notify IT personnel in the event of a staffing change, which includes employment termination, employment suspension, or a change of job function (promotion, demotion, suspension, etc.).
User machines must be configured to request authentication against a domain at startup. If the domain is not available or authentication for some reason cannot occur, then the machine should not be permitted to access the network.
Passwords and Two-Factor Authentication
All accounts must have a strong password required for initial login. When accessing network resources outside of the local network, or when accessing systems that contain confidential or protected information, two-factor authentication (such as smart cards, tokens, or biometrics) is required.
Remote Network Access
Remote access to the network may be provided for convenience to users but this comes at some risk to security. For that reason, the company encourages additional scrutiny of users remotely accessing the network. Due to the elevated risk, company policy dictates that when accessing the network remotely two-factor authentication (such as smart cards, tokens, or biometrics) must be used. Remote users must adhere to the Remote Access Policy.
Screen Lock After Inactivity
Computers can be configured to lock a user's session after a set period of inactivity. This provides an easy way to strengthen security by removing the opportunity for a malicious user, curious employee, or intruder to access network resources through an unattended computer. All computers are required to have a screen-locking mechanism activate after a set delay; 15 minutes is recommended. All exceptions to this rule must be documented with a rationale, and the excepted devices must have minimal access to confidential or protected information.
Minimum Configuration for Access
Any system connecting to the network can have a serious impact on the security of the entire network. A vulnerability, virus, or other malware may be inadvertently introduced in this manner. For this reason, users must strictly adhere to corporate standards regarding endpoint security software and patch levels on their machines. Users must not be permitted network access if these standards are not met. This policy should be enforced with a product that provides network admission control and, at a minimum, requires manual auditing of any newly introduced devices.
Industry best practices state that username and password combinations must never be sent as plain text. If this information were intercepted, it could result in a serious security incident. Therefore, authentication credentials must be encrypted during transmission across any network, whether the transmission occurs internal to the company network or across a public network such as the Internet.
Repeated logon failures can indicate an attempt to 'crack' a password and surreptitiously access a network account. In order to guard against password-guessing and brute-force attempts, the company must lock a user's account after 10 unsuccessful logins. This can be implemented as a time-based lockout or require a manual reset, at the discretion of the company.
In order to protect against account guessing, when logon failures occur the error message transmitted to the user must not indicate specifically whether the account name or the password was incorrect. The error can be as simple as "the username and/or password you supplied were incorrect."
All systems owned and used by the company must generate an authentication audit log that can be reviewed on demand. Audit log entries should contain the following information:
Time and date of the audited event, accurate to the second
The username used by the user or requesting entity
The device name and/or IP address of the requesting entity
A success or failure status
A reason code and description for failure log entries
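The three requirements above (lockout after 10 unsuccessful logins, a uniform error message that does not reveal which field was wrong, and a per-attempt audit entry with timestamp, username, source, status and failure reason) can be implemented together in one login handler. The following is an added illustration, not part of this policy or any company system; the 30-minute time-based lockout, the reason codes, the plaintext sample secret and the IP addresses are constructed assumptions.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILURES = 10            # lockout threshold stated in the policy
LOCKOUT_SECONDS = 30 * 60    # assumed duration; the policy leaves it to the company
GENERIC_ERROR = "The username and/or password you supplied were incorrect."


@dataclass
class Account:
    secret: str                           # constructed sample; a real store holds a hash
    failures: int = 0
    locked_until: Optional[float] = None  # epoch seconds, None when not locked


@dataclass
class Authenticator:
    accounts: dict
    audit_log: list = field(default_factory=list)

    def _audit(self, now, user, source, status, code=None, reason=None):
        # One entry per attempt with the fields the policy requires: second-accurate
        # timestamp, username, requesting device/IP, status, and on failure a reason
        # code plus description (assumed AUTH-xxx codes).
        entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)),
                 "user": user, "source": source, "status": status}
        if status == "FAILURE":
            entry["reason_code"], entry["reason"] = code, reason
        self.audit_log.append(entry)

    def login(self, user, password, source, now=None):
        """Return (success, message); the message never says which field was wrong."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            self._audit(now, user, source, "FAILURE", "AUTH-001", "unknown account")
            return False, GENERIC_ERROR
        if acct.locked_until is not None and now < acct.locked_until:
            self._audit(now, user, source, "FAILURE", "AUTH-003", "account locked")
            return False, GENERIC_ERROR
        if not hmac.compare_digest(password.encode(), acct.secret.encode()):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:   # 10th failure locks the account
                acct.failures, acct.locked_until = 0, now + LOCKOUT_SECONDS
                self._audit(now, user, source, "FAILURE", "AUTH-003", "lockout threshold reached")
            else:
                self._audit(now, user, source, "FAILURE", "AUTH-002", "bad password")
            return False, GENERIC_ERROR
        acct.failures, acct.locked_until = 0, None
        self._audit(now, user, source, "SUCCESS")
        return True, "OK"
```

The unknown-account, bad-password and locked-account paths all return the same message to the user; only the audit log records which one occurred.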
While some security can be gained by removing account access capabilities during non-business hours, the company does not mandate time-of-day lockouts. This may be either to encourage working remotely, or because the company's business requires all-hours access.
Applicability of Other Policies
This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.
This policy will be enforced by the Executive Team and supported by IT personnel. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.
Antivirus Software: An application used to protect a computer from viruses, typically through real-time defenses and periodic scanning. Antivirus software has evolved to cover other threats, including Trojans, spyware, and other malware.
Authentication: A security method used to verify the identity of a user and authorize access to a system or network.
Biometrics: The process of using a person's unique physical characteristics to prove that person's identity. Commonly used are fingerprints, retinal patterns, and hand geometry.
Encryption: The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored.
Password: A sequence of characters that is used to authenticate a user to a file, computer, or network. Also known as a passphrase or passcode.