Business Requirement for Access Control

Commonwealth of Massachusetts
Information Technology Division
Enterprise Access Control Policy
Reference #: ITD-SEC-X.X
Issue Date: Month XX, 2010
Issue #: No. Pri #17 Draft v. 0.4
TABLE OF CONTENTS
EXECUTIVE SUMMARY ............................................................................................. 1
WHO THIS POLICY APPLIES TO................................................................................. 2
POLICY STATEMENT ................................................................................................ 2
ROLES AND RESPONSIBILITIES .................................................................................. 9
RELATED DOCUMENTS ........................................................................................... 10
CONTACT.............................................................................................................. 11
TERMS ................................................................................................................. 12
DOCUMENT HISTORY ............................................................................................. 14
EXECUTIVE SUMMARY
This policy articulates requirements to ensure that appropriate security and
access controls are applied to applications, information assets, Information
Technology (IT) Resources and infrastructure for local and remote access to
prevent any compromise of confidentiality, integrity and availability of the data
and IT Resources used to manage the services provided by Commonwealth
agencies, authorities, and business partners. In addition, the purpose of this
policy is to ensure that remote access to the Wide Area Network (WAN) and all
Commonwealth IT domains does not result in an unacceptable level of risk to the
security of the connected IT systems. Since a security breach committed or
caused by one agency WAN user can adversely impact other agency members
or the entire IT environment, all agencies must take responsibility for their
system’s security by adhering to the requirements of this policy.
It is the responsibility of Agency Heads to have the appropriate combination of
controls (administrative, technical, physical) in place and in effect that provide
reasonable assurance that security objectives are addressed. Agencies must
achieve compliance with the overall information security goals of the
Commonwealth including compliance with laws, regulations, policies and
standards to which their technology resources and data, including but not limited
to personal information, are subject.
- Uncontrolled if printed -
Page 1 of 14
Medium sensitivity
WHO THIS POLICY APPLIES TO
All Secretariats and their respective Agencies and entities governed by the
overarching Enterprise Information Security Policy must adhere to requirements
of this supporting policy.
• Executive Department Secretariats and their respective Agencies,[1] in
addition to any agency or third party that connects to the Commonwealth's
wide area network (MAGNet), must comply with this policy.
• Executive Department Secretariats and their respective Agencies are
required to ensure compliance by any business partner that accesses
Executive Department IT Resources or shared environments, e.g. MAGNet;
and
• Executive Department Secretariats and their respective Agencies are
required to ensure compliance by third parties in any aspect of the process of
providing goods and services to their agency. These include, but are not
limited to, electronic data collection, storage, processing, disposal,
dissemination and maintenance. Third parties that interact in any way with
Executive Department Commonwealth IT Resources, e.g. MAGNet, are
required to comply with this policy.
Other Commonwealth entities are encouraged to adopt, at a minimum, security
requirements in accordance with this Enterprise Access Control Policy or a more
stringent agency policy that addresses agency specific and business related
directives, laws, and regulations.
POLICY STATEMENT
BUSINESS REQUIREMENT FOR ACCESS CONTROL
Executive Department Secretariats and their respective Agencies are required to
implement controls for authorized access to information, IT Resources,
information processing facilities, and business processes on the basis of
business and security requirements. This policy is preconditioned upon having
performed for all users, background verification checks (as part of human
resource security procedures) for employees, contractors and third party users in
accordance with relevant ethics, laws and regulations commensurate with
business requirements, data classes to be accessed and the perceived risks.
The following must be applied when evaluating and implementing access
controls:
1. Access to IT systems must be commensurate with security requirements
of that system and the classification of data it provides access to.
[1] The Executive Department consists of the Executive Branch minus the Constitutional
Offices, i.e., the State Auditor, State Treasurer, the Attorney General, and the Secretary of the
Commonwealth.
2. Authentication methods used for systems classified as having medium
sensitivity must, at a minimum, require a username/password combination
to verify the user's identity.
3. Agencies must develop and/or maintain an access control policy, covering
remote access, that documents the agency's authorized and acceptable
remote access methods.
USER ACCESS MANAGEMENT
1. User Registration
Agencies must have an appropriate Human Resource identity proofing and
pre-provisioning process in place to ensure and verify an individual’s identity
prior to the creation of user accounts and associated IT Resource access.
Agencies are responsible for applying sufficient user registration controls that
accomplish the following:
a. Provide an inclusive and exhaustive listing of all users to be
registered;
b. Provide unique identification of each enabled user;
c. Administer the permissions of authorized users within a system or
environment as required by the business owner and appropriate
stakeholders;
d. Provide authorized users with documentation of their access rights
and responsibilities, and verification of user acceptance of those terms;
e. Ensure that service providers do not grant access until authorization
procedures have been completed;
f. Maintain system/environment-specific documentation of current
users and their access;
g. Allow for appropriate blocking of access based on role changes or
change of employment status;
h. Ensure that user IDs are unique and that an ID is never reissued to
another user.
2. Privilege Management
Access control rules must take into account existing policies for information
dissemination and authorization, applying the principle of:
Least privilege: grant only the lowest level of access, rights, privileges and
security permissions needed to perform authorized tasks on all IT
systems. This includes:
a. Allocation of user privileges on a need-to-use basis, per system and
per application;
b. Allocation of user privileges per business requirements, with the
minimum privileges required for each functional role;
c. Restriction of system administration privileges and of log-on with "super
user" accounts.
d. Agencies must adhere to the principle of separation of duties when
assigning job responsibilities and roles relating to restricted IT Resources
or to IT Resources identified as mission critical and classified as high
sensitivity.
e. Agencies must limit and provide access to IT systems and users
based upon the following criteria: system and data classification,
business requirements, job function, related responsibilities or
“need to know”. Unique roles and responsibilities must be assigned
with consideration for the segregation of access control roles (i.e.
access request, access authorization, and access administration)
and management to reduce the risk of accidental or deliberate
system or application misuse. Implementation and enforcement of
the separation of duties security principle provides a mechanism to
manage conflict of interest and restricts the amount of power and/or
control by an individual while reducing risk of system or application
misuse.
3. User Password Management
Agencies must allocate complex passwords through a formalized and preferably
automated process that requires users to change their passwords at periodic
intervals and restricts re-use of previously used passwords.
4. Review of User Access Rights
Agencies must establish procedures to cover all phases in the life-cycle of
user access, authorization and privileges from provisioning to de-provisioning.
User accounts and associated access and authorization in all systems (e.g.
Active Directory as well as within applications themselves) must be reviewed
at regular intervals or when employment or information system changes occur
which impact their roles, responsibilities and system access requirements.
Agencies should implement session time-outs for inactive sessions, with the
time-out period depending upon the application type, the classification of the
data, and the types of access to the data and IT systems, to reduce the risk of
access by unauthorized persons. This includes:
a. Invoking account lock-outs following a fixed number of unsuccessful
log-on attempts;
b. Enforcing user screen/computer lock-out settings upon the assigned
period of inactivity (e.g. a password-protected screen saver); and
c. Requiring re-authentication before a locked or timed-out session is resumed.
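As an added illustration, not code from the policy or from the Commonwealth, the following Python models the controls in User Password Management and in items a to c above: a complexity rule, a history that refuses re-use, lock-out after a fixed number of failed log-ons, and an idle time-out after which the session can only be resumed by authenticating again (lock-out included). The thresholds, the PBKDF2 parameters and the sample passwords are assumptions; the policy leaves the actual values to each agency.

```python
"""Reference model of this policy's account controls: password complexity and
re-use history, lock-out after a fixed number of failed log-ons, and an idle
time-out after which a session must re-authenticate. Added illustration only."""
import hashlib
import hmac
import os
import re

MAX_FAILED_ATTEMPTS = 5          # assumed value: failures before lock-out
LOCKOUT_SECONDS = 15 * 60        # assumed value: how long the lock-out lasts
IDLE_TIMEOUT_SECONDS = 10 * 60   # assumed value: inactivity before re-authentication
PASSWORD_HISTORY = 5             # assumed value: previous passwords that may not be re-used
MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600   # assumed periodic change interval
PBKDF2_ITERATIONS = 100_000      # kept modest so the example runs quickly
_CLASSES = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]

def password_meets_policy(pw: str) -> bool:
    """Assumed complexity rule: 12+ characters drawn from all four character classes."""
    return len(pw) >= 12 and all(c.search(pw) for c in _CLASSES)

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)

class Account:
    def __init__(self, password: str, now: float):
        self.history = []                    # (salt, hash) pairs, newest first
        self.failed, self.locked_until = 0, 0.0
        self._store(password, now)

    def _store(self, pw: str, now: float) -> None:
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(pw, salt)))
        del self.history[PASSWORD_HISTORY + 1:]   # keep current + N previous
        self.changed_at = now

    def _matches(self, pw: str, entries) -> bool:
        return any(hmac.compare_digest(_hash(pw, s), h) for s, h in entries)

    def change_password(self, old: str, new: str, now: float) -> bool:
        """Refused unless old is right, new meets policy and new is not a retained password."""
        if not self._matches(old, self.history[:1]) or not password_meets_policy(new):
            return False
        if self._matches(new, self.history):
            return False
        self._store(new, now)
        return True

    def login(self, pw: str, now: float) -> str:
        """'ok', 'locked', 'bad_password' or 'password_expired'; a locked account
        answers 'locked' even to the correct password, so nothing else leaks."""
        if now < self.locked_until:
            return "locked"
        if not self._matches(pw, self.history[:1]):
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT_SECONDS
                self.failed = 0
            return "bad_password"
        self.failed = 0
        if now - self.changed_at > MAX_PASSWORD_AGE_SECONDS:
            return "password_expired"
        return "ok"

class Session:
    """Authenticated session that lapses after IDLE_TIMEOUT_SECONDS without activity."""
    def __init__(self, account: Account, now: float):
        self.account, self.last_activity, self.authenticated = account, now, True

    def touch(self, now: float) -> bool:
        """Record activity; an idle gap longer than the time-out ends the session."""
        if self.authenticated and now - self.last_activity > IDLE_TIMEOUT_SECONDS:
            self.authenticated = False
        if self.authenticated:
            self.last_activity = now
        return self.authenticated

    def resume(self, pw: str, now: float) -> bool:
        """Resuming a timed-out session requires a fresh log-on, lock-out included."""
        if self.account.login(pw, now) != "ok":
            return False
        self.authenticated, self.last_activity = True, now
        return True

def demo() -> dict:
    """Exercise the controls with constructed timestamps (seconds) and passwords."""
    t0 = 1_700_000_000.0
    acct = Account("Correct-Horse-42!", t0)
    out = {}
    out["reuse_blocked"] = not acct.change_password("Correct-Horse-42!", "Correct-Horse-42!", t0 + 60)
    out["change_ok"] = acct.change_password("Correct-Horse-42!", "Battery-Staple-7#", t0 + 120)
    out["old_pw"] = acct.login("Correct-Horse-42!", t0 + 200)            # failure 1
    for i in range(MAX_FAILED_ATTEMPTS - 1):                               # failures 2..5 lock the account
        acct.login("wrong-guess-1!Aa", t0 + 300 + i)
    out["locked"] = acct.login("Battery-Staple-7#", t0 + 310)             # right password, still locked
    out["after_lockout"] = acct.login("Battery-Staple-7#", t0 + 310 + LOCKOUT_SECONDS)
    sess = Session(acct, t0 + 2000)
    out["active"] = sess.touch(t0 + 2060)
    out["timed_out"] = sess.touch(t0 + 2060 + IDLE_TIMEOUT_SECONDS + 1)
    out["resumed"] = sess.resume("Battery-Staple-7#", t0 + 2060 + IDLE_TIMEOUT_SECONDS + 2)
    out["expired"] = acct.login("Battery-Staple-7#", t0 + MAX_PASSWORD_AGE_SECONDS + 1000)
    return out
```

Two design points worth noting: a locked account answers "locked" to the correct password as well, so an attacker cannot use the lock-out response to confirm a guess, and the time-out ends the authenticated state rather than merely hiding the screen, so resumption goes through the same log-on path (and the same lock-out) as a fresh session.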
USER RESPONSIBILITIES
Agencies must require users to sign an acknowledgement of the conditions of
use prior to being granted access to remote access systems.
1. Password Use
Agency users must be advised to:
a. Keep passwords confidential;
b. Avoid keeping a record (e.g. on paper, in a software file or on a hand-held
device) of passwords, unless it can be stored securely and the method of
storage has been approved.
2. Unattended User Equipment
Agency users must be advised to:
a. Terminate active sessions when finished, unless they can be secured by
an appropriate locking mechanism, e.g. a password protected screen
saver
3. Clear Desk and Clear Screen Policy
A clear desk policy for papers and removable storage media and a clear
screen policy for information processing facilities must be adopted that is
compatible with the working environment of Agency staff.
NETWORK ACCESS CONTROL
1. Policy on Use of Network Services
Agencies must specify:
a. network and network services which are allowed to be accessed
b. authorization procedures for determining who is allowed to access which
networks and networks services
c. management controls and procedures to protect access to network
connections and network services
d. the means used to access networks and network service (e.g. the
conditions for allowing access to an Internet service provider or remote
system)
2. User Authentication for External Connections
Agencies must use approved techniques (e.g. an approved VPN) to
authenticate remote users.
3. Equipment Identification in Networks
Agencies must specify that communications to IT assets can only be initiated
from specific locations and equipment types, e.g. Agency-owned
equipment. A protocol for approving non-standard equipment must be
instituted for external contractors. This protocol must contain
provisions for equipment that does not remain on site and may
become infected with malware while off site.
4. Remote Diagnostic and Configuration Port Protection
TBD
5. Segregation in Networks
Agencies must adopt a segmentation approach to separate logical network
domains. An organization’s internal network domains must be separated from
external facing network domains or DMZ, each protected by a defined
security perimeter with unique parameters appropriate for that segment.
Consideration should be given to the segregation of wireless networks from
internal and private networks.
6. Network Connection Control (flow control)
The connection capability of Agency users must be restricted through network
gateways that filter traffic by means of pre-defined tables or rules. Examples
of services to which such restrictions apply are messaging (e.g. electronic
mail), file transfer, interactive access and application access.
7. Network Routing Control
Controlled access and authentication to applications, systems and
networks: A combination of application and business requirements are the
determining factors in developing and defining flow control as it relates to
application, system and network access. Flow control, as used here, is the
management of data flow between computers and/or devices or between nodes
in a network so that only the necessary sources, destinations and ports are
allowed to traverse the network. Agencies must protect IT systems through the
following approaches:
a. Restrict access to all systems per business application requirements and
allow access to only those required and at the minimum level required.
b. Deploy a firewall or secure gateway which must protect the internal
trusted network from an external un-trusted (public) network such as the
Internet.
c. Ensure the secure gateway provides a level of protection to ensure that
only authorized users can access the internal network.
d. Enforce encryption when remote users are accessing and transferring
data which is classified as high sensitivity.
e. Establish, document and test processes for revoking access rights or
interrupting the connection between systems when appropriate.
f. Require agency remote access users to utilize an authorized agency
computer system for remote access where possible. If home computers
are used for remote access to agency IT resources, the computer must
be configured at a minimum with: antivirus software with current
definition files, spyware detection and removal tools, a personal firewall,
a manufacturer-supported operating system with current updates, and
agency-supported remote access software, as prerequisites for remote
access to Commonwealth IT systems.
OPERATING SYSTEM ACCESS CONTROL
1. Secure Log-on Procedures
Agency login procedures must, as a rule, minimize the opportunity for
unauthorized access. The log-on procedure should therefore disclose the
minimum of information about the system, in order to avoid providing an
unauthorized user with any unnecessary assistance. A good log-on procedure
should:
a. Not display system or application identifiers until the log-on process has
been successfully completed
b. Record successful and failed system authentication attempts
c. Issue alarms when system security policies are breached
d. Where appropriate, restrict the connection time of users
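Items b and c above (record every successful and failed authentication attempt; alarm when policy is breached) are only useful if something reads the records. The Python below is an added example, not Commonwealth code, of the detection an agency could run over its authentication log: it alarms on repeated failures against one account, on one source failing against several accounts (password spraying, which a per-account lock-out does not catch), and on a success from a source that was failing moments before. The key=value record format, the sample lines, the host and user names and the thresholds are all constructed for this example.

```python
"""Detection over authentication records: alarm on repeated failures against one
account, on one source failing against several accounts (password spraying), and
on a success from a source that was failing moments earlier. Added illustration
only; the record format, sample lines and thresholds are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) host=(?P<host>\S+) "
    r"event=login result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
WINDOW_SECONDS = 300    # assumed: how far back failures count
FAIL_THRESHOLD = 5      # assumed: failures against one account in the window
SPRAY_THRESHOLD = 4     # assumed: distinct accounts failed from one source in the window

def parse(line):
    """Return the fields of one record, or None for a line that is not one."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def _trim(window, now):
    """Drop (timestamp, user) entries that have aged out of the window."""
    while window and (now - window[0][0]).total_seconds() > WINDOW_SECONDS:
        window.popleft()

def detect(lines):
    """Return alarms in the order raised; each is a tuple naming the condition."""
    alarms = []
    by_user = defaultdict(deque)   # account -> recent failures against it
    by_src = defaultdict(deque)    # source address -> recent failures it produced
    for ev in filter(None, map(parse, lines)):
        now, user, src = ev["ts"], ev["user"], ev["src"]
        _trim(by_src[src], now)
        if ev["result"] == "fail":
            _trim(by_user[user], now)
            seen_users = {u for _, u in by_src[src]}
            by_user[user].append((now, user))
            by_src[src].append((now, user))
            # each alarm fires when its count first reaches the threshold
            if len(by_user[user]) == FAIL_THRESHOLD:
                alarms.append(("brute_force", user, src))
            if user not in seen_users and len(seen_users) + 1 == SPRAY_THRESHOLD:
                alarms.append(("password_spray", src, SPRAY_THRESHOLD))
        elif by_src[src]:
            # a successful log-on from a source with failures still in the window
            alarms.append(("success_after_failures", user, src))
    return alarms

# Constructed sample records (not real agency logs): a brute-force run against
# jdoe, a normal log-on, a spray across four OWA accounts, then a success from
# the spraying source, and one line that is not an authentication record.
SAMPLE_LOG = """\
2010-03-01T08:00:01Z host=app01 event=login result=fail user=jdoe src=203.0.113.9
2010-03-01T08:00:14Z host=app01 event=login result=fail user=jdoe src=203.0.113.9
2010-03-01T08:00:27Z host=app01 event=login result=fail user=jdoe src=203.0.113.9
2010-03-01T08:00:41Z host=app01 event=login result=fail user=jdoe src=203.0.113.9
2010-03-01T08:00:55Z host=app01 event=login result=fail user=jdoe src=203.0.113.9
2010-03-01T08:01:09Z host=app01 event=login result=fail user=jdoe src=203.0.113.9
2010-03-01T08:03:00Z host=app01 event=login result=ok user=mjane src=10.0.3.4
2010-03-01T08:05:02Z host=owa01 event=login result=fail user=asmith src=198.51.100.77
2010-03-01T08:05:09Z host=owa01 event=login result=fail user=bjones src=198.51.100.77
2010-03-01T08:05:16Z host=owa01 event=login result=fail user=ckim src=198.51.100.77
2010-03-01T08:05:23Z host=owa01 event=login result=fail user=dlee src=198.51.100.77
2010-03-01T08:06:00Z host=owa01 event=login result=ok user=dlee src=198.51.100.77
this line is not an authentication record and is skipped
""".splitlines()

def demo():
    return detect(SAMPLE_LOG)
```

The spray case is why the policy's requirement to log the identity of each remote user must be paired with logging the source: four single failures never trip an account lock-out, and only the per-source view shows them as one campaign. The final success from that source is the record a responder wants flagged first.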
2. User Identification and Authentication
TBD
3. Password Management System
TBD
4. Use of System Utilities
TBD
5. Session Time-out
TBD
6. Limitation of Connection Time
TBD
7. Communication and Operations Management
Assignment of Privileges: Agencies must adhere to the principle of
separation of duties when assigning job responsibilities and roles relating to
restricted IT Resources or to IT Resources identified as mission critical and
classified as high sensitivity. Agencies must limit and provide access to IT
systems and users based upon the following criteria: system and data
classification, business requirements, job function, related responsibilities or
"need to know".
Administration of Privileges: Unique roles and responsibilities must be
assigned with consideration for the segregation of access control roles (i.e.
access request, access authorization, and access administration) and
management to reduce the risk of accidental or deliberate system or
application misuse. Implementation and enforcement of the separation of
duties security principle provides a mechanism to manage conflict of interest
and restricts the amount of power and/or control held by an individual while
reducing the risk of system or application misuse.
APPLICATION AND INFORMATION ACCESS CONTROL
Place IT resources which require remote access in a DMZ where possible.
1. Information Access Restriction
2. Sensitive System Isolation
MOBILE COMPUTING AND TELEWORKING
1. Mobile Computing and Communications
Wireless and remote access methods and controls: Wireless local area
network (LAN) access is considered to be remote access and therefore
subject to the following authorized and supported remote access methods
and controls to agency systems:
a. Ensure the logon process uses an appropriately strong mechanism to
validate a user’s identity. Two-factor authentication is required for
remote access.
b. Utilize strong passwords, and further enforce the use of such strong
passwords where technically feasible.
c. Implement and utilize authorized VPN technology standard supported by
the agency for all users that require remote access.
d. Invoke and maintain system controls that log identification of each
remote access user.
e. Invoke and maintain system audit logs of remote user activity.
f. Comply and adhere to the following authorized methods and related
standards when agency remote access services are utilized and
deployed including:
1. Mass.Gov Portal (State’s Web Server)
2. Public Access Architecture (PAA)
3. MassMail Remote Access - Activesync, Outlook Web Access
(OWA) and Native Outlook
4. Enterprise SSL VPN Solution.
g. Educate users of the specific risks, threats, vulnerabilities and the proper
use of a secured remote access system.
h. Inform users to notify appropriate agency security staff if they see or
witness suspicious activity, or activity that violates this policy.
2. Teleworking
a. Communicate and educate agency users regarding adherence to
Enterprise Wireless Security Policy & Standards.
ROLES AND RESPONSIBILITIES
All agencies and entities governed by the overarching Enterprise Information
Security Policy are subject to the referenced roles and responsibilities in addition
to those specifically stated within this supporting policy. The roles and
responsibilities associated with implementation and compliance with this policy
follow:
Assistant Secretary for Information Technology
• Develop mandatory standards and procedures for agencies to follow before
entering into contracts that will provide third parties with access to electronic
high sensitivity information including but not limited to personal information or
IT systems containing such information.
• The Assistant Secretary for Information Technology is responsible for the
approval and adoption of the Enterprise Access Control Policy and its
revisions.
Secretariat Chief Information Officer (SCIO) and Agency Head
• SCIOs and Agency Heads are responsible for exercising due diligence in
adhering to the requirements contained in this policy.
• Provide communication, training and enforcement of this policy that support
the security goals of the Secretariat, its agencies and the Commonwealth.
• Provide proper third party oversight as applicable for access to and
communication with agency IT Resources including applications and
information assets.
Secretariat or Agency Information Security Officer (ISO)
• Ensure that the goals and requirements of the Enterprise Access Control
Policy are implemented and met.
Enterprise Security Board (ESB)
• Recommend revisions and updates to this policy and related standards.
Information Technology Division (ITD)
• After review of any related recommendations of the Enterprise Security
Board, issue revisions and updates to this policy and related standards.
Third parties
• Required to comply, at a minimum, with the agency's implementation of this
policy, or with a more stringent agency-specific policy, including:
  o Attestation and certification that they have read Executive Order
  504 and this policy;
  o Review of, and compliance with, all information security programs, plans,
  guidelines, standards and policies that apply to the work they will be
  performing for their contracting agency;
  o Communication of such provisions to their subcontractors and enforcement
  of them against those subcontractors, and implementation and maintenance
  of any other reasonable and appropriate security procedures and practices
  necessary to protect high sensitivity information, including but not limited
  to personal information to which they are given access as part of the
  contract, from unauthorized access, destruction, use, modification,
  disclosure or loss.
RELATED DOCUMENTS
Related Standards and Procedures include:
Mass.Gov Portal
Public Access Architecture
Outlook Web Access (OWA) Procedures
Security Shared Service Procedures
VPN Procedures
Primary references that were used in development of this policy include:
ISO 27001
Executive Order 504
Additional information referenced includes:
M.G.L., Ch 93H
M.G.L., Ch 93I
M.G.L., Ch 66A
ISO 27002
CobiT
ITIL
HIPAA Security Rule
CONTACT
Standards@state.ma.us
TERMS
Key terms used in this policy have been provided below for your convenience.
For a full list of terms please refer to the Information Technology Division’s web
site where a full glossary of Commonwealth Specific Terms is maintained.
Agency – A department, bureau, commission, board, office, council, or other
entity in the executive department of government, which was created by the
constitution or statutes of this State.
Business Partner – A generic term referring to both contracted business
partners and statutory business partners.
Contracted Business Partner - An entity under contract with the
Commonwealth with which the Commonwealth has an agreement to share data
or engage in secure communications for a limited purpose. Contracted business
partners do not include individuals who are under contract with and paid directly
by the Commonwealth.
DMZ – Demilitarized Zone. Within the context of this policy, a DMZ is a
network placed between a protected internal network and an unprotected external
network in order to provide an additional layer of security. A DMZ is sometimes
referred to as a "perimeter network". It is where Internet-accessible servers
are maintained separately from the internal network, so that the compromise of a
DMZ-sited server does not by itself expose the internal network.
XDMZ - An extended Demilitarized Zone (see DMZ above), in which the DMZ
has been deployed either within the Internal network or located within the ITD or
local agency environment.
Employees – Either Agency’s employees or individuals under contract with the
agency to provide services and paid directly by the agency whose work is
controlled and directed by the agency.
Hardware – Includes computers and any physical equipment used in connection
with it, such as keyboards, printers, etc.
Information Technology (IT) Resources – Commonwealth’s computers,
printers, and other peripherals, programs, local and wide area networks, access
to the Internet when provided by the Commonwealth, and remote access
methods, including VPN.
MAGNet – Commonwealth’s Wide Area Computer Network.
OWA – Outlook Web Access. OWA is a feature subset of Microsoft Outlook
that allows MassMail users to remotely access their email via a web browser.
User – Any workforce member (or computer performing automated tasks) with a
legitimate reason and purpose to use Commonwealth IT resources
DOCUMENT HISTORY
Date          Action                                   Effective Date   Next Review Date
MM/DD/YYYY    Ref # Enterprise Access Control Policy   MM/DD/YYYY       MM/DD/YYYY