Access Control Policy
Purpose
This policy defines the control requirements surrounding the management of access to information on Uncanny Software computer and communications systems.
Scope
This policy applies to all Uncanny Software computer systems and facilities, with a target audience of Uncanny Software Information Technology employees and partners.
Policy
Access Control System
Access Control System: User ID Creation Date - Access control systems must be configured to capture and maintain the creation date for every user ID.
Password Retrieval - Computer and communication systems must be designed, tested, and controlled to prevent both the retrieval of, and unauthorized use of stored passwords, whether the passwords appear in encrypted or unencrypted form.
Access Control Information In Cookies - Uncanny Software information systems must never store any access control information in cookies deposited on, or stored on, end-user computers.
System Capabilities And Commands - End users must be presented with only the system capabilities and commands that they have privileges to perform.
Authorization
Sensitive Or Valuable Information Access - Access to Uncanny Software sensitive information must be provided only after express management authorization has been obtained.
Granting Access To Organization Information - Access to Uncanny Software information must always be authorized by a designated owner of such information, and must be limited on a need-to-know basis to a reasonably restricted number of people.
Information System Privilege Usage - Every information system privilege that has not been specifically permitted by Uncanny Software management must not be employed for any Uncanny Software business purpose until approved in writing.
Granting System Privileges - Computer and communication system privileges must be granted only by a clear chain of authority delegation.
User ID And Privilege Approval - Whenever user IDs, business application system privileges, or system privileges involve capabilities that go beyond those routinely granted to general users, they must be approved in advance by the user’s immediate supervisor.
Owner Approval for Privileges - Prior to being granted to users, business application system privileges must be approved by the applicable information owner.
Roles and Responsibilities
Coordinating the establishment, implementation, maintenance, performance reporting, and improvement of the ISMS - InfoSec Team - The team tasked with overseeing InfoSec policies and procedures.
Advising on information security risk assessment and treatment - InfoSec Team, Site Reliability Engineers (SRE), Line Managers - SRE has direct control of the databases. CS and AM can change data on behalf of the customer (at customer request), but only through the application.
Designing information security processes and systems - InfoSec Team, Line Managers - Line managers are in charge of enforcement and provide input into process decisions.
Setting standards concerning determination, configuration and operation of data security controls - SRE, Architecture Team - These two groups own setting the standards; line managers are in charge of implementing them.
Managing information security incidents - Line Managers - Typically this falls to Engineering and SRE line managers.
Reviewing and auditing the ISMS - InfoSec Team - Team includes CTO, Legal, HR, Engineering, IT, and Infrastructure.
Implementation of security policies/procedures - Line Managers - Typically SRE and Engineering.
Scheduling of work to implement security issue mitigation or resolution - Product Managers
Review of access controls - Asset Owners, HR - Asset owners are going to be SRE and IT.
Access and Privilege Assignment
User IDs Employed In Abusive Activity - All access privileges for a user ID shown to be engaged in abusive or criminal activity must be immediately revoked.
Developer Access To Production Business Information - Where access to production business information is required so that new or modified business application systems may be developed or tested, only “read” and “copy” access must be granted on production machines. This access is permitted only for the duration of the testing and related development efforts, and must be promptly revoked upon the successful completion of these efforts.
Secret Information Access - Access to sensitive information must be granted only to specific individuals, not groups of individuals.
Production Application Information Access - Business application software development staff must not be permitted to access production information. An exception will be made in the case of production information relevant to the particular application software on which this staff is currently working.
Separation Of Activities And Data - Management must define user privileges such that ordinary users cannot gain access to, or otherwise interfere with, either the individual activities of, or the private data of other users.
Third Party Software Developers Access To Source Code - Third-party programmers must not be granted direct access to Uncanny Software source code. Only the modules needed for a specific programming task may be revealed to these programmers. These programmers must additionally never be given privileges to directly update Uncanny Software production source or object code.
Remote Access Control
Restricted Use Of Remote Control For Workstations - Management must review and approve no more than one remote access software product. The remote control feature must only be authorized and enabled by employees for the IT team to take control when remote support is required. Maintain an audit trail of all remote control sessions so the information can be audited as part of the periodic access review process.
System Privileges
Number Of Privileged User IDs - The number of privileged user IDs must be strictly limited to those individuals who absolutely must have such privileges for authorized business purposes.
Limiting Special System Privileges - Special system privileges must be restricted to those directly responsible for system management or security.
Records
Access Control Privilege Log Retention - Computerized records reflecting the access privileges of each user of Uncanny Software multi-user systems and networks must be securely maintained for a reasonable period of time.
Access Review
Review of Accounts Used in Applications and Middleware - Semi-annually, Uncanny Software must review the privileges of special accounts used for production applications or middleware.
Reauthorization Of User Access Privileges - The system privileges granted to every user must be reevaluated semi-annually to determine whether currently-enabled system privileges are needed to perform the user’s current job duties.
Violations
Any violation of this policy may result in disciplinary action, up to and including termination of employment. Uncanny Software reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Uncanny Software does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, Uncanny Software reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.
Any employee or partner who is requested to undertake an activity which he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager, any other manager, or the Human Resources Department as soon as possible.
Definitions
Account (User ID or Username) – A unique string of characters assigned to a user by which a person is identified to a computer system or network. A user commonly must enter both a user ID and a password as an authentication mechanism during the logon process.
Confidential Information (Sensitive Information) – Any Uncanny Software information that is not publicly known and includes tangible and intangible information in all forms, such as information that is observed or orally delivered, or is in electronic form, or is written or in other tangible form. Confidential Information may include, but is not limited to, source code, product designs and plans, beta and benchmarking results, patent applications, production methods, product roadmaps, customer lists and information, prospect lists and information, promotional plans, competitive information, names, salaries, skills, positions, pre-public financial results, product costs, and pricing, and employee information and lists including organizational charts. Confidential Information also includes any confidential information received by Uncanny Software from a third party under a non-disclosure agreement.
Partner – Any non-employee of Uncanny Software who is contractually bound to provide some form of service to Uncanny Software.
Password – An arbitrary string of characters chosen by a user that is used to authenticate the user when he attempts to log on, in order to prevent unauthorized access to his account.
System Privileges – Advanced powers or authorities within a computer system, which are significantly greater than those available to the majority of users. Persons holding such privileges include, for example, the system administrator and network administrator, who are responsible for keeping the system available and may need powers to create new user profiles as well as add to or amend the access rights of existing users.
User – Any Uncanny Software employee or partner who has been authorized to access any Uncanny Software electronic information resource.
References
ISO/IEC 27002:2013 – 9 Access Control
Related Documents
No documents listed