Christchurch Polytechnic Institute of Technology Access Control Security Standard




CPIT Corporate Services Division: ICT
Corporate Policies & Procedures, Section 1: General Administration, Document CPP121a

[Policy framework diagram: Principles; Information Communication Technology Division Security Policy; Security Standards, Guidelines and Procedures. Aligned with AS/NZS ISO/IEC 27001:2006 for Information Security Management.]

Contents

1 INTRODUCTION ... 4
2 ACCESS REQUIREMENTS ASSESSMENT ... 5
2.1 Access Requirements Checklist ... 5
3 ACCOUNT MANAGEMENT STANDARDS ... 7
3.1 Account Registration Standards ... 7
3.2 Privileged Account Standards ... 8
3.3 Account Monitoring Standards ... 8
3.4 Account Close-down Standards ... 9
4 PASSWORD MANAGEMENT STANDARDS ... 10
4.1 Password Allocation Standards ... 10
4.2 Password Settings Standards ... 10
4.3 Remote Access Standards ... 11

Access Control Security Standard Page 2 of 12

Purpose

This Standard defines the recommended security practices for account management and access control, including password settings. In addition, this Standard defines acceptable practice for remote access and for the use and management of hand-held devices and laptops. This document sets the benchmark for administering user and system accounts and the settings required to maintain the level of security required at CPIT.

Authorised By: ICT Director
Document Owner: Infrastructure Manager and Technology Manager
Date of Issue: 15 March 2012
Review date: November 2014
Version: 2.4

References: This document should be read in conjunction with the ICT Security Policy, and with the following ICT Security Standards:
1. ICT Asset and Media Management Standard
2. Human Resources ICT Security Standard
3. Communications and Operations Management Standard
4. Physical and Environmental Security Standard
5. Information Systems Acquisition, Development and Maintenance Security Standard

1 INTRODUCTION

These Access Control Security Standards recommend the security measures to control access to information and computer systems at CPIT. The aim is to define a set of account management standards that will restrict access to authorised personnel and safeguard the services and information at CPIT. Unauthorised access may expose the Institution to security threats, including data loss or the privacy of information being breached, knowingly or unknowingly.

These standards recommend the security measures that the Institution should consider across the following areas of account management:

Access Control: Standards to determine the level of access required by individuals, to reduce the risk of unauthorised access to information and systems. This includes an Access Control checklist to assess access requirements for ICT systems and services, and processes to continually re-assess access requirements. It also includes standards to control access to ICT services and, in particular, to record visitor access to ICT secure facilities.

Account Management: Security standards for robust account lifecycle management. This includes account registration (set-up), privileged account set-up, account monitoring and account close-down.

Password Management: Standards to be applied when allocating passwords and defining password settings, to reduce the risk of password compromise. Passwords are the primary authentication mechanism used to secure ICT services at CPIT.

Remote Access: Standards used to prevent unauthorised access to the network when connecting remotely to ICT services.

2 ACCESS REQUIREMENTS ASSESSMENT

An effective access control practice reduces the risk of unauthorised access to information and systems. Processes are required to ensure that individuals gain the right level of access to complete their work, whilst ensuring the appropriate level of protection is applied. This section recommends the access control standards for determining the level of access to be provided, and the measures to be considered to maintain security, when determining the appropriate level of access required for individuals, remote users or third parties engaged at the Institution. To simplify the process an 'Access Requirements Checklist' can be used, which is designed to determine the appropriate level of access required.

2.1 Access Requirements Checklist

Ref: Security Access Checklist
1. Determine the security requirements of the business applications or data sources the person requires access to. (For example, certain applications may only require read-only access.)
2. Review any particular policies regarding information dissemination and authorisation; it may be inappropriate to permit access to specific areas. (For example, check with Human Resources or Finance before granting access.)
3. Review the information classification and align access control rights to match the classification of the information. (For example, review the data governance standards and any data that is deemed read-only.)
4. Review Third Party agreements that may affect contractors' remote access to information, if applicable. (For example, contractors may only be allowed access during an agreed period of time, and hence access is granted for that period only.)
5. Review agreements that are established for provision of ICT services to groups of users at certain times.
6. Review legal requirements that may need to be considered.
7. Clarify the specific task the individual will be performing.
8. Manage authorisation and approval for access to be granted.

This checklist can also be used to determine group access to information or systems at the Institution. The end result should be a clear list indicating the level of access required for the individual or group to perform their role at the Institution.

Why do this? A significant number of security incidents result from inappropriate access to information. Following the checklist each time will remind staff to check access rights and not make assumptions.

Defining the level of access required is not an event performed once. It should be a continuous process that is followed to maintain the right levels of access for individuals or groups. Access Control arrangements should be regularly reviewed to ensure they meet the following standards:
- Access is restricted to a level agreed by the information owners. For example, access rights to financial information need to be agreed by the financial information owners.
- Access is reviewed regularly to confirm that the right level of access has been maintained; this may be done by providing information owners with a list of those who have access, for their validation.
- Access is reviewed in response to changing threats: a higher security threat or a change in the security environment may necessitate a change in access control.

3 ACCOUNT MANAGEMENT STANDARDS

Security standards and guidelines are required for the lifecycle of Account Management, from initial registration of an account through to closing down accounts. It is acknowledged that these standards will require assistance from Human Resources to inform ICT when staff changes occur, including when staff change role, start, or leave the institution. The objective of this standard is to ensure that robust account management standards are followed throughout the account management lifecycle. The following security controls are detailed:
- Account Registration (set-up of accounts)
- Privileged Account set-up
- Account Monitoring
- Account Administration
- Account Close-down

3.1 Account Registration Standards

A formal procedure is followed to create a user account and permit access to ICT services. The following controls are recommended when creating accounts:
- The default access rights are set to 'none' rather than 'read' for all new accounts.
- Unique user IDs are required for all accounts (this is typically enforced through the Windows Active Directory in use at CPIT).
- User accounts are not to be shared unless authorised by ICT; sharing will only be agreed on a case by case basis.
- The principle of using groups to access information, rather than specifying individual account access, should be followed by default: individual users are added to groups rather than being given direct access to information.
- Access to ICT services depends upon the role within the institution (role based access, whereby access is provided to the services you need to complete your work).
- Check that the user account is associated with the permissions agreed through the Access Requirements Checklist in section 2.1; in particular, that the information owner has approved access to the information or service.
- Define the number of failed account log-in attempts before an account must be reset. The standard in section 4.2 sets this to 5 attempted logins before the account is locked out.
- Users are informed of their access rights and of the process for requesting a higher level of access to CPIT services, as described in the Service Catalogue.
- Access is not permitted until the authorisation process has been completed.

Why are unique IDs so important? This security control is important as it establishes a link between a user account, an individual and the access rights granted to that account. Without unique user IDs, audit logs cannot accurately record the activities of users, and this could prevent the Institution from being able to complete security audits, reinforce disciplinary action or prosecute for computer abuse.

3.2 Privileged Account Standards

A privileged account is an account that has higher access rights than a standard user account. Privileged accounts include those within the infrastructure group, but may also include those who administer networks, manage critical business applications or administer databases, and accounts that have access to sensitive information. Privileged accounts require a higher degree of security than standard user accounts, as they present a higher security risk if compromised, so stronger security controls are required to support them. The ICT Security Policy reinforces that higher privileged accounts are to follow the standards below:
- Privileged accounts are allocated to an individual on a 'need to use' basis or on an 'event by event' basis. Not all members of ICT will be given higher privilege access.
- Use system alerts to notify when privileged account settings are changed or additional accounts are added to a privileged account group.
- An authorisation process must be agreed to approve changes in account privileges; accounts should not gain access to a higher privilege until approval has been obtained.
- Accounts that operate at a higher privilege level are unique and not the same account that is used to access line of business applications. It is essential that privileged accounts are not used for day to day ICT use and are not used when accessing the internet.

Keep an eye on the privileged accounts. It is important to keep a close eye on the privileged accounts within CPIT. An attacker will try to compromise a privileged account or add an account to the privileged account group. To protect your business, keep these accounts under tight control and monitor when accounts are added or removed.

To enforce a higher level of protection, the following security controls are recommended for CPIT user accounts.

Account level: User Account
Description: Access to business as usual applications and information.
Examples of Controls: CPIT standard password security; see section 4.2.

Account level: High Privileged Accounts
Description: Includes systems administration accounts (Microsoft Admin, Unix root) and database admin accounts.
Examples of Controls: Stronger password complexity by increasing the password length to greater than 12 characters. For services that do not support 12 characters, the highest number of characters the service supports is to be used.

3.3 Account Monitoring Standards

Once accounts have been created and access rights agreed, it is important to define security controls to monitor and record account activity. The following account monitoring standards are recommended:
- Account login attempts, successful and unsuccessful, are recorded for an agreed period of time to assist with any future account investigations.
- Unsuccessful login attempts must be recorded and reviewed periodically to identify regular unsuccessful password logins. (This is important as it can identify when password cracking software is targeting an account over a period of time.) The review should group failures by source as well as by account, since an attacker who knows about the 5-attempt lockout in section 4.2 will spread a few guesses across many accounts rather than many guesses at one.
- Log files containing account information must be secured appropriately to prevent alteration intended to hide the tracks of an attacker.
- Identify accounts for deletion: accounts that have been 'disabled' are deleted after an agreed period of time. The ICT Security Policy stipulates that accounts disabled for a period of 6 months will be deleted.

3.4 Account Close-down Standards

To maintain security, accounts must be reviewed regularly and appropriate measures established to close down accounts when they are no longer required. The following security standards apply:
- Account access requirements are to be reviewed when the ICT Division is advised that an individual employee has changed position within the Institution, or that services are replaced or renewed.
- Accounts are to be disabled once an employee's contract at the Institution has expired. An employee cessation process has been defined within the Human Resources ICT Security Standard. To achieve this standard, Human Resources must inform ICT when staff leave or there is a change in an employment contract.
- Once accounts have been disabled they are to be reviewed at the 6 month interval, and any accounts no longer needed are to be permanently deleted.

Why close down user accounts? It is important for the prevention of unauthorised access that accounts are closed down as soon as the user leaves the Institution. Intruders often use accounts that have not been used for a period of time, which makes detection harder because the account activity looks legitimate.

4 PASSWORD MANAGEMENT STANDARDS

Passwords are the primary method used at CPIT to validate a user's identity when accessing a service or system. It is important to maintain sound password management practices in allocating passwords, setting password parameters and password awareness. This section recommends the security measures for:
- Password Allocation
- Password Settings

4.1 Password Allocation Standards

Reference: Password Management Policy in section 2.2.1 of the ICT Security Policy.

The allocation of passwords is to be controlled through a formal process which should include the following standards:
- Users are made aware of the importance of maintaining password confidentiality through the staff induction process. Both staff and students are to be reminded of the importance of keeping their password confidential through an ongoing security awareness programme.
- When passwords are first issued, or a temporary password is sent to a user, they are to be configured so that the user is forced to change the password on next use.
- Passwords are ideally not to be seen or stored in clear text (including in in-house developed systems). It is recognised that passwords are first issued through an email; this is acceptable practice as the password will be changed on first use. Students are first made aware of their password through the enrolment process but are required to change their password on first use. The forced change should be combined with a short expiry on the temporary password, so that an unread email does not leave a usable credential behind.
- Temporary passwords, issued when a user forgets their password, are to be provided only following positive identification of the user (appropriate identification processes are agreed with ICT Service Desk staff).

4.2 Password Settings Standards

Password construction is to meet a high standard. Using password settings lower than those recommended will increase the risk of a security incident. The recommended password security settings are listed below and should apply across all CPIT systems where the system can support the standard. If the system cannot meet a required password setting, the highest level of that setting or complexity the system supports must be set.
- Set a password history to prevent users from repeating passwords. Recommended level: 24 passwords before a password may be reused.
- Set a maximum password age; this sets the number of days before the user is prompted to change their password. This setting is applied to all passwords. The ICT Security Policy sets the length of time between password changes.
- Set a minimum password age; this controls how soon a newly set password can be changed again, and is intended to stop users cycling straight back to a password they have used before. A setting of 0 days is the recommended standard to be followed. Note that a minimum age of 0 does not by itself prevent that cycling: a user can change the password 24 times in succession and return to the original. A minimum age of at least 1 day is needed for the history setting to have effect.
- After 5 unsuccessful attempts to enter a password the user account must be disabled. Users will need to contact the ICT Service Desk to have access re-established.
- Set a minimum password length. This is as defined within the ICT Security Policy.
- Set the password construction standard. Strong passwords (sometimes referred to as complex passwords) provide a higher degree of protection. The ICT Security Policy defines that password construction must follow the strong password standard. Strong passwords are required to contain characters from at least three of the following five categories: English uppercase (A-Z); English lowercase (a-z); base digits (0-9); non-alphanumeric (for example !@#$%^); Unicode characters.
- Passwords that are stored on network drives must be in a secure encrypted system.
- Enable the screen saver password with the default setting defined in the ICT Security Policy, forcing users to re-enter their password after a period of inactivity.
- ICT services should be configured to avoid further logins once a user has successfully logged into the network (single sign-on). This will reduce the number of passwords users are required to remember.

Passwords: so important. One of the most frequently used and successful attack methods for gaining system access is password guessing, both manual and automated dictionary attacks. In both cases the password management policy will help to ensure that the attack is unsuccessful, by slowing down or preventing attempts at password guessing. This may increase calls to the ICT Service Desk, but the security benefits outweigh the inconvenience.

4.3 Remote Access Standards

This section provides guidelines on the security controls to be considered to prevent unauthorised access to the network. These measures are in addition to the measures already discussed in this access control standard. Security standards for remote access:
- A standard set of services is provided for staff and students to connect to ICT services remotely.
- Requests for alternative remote access services require authorisation by an appropriate CPIT Manager or project sponsor through the ICT Service Desk.
- Only approved connection techniques are allowed. This will minimise the risk of a security incident occurring.
- External connections must be individually identified, at least to the organisation level.
- Access rights must be agreed and the level of access determined through the access checklist; see section 2.1.
- Details of the remote access account should be kept, recording the following information: when the account was created and why; the access requirements (which part of the network they have access to); who authorised the access; the method used to connect to resources; and the review date for the remote access.

Remote access: why worry? External or remote user access to CPIT computer systems and networks must have the appropriate authorisation. This is to ensure that only approved and essential connections are permitted.

With any remote access service there is an increased level of risk, which needs to be explained, precautions taken and reviews made to keep ICT services secure. Any additional remote access services must be designed to:
- Restrict remote access traffic to specific parts of the network (achieved through firewalls, virtual LANs, web publishing services, etc.).
- Restrict access to designated access points.
- Verify the source of the external connection through technology, including the use of specific IP addresses.

Third Party accounts must be reviewed at regular intervals (6 months is recommended), and must be removed promptly when no longer required. Any dedicated equipment used to enable access, including ADSL routers, data cards, etc., must be returned to ICT.

This is the end of the Access Control Standard. This standard is one of six standards that provide advice and guidance on the best practices to follow when using and accessing ICT services. The other standards are available on the CPIT ICT intranet.
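The construction and history rules in section 4.2, together with the section 3.2 requirement that privileged passwords exceed 12 characters and the section 4.1 rule that passwords are not stored in clear text, can be expressed as a single check. The following is an added example written for this page, not code from the CPIT standard: the standard does not reproduce the user minimum length from the ICT Security Policy, so MIN_LENGTH_USER is an assumption, and the salted PBKDF2 hashing of the history is the example's choice of storage, not something the standard specifies.

```python
"""Password construction and history checks for section 4.2.

Added example, not part of the CPIT standard. MIN_LENGTH_USER is assumed
(the ICT Security Policy holds the real value); the privileged minimum
follows section 3.2 ("greater than 12 characters").
"""
import hashlib
import hmac
import os

MIN_LENGTH_USER = 8          # assumed; the ICT Security Policy sets the real value
MIN_LENGTH_PRIVILEGED = 13   # section 3.2: greater than 12 characters
HISTORY_SIZE = 24            # section 4.2: 24 passwords before a repeat is allowed
CATEGORIES_REQUIRED = 3      # section 4.2: three of the five categories
PBKDF2_ROUNDS = 100_000      # assumed work factor for the stored history hashes


def categories(password):
    """Return the set of section 4.2 character categories present in `password`."""
    found = set()
    for ch in password:
        if "A" <= ch <= "Z":
            found.add("upper")
        elif "a" <= ch <= "z":
            found.add("lower")
        elif "0" <= ch <= "9":
            found.add("digit")
        elif ord(ch) < 128:
            found.add("symbol")       # any other ASCII character, e.g. !@#$%^
        else:
            found.add("unicode")      # anything outside ASCII, e.g. a macron
    return found


def is_strong(password, privileged=False):
    """Construction standard: minimum length plus three of the five categories."""
    min_len = MIN_LENGTH_PRIVILEGED if privileged else MIN_LENGTH_USER
    return len(password) >= min_len and len(categories(password)) >= CATEGORIES_REQUIRED


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, so the history never holds clear text
    (section 4.1). Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class PasswordHistory:
    """Per-account record of the last `size` password hashes, oldest first."""

    def __init__(self, size=HISTORY_SIZE):
        self.size = size
        self.entries = []

    def seen(self, password):
        """True if `password` matches any hash still held in the history."""
        return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
                   for salt, digest in self.entries)

    def change(self, password, privileged=False):
        """Apply the construction and history rules; return (accepted, reason)."""
        if not is_strong(password, privileged):
            return False, "does not meet the strong password standard"
        if self.seen(password):
            return False, "reused within the last %d passwords" % self.size
        self.entries.append(hash_password(password))
        del self.entries[:-self.size]     # keep only the newest `size` hashes
        return True, "accepted"


if __name__ == "__main__":
    h = PasswordHistory()
    for pw in ("Summer2014!", "Summer2014!", "summer2014", "K\u014dwhai-tree-2014"):
        print(repr(pw), h.change(pw))
```

Each stored entry carries its own salt, so checking a candidate against the history costs one PBKDF2 computation per entry; with 24 entries that is the intended price of not keeping old passwords in clear text. The category test treats any non-ASCII character as the fifth "Unicode" category, which is the simplest reading of the standard's wording; Windows itself counts only alphabetic non-ASCII characters there, so a system that must match the domain policy exactly would narrow that branch.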