The access control policy at Netspective Communications LLC ensures that the right employees and systems have the access they need to perform their job functions, while unauthorized access is monitored and prevented. The policy applies to all Netspective Communications LLC products and assets, all employees, contractors, and partners, and all physical sites where the company operates. Its purpose is to maintain the confidentiality, integrity, and availability of information.
Business Requirement for Access Control
- Netspective Communications LLC clearly states access control rules and rights for each user or group of users. [FII-SCF-012-IAC-01], [FII-SCF-012-IAC-02]
Role based users list
Admin users list
Non Admin users list
- Access control requirements are both logical and physical.
- Users and service providers are given a clear statement of the business requirements that access controls must meet.
- Netspective Communications LLC’s access control program addresses the following:
- Security requirements of individual business applications and business units
- Information dissemination and authorization, including need-to-know, need to share, and least privilege principles; security levels; and classification of information.
- Relevant legislation and any contractual obligations regarding protection of access to data or services
- Standard user access profiles for common job roles
- Requirements for formal authorization of access requests
- Requirements for emergency access
- Requirements for periodic review of access controls (at least once per quarter)[Gov-04]
- Removal of access rights [FII-SCF-009-DCH-09.3]
Disabled users list
- Netspective Communications LLC reviews its access control program at least annually
- All information related to the business applications and the risks the information faces are identified
- The access control and information classification policies are consistent across Netspective Communications LLC products and network
- Access control roles, such as access request, access authorization, and access administration, are segregated.
Authorized Access to Information Systems
User Registration [FII-SCF-012-IAC-01]
- Netspective Communications LLC maintains a current listing of all workforce members (employees, contractors, partners) who have access to PII data. [FII-SCF-012-IAC-02]
Admin users list
Non Admin users list
- Guest/anonymous, shared/group, emergency and temporary accounts are specifically authorized and their use is monitored. [FII-SCF-012-IAC-03]
- Unnecessary accounts are removed or disabled. [FII-SCF-012-IAC-07.1]
Accounts removed from Keycloak
Accounts removed from OpenProject
Accounts removed from Server
Accounts removed from GitLab
- Managers are notified when users are terminated or transferred, and when accounts (including shared/group, emergency, and temporary accounts) are no longer required.
- Netspective Communications LLC communicates password procedures and policies to all users who are given access to systems.
- Separate approval for access rights is obtained from the manager.
- The manager checks that the level of access granted is appropriate to the business purpose.
- Users are informed about their access rights.
- The manager ensures default accounts are removed and/or renamed.
- Critical access rights of users who have changed roles or jobs or left Netspective Communications LLC are removed or blocked immediately; non-critical access is removed or blocked within 24 hours.
Disabled users list - Keycloak
Disabled users list - OpenProject
Disabled users list - GitLab
User Login History
- Netspective Communications LLC does not use group, shared or generic accounts and passwords.
List of users
- Netspective Communications LLC verifies the registration process for receiving hardware administrative tokens and credentials used for Multi-Factor Authentication.
- In addition to assigning a unique ID and password, one of the following is used:
- Token
- The DevOps team disables emergency accounts within 24 hours and temporary accounts after a fixed duration not to exceed 30 days. [FII-SCF-009-DCH-09.3]
Disabled users list - Keycloak
Disabled users list - OpenProject
Disabled users list - GitLab
Privilege Management [FII-SCF-012-IAC-09]
- The allocation of privileges for all systems and system components is controlled through a formal authorization. [FII-SCF-012-IAC-16], [FII-SCF-012-IAC-20], [FII-SCF-012-IAC-01]
Log In Error
Role based users list
- The access privileges associated with each system product (e.g., operating system, database management system and each application) and the users to which they need to be allocated are identified.
- Privileges are allocated to users on a need-to-use basis and on an event-by-event basis.
- Netspective Communications LLC explicitly authorizes access to the following security functions:
- Setting/modifying audit logs and auditing behavior;
- Setting/modifying boundary protection system rules;
- Configuring/modifying access authorizations (i.e., permissions, privileges);
- Setting/modifying authentication parameters; and
- Setting/modifying system configurations and parameters.
- A record of all allocated privileges is maintained.
- Role-based access control (RBAC) is implemented and capable of mapping each user to one or more roles, and each role to one or more system functions. [FII-SCF-012-IAC-01]
Role based users list
- Elevated privileges are assigned to a different user ID from those used for normal business use. [FII-SCF-012-IAC-01]
Admin users list
Non Admin users list
- The development and use of programs that avoid the need to run with elevated privileges is promoted.
- The use of system administration privileges (any feature or facility of an information system that enables the user to override system or application controls) is minimized. Administration privileges are granted only when required and revoked once work is done.
- Access to privileged functions (e.g., system-level software, administrator tools, scripts, utilities) deployed in hardware, software, and firmware is restricted.
- The access control system for the system components storing, processing or transmitting covered information is set with a default “deny-all” setting.
- Netspective Communications LLC limits authorization to privileged accounts on information systems to a pre-defined subset of users, and tracks and monitors privileged role assignments for any misuse. Privileges are granted only when required and revoked when the work is done.
- Netspective Communications LLC audits the execution of privileged functions.
- All file system access not explicitly required for system, application, and administrator functionality is disabled.
- Access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems is restricted to personnel based upon the principle of least privilege, is granted only when needed for the work and revoked when the work is done, and is supported through technical controls (e.g., multi-factor authentication, audit trails, IP address filtering, firewalls, and TLS-encapsulated communications to the administrative consoles).
- Contractors are provided with minimal system and physical access.
- Netspective Communications LLC ensures that only authorized users are permitted to access files, directories, drives, workstations, servers, network shares, ports, protocols, and services, and only at times when they are expressly required for the performance of the users’ job duties.
User Password Management [FII-SCF-012-IAC-16], [FII-SCF-012-IAC-15]
- All users must enable Multi-factor Authentication (MFA) or two-factor authentication (2FA) on their accounts and keep it enabled at all times.
MFA/2FA Enabled users
- Users must use MFA/2FA such as a security token, biometric authentication, or a one-time code sent to a trusted device as the required means of authentication. They cannot use passwords as the sole means of authentication.
- Passwords are prohibited from being displayed when entered.
- Passwords are changed whenever there is any indication of possible system or password compromise.
- User identity is verified before performing password resets.
Allocation of Passwords [FII-SCF-012-IAC-15]
- The use of third parties or unprotected (clear text) electronic mail messages is avoided.
- Users acknowledge receipt of passwords.
- Default vendor passwords are altered following installation of systems or software.
- Temporary passwords are changed at the first log-on.
- Temporary passwords are given to users in a secure manner.
- Maintain a list of commonly-used, expected or compromised passwords, and update the list at least every 180 days. (Zero trust doesn’t promote rotation of passwords.)
- Verify, when users create or update passwords, that the passwords are not found on the Netspective Communications LLC defined list of commonly-used, expected, or compromised passwords.
- Transmit only cryptographically-protected passwords. [FII-SCF-012-IAC-04]
- Store passwords using an approved hash algorithm and salt, preferably using a keyed hash.
Store passwords
- Require immediate selection of a new password upon account recovery.
- Allow user selection of long passwords and passphrases, including spaces and all printable characters. (Zero Trust doesn’t promote the use of special characters in passwords.) [FII-SCF-012-IAC-16]
Store passwords
- Employ automated tools to assist the user in selecting strong passwords and authenticators. (Zero Trust doesn’t promote the use of special characters in passwords or password rotation.) [FII-SCF-012-IAC-16]
- MinimumPasswordAge = one day;
- MaximumPasswordAge = 60 days;
- MinimumPasswordLength = minimum length of 8 characters for regular user passwords, and minimum length of 15 characters for administrator or privileged user passwords;
- PasswordComplexity = minimum of three (for High) or one (for Moderate or Low) character(s) from the four character categories (A-Z, a-z, 0-9, special characters); and
Reset Password - validating Password Complexity
- PasswordHistorySize = 12 passwords for High or six passwords for Moderate or Low systems.
Passwords Settings
- Passwords are protected from unauthorized disclosure and modification when stored and transmitted.
- Passwords are not included in any automated log-on process.
- All passwords are encrypted during transmission and storage.
Encrypted passwords
- Users sign a statement to keep personal passwords confidential and to keep group passwords solely within the members of the group.
- Temporary passwords are unique to an individual and are not guessable.
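The password settings in this section (minimum/maximum age, length by role, complexity by system level, history size, the blocklist check and salted keyed-hash storage), applied in one check. This is an added illustration, not Netspective Communications LLC's own code; the function names, the tiny blocklist and the HMAC key ("pepper") are assumptions made for the example.

```python
"""Password policy checker built from the settings listed in this policy.

Added illustration, not Netspective Communications LLC's own code. Function
names, the sample blocklist and the HMAC key ("pepper") are assumptions.
"""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Settings as stated in the policy.
MIN_PASSWORD_AGE = timedelta(days=1)
MAX_PASSWORD_AGE = timedelta(days=60)
MIN_LENGTH = {"regular": 8, "privileged": 15}            # characters
REQUIRED_CATEGORIES = {"high": 3, "moderate": 1, "low": 1}
HISTORY_SIZE = {"high": 12, "moderate": 6, "low": 6}      # previous passwords kept

# Constructed, deliberately tiny stand-in for the organisation's list of
# commonly-used, expected or compromised passwords (refreshed every 180 days).
BLOCKLIST = {"password", "welcome1", "summer2024", "netspective"}

# Assumed: a deployment secret for the keyed hash, held outside the password
# store so that a leaked store alone cannot be attacked offline.
PEPPER = os.environ.get("PASSWORD_PEPPER", "example-pepper-not-for-production").encode()


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, keyed hash (HMAC-SHA256 over salt || password).

    The policy asks for an approved hash with salt, preferably keyed. A
    memory-hard KDF such as scrypt or Argon2id would be the production choice;
    HMAC keeps this example dependency-free."""
    return hmac.new(PEPPER, salt + password.encode("utf-8"), hashlib.sha256).digest()


def new_password_record(password: str) -> tuple:
    """Create the (salt, digest) pair that is stored; the clear text is not."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def category_count(password: str) -> int:
    """Number of the four character categories present: A-Z, a-z, 0-9, special."""
    alnum = string.ascii_letters + string.digits
    return sum([
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c not in alnum for c in password),
    ])


def check_new_password(password, role, system_level, history, last_changed, today):
    """Return the list of policy violations for a proposed password.

    role: "regular" or "privileged"; system_level: "high", "moderate" or "low";
    history: [(salt, digest), ...] for the user's previous passwords, newest
    first; last_changed: date of the last change, or None for a new account.
    An empty list means the password is accepted."""
    violations = []
    if last_changed is not None and today - last_changed < MIN_PASSWORD_AGE:
        violations.append("minimum password age of one day not yet reached")
    if len(password) < MIN_LENGTH[role]:
        violations.append(f"shorter than {MIN_LENGTH[role]} characters required for {role} users")
    needed = REQUIRED_CATEGORIES[system_level]
    if category_count(password) < needed:
        violations.append(f"fewer than {needed} character categories for a {system_level} system")
    if password.lower() in BLOCKLIST:
        violations.append("found on the blocklist of common or compromised passwords")
    # Compare against the retained history using each record's own salt.
    for salt, digest in history[: HISTORY_SIZE[system_level]]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            violations.append(f"reused within the last {HISTORY_SIZE[system_level]} passwords")
            break
    return violations


def password_expired(last_changed, today) -> bool:
    """True once the 60-day maximum age has been exceeded."""
    return today - last_changed > MAX_PASSWORD_AGE


if __name__ == "__main__":
    old = new_password_record("OldPass#2024abc")
    print(check_new_password("OldPass#2024abc", "regular", "high", [old],
                             date(2024, 1, 1), date(2024, 1, 10)))
    print(check_new_password("Tr0ub4dor&3xyz!", "privileged", "high", [old],
                             date(2024, 1, 1), date(2024, 1, 10)))
```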
Review of User Access Rights [FII-SCF-012-IAC-08]
- Users’ access rights are reviewed after any change, such as promotion, demotion, or termination of employment, or when any other arrangement with an employee/contractor ends.
- Users’ access rights are reviewed and re-allocated when moving from one role to another. User rights are not permanent or long-lived; they are granted dynamically as and when required.
- All types of accounts are reviewed at least every 90 days.
- Critical system accounts are reviewed at least every 60 days.
- Users’ access rights are reviewed at least every 90 days.
- Changes to access authorizations are reviewed at least every 90 days.
- Authorizations for special privileged access rights are reviewed at least every 90 days.
User Responsibilities: Password Use
- Keep passwords confidential.
- Avoid keeping a record (e.g., paper, software file or hand-held device) of passwords, unless this can be stored securely and the method of storing has been approved.
- Change passwords whenever there is any indication of possible system or password compromise.
- Not share individual user accounts or passwords.
- Not use the same password for business and non-business purposes.
- Select quality passwords.
Passwords Settings
Unattended User Equipment
- Terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism.
Log
- Log-off Computers, servers when the session is finished.
- Secure PCs or terminals from unauthorized use by a key lock or an equivalent control (e.g., password access) when not in use.
Network Access Control [FII-SCF-016-NET-01]
Use of Network Service
- Netspective Communications LLC specifies the networks and network services to which users are authorized access.
- Zero trust requires that enterprise applications be usable over the public internet, and that users log on to applications rather than to networks.
- Netspective Communications LLC determines who is allowed to access which network and networked services.
- Netspective Communications LLC specifies the means that can be used to access networks and network services.
Use of external information systems is managed effectively including: [FII-SCF-016-NET-03], [FII-SCF-016-NET-03.1]
- Information systems or components of information systems that are outside the boundary established by the Netspective Communications LLC are identified as external information systems including:
- Information systems or components of information systems for which the Netspective Communications LLC typically has no direct control over the application of required security controls, or the assessment of security control effectiveness are identified as external information systems;
- Personally owned information systems (e.g., computers, cellular telephones, or personal digital assistants) are identified as external information systems; and
- Privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, convention centers, or airports) are identified as external information systems.
- Authorized individuals are prohibited from using an external information system to access the information system or to process, store or transmit Netspective Communications LLC-controlled information except in situations where Netspective Communications LLC:
- Can verify the employment of required security controls on the external system as specified in the Netspective Communications LLC’s information security policy and system security plan; or
- Has approved information system connection or processing agreements with the organizational entity hosting the external information system.
User Authentication [FII-SCF-012-IAC-09], [FII-SCF-012-IAC-09.1]
- Authentication of users is implemented using a password or passphrase together with one of the methods below. Authentication using MFA should be done from a trusted device. [FII-SCF-012-IAC-10]
- Cryptography-based techniques;
- Biometric techniques;
- Hardware tokens;
- Software tokens;
- A challenge/response protocol;
- Certificate agents.
Settings
- Netspective Communications LLC protects wireless access to systems containing sensitive information by authenticating users and devices.
- Remote access to business information across public networks only takes place after successful identification and authentication.
- Remote access by vendors and business partners is disabled unless specifically authorized, and is deactivated immediately after use.
- Authentication of remote users is implemented via virtual private network (VPN) solutions. (Zero trust doesn’t promote VPN; it also requires that authentication be done from a trusted device.)
- All remote access is controlled through a limited number of managed access control points.
- The vendor is assigned a User ID and password and must enter the Netspective Communications LLC network through the standard authentication process. (Zero Trust needs people to log in to applications directly rather than to the network.) Access to such systems is authorized and logged. User IDs assigned to vendors are reviewed once a quarter.
- Netspective Communications LLC requires all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems, e.g., from an alternate work location or to sensitive information via a web portal) to use two-factor authentication. Zero trust needs multi-factor authentication, which could be done from the public internet.
- The execution of privileged commands and access to security-relevant information via remote access is only authorized for compelling operational needs.
- Netspective Communications LLC frequently monitors and controls remote access methods.
Equipment identification in networks
- An identifier is attached to the equipment to indicate whether this equipment is permitted to connect to the Netspective Communications LLC network. Identifiers shall clearly indicate to which network the equipment is permitted to connect, if more than one network exists and particularly if these networks are of differing sensitivity. Zero trust requires equipment to be a trusted device.
- Physical protection of the equipment is required to maintain the security of the equipment identifier. The identifier is stored and transported in an encrypted format to protect it from unauthorized access.
Remote Diagnostic and Configuration Port protection
- Access to network equipment is physically protected (e.g., a router must be stored in a room that is only accessible by authorized employees or contractors).
- Use of a key lock is required. Ports, services, and similar applications installed on a computer or network system that are not specifically required for business functionality are disabled or removed.
- Diagnostic and configuration ports are only accessible by arrangement between the manager of the computer service and the hardware/software support personnel requiring access.
- Netspective Communications LLC reviews the information system at least every 365 days to identify and disable unnecessary and non-secure functions, ports, protocols, and/or services.
- Netspective Communications LLC disables Bluetooth and peer-to-peer networking protocols within the information system when determined unnecessary.
- Netspective Communications LLC disables peer-to-peer wireless network capabilities on wireless clients.
- Netspective Communications LLC identifies unauthorized software on the information system, prohibits the execution of known unauthorized software on the information system, and reviews and updates the list of unauthorized software periodically, but no less than annually.
Segregation in networks [FII-SCF-016-NET-05.1]
Zero trust requires enterprise applications to be accessed over public internet.
- Security gateways (e.g., a firewall) are used between the internal network, external networks (Internet and third-party networks), and any demilitarized zone (DMZ). [FII-SCF-010-END-07-2]
Firewall Inbound Rules
Firewall Outbound Rules
- An internal network perimeter is implemented by installing a secure gateway (e.g., a firewall) between two interconnected networks to control access and information flow between the two domains.
Firewall Inbound Rules
Firewall Outbound Rules
- Wireless networks are segregated from internal and private networks.
- A firewall is established between any wireless network and the covered information system’s environment.
- Segregation of networks is based on the value and classification of information stored or processed in the network, levels of trust, or lines of business, in order to reduce the total impact of a service disruption.
- Networks are divided into separate logical network domains, each protected by a defined security perimeter.
- A graduated set of controls is applied in different logical network domains to further segregate the network security environments (e.g., publicly accessible systems; internal networks; critical assets).
- Segregation of separate logical domains is achieved by restricting network access using virtual private networks for user groups within Netspective Communications LLC.
- Networks are also segregated using network device functionality (e.g., IP switching).
- A baseline of network operations and expected data flows for users and systems is established.
- The domains are defined based on a risk assessment and the different security requirements within each of the domains.
- Netspective Communications LLC implements subnetworks for publicly accessible system components that are logically separated from internal organizational networks.
- Netspective Communications LLC verifies any server that is visible from the Internet or an untrusted network and, if it is not required for business purposes, moves it to an internal VLAN and gives it a private address.
- Netspective Communications LLC uses a network segregated from production-level networks when migrating physical servers, applications or data to virtualized servers.
- Netspective Communications LLC manages the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Network Connection Control [FII-SCF-016-NET-04.1]
- Network traffic is denied by default and allowed by exception (i.e., deny all, permit by exception).
Firewall Inbound Rules
Firewall Outbound Rules
- Netspective Communications LLC restricts the ability of users to connect to the internal network in accordance with the requirements of the business applications. Zero trust needs people to be able to connect to applications instead of the network.
- The connection capability of users is restricted through network gateways (e.g., a firewall) that filter traffic by means of pre-defined tables or rules, for example for:
- Messaging (e.g., electronic mail);
- File transfer (e.g., peer-to-peer, FTP);
- Interactive access (e.g., where a user provides input to the system); and
- Common Windows applications.
- Exceptions to the traffic flow policy are reviewed at least every 365 days.
- Linking network access rights to certain times of day or dates is implemented.
- The number of external network connections to the information system is limited (e.g., by prohibiting desktop modems) to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.
Firewall Outbound Rules
- Netspective Communications LLC implements a managed interface for each external telecommunication service.
- Netspective Communications LLC establishes a traffic flow policy for each managed interface.
- Netspective Communications LLC employs security controls as needed to protect the confidentiality and integrity of the information being transmitted.
- Netspective Communications LLC documents each exception to the traffic flow policy.
- Netspective Communications LLC removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.
- Remote devices that have established a non-remote connection are prevented from simultaneously establishing non-remote connections with the system.
Network Routing Control [FII-SCF-016-NET-04]
- Security gateways (e.g., a firewall) are used between internal and external networks (Internet and third-party networks). Netspective Communications LLC implements routing controls at the network perimeter.
- Security gateways (e.g., a firewall) are used to validate source and destination addresses at internal and external network control points.
- Netspective Communications LLC designs and implements network perimeters so that all outgoing network traffic to the Internet must pass through at least one application layer filtering proxy server.
- The proxy supports decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a blacklist, and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites.
- Forces outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter.
- Routing controls are based on positive source and destination address checking mechanisms. Internal directory services and internal IP addresses are protected and hidden from any external access.
Operating System Access Control
Secure log on procedure
- A secure log-on procedure:
- Displays a general notice warning that the computer can only be accessed by authorized users;
- Limits the number of unsuccessful log-on attempts allowed to six attempts;
- Enforces recording of unsuccessful and successful attempts;
Unsuccessful Attempts Log
- Forces a time delay of 30 minutes before further log-on attempts are allowed, or rejects any further attempts without specific authorization from an administrator; and
- Does not display the password being entered, hiding the password characters with symbols.
The log-on procedure:
- Limits the number of unsuccessful log-on attempts allowed to three attempts, and enforces:
- Disconnecting data link connections;
- Sending an alarm message to the system console if the maximum number of log-on attempts is reached; and
- Setting the number of password retries in conjunction with the minimum length of the password and the value of the system being protected;
- Limits the maximum and minimum time allowed for the log-on procedure; if exceeded, the system terminates the log-on;
- Does not transmit usernames and passwords in clear text over the network;
- Does not display system or application identifiers until the log-on process has been successfully completed;
- Does not provide help messages during the log-on procedure that would aid an unauthorized user; and
- Validates the log-on information only on completion of all input data. If an error condition arises, the system does not indicate which part of the data is correct or incorrect.
- Configure the information system to lock out the user account automatically after three failed log-on attempts by a user during a one-hour time period.
Fail2Ban
- Require the lockout to persist for a minimum of three hours.
- Training includes reporting procedures and the responsibility of authorized users to report unauthorized log-ons and unauthorized attempts to log on.
- The number of concurrent sessions is limited to a specified number for all account types defined by Netspective Communications LLC.
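The lockout rule in this section (three failed log-on attempts within one hour, lock held for at least three hours), worked as an added example rather than the organisation's own Fail2Ban configuration: a small Python tracker replayed over a constructed authentication log. The log format, class and function names are assumptions.

```python
"""Account lockout tracker for the log-on rule in this policy: lock an account
after three failed attempts within one hour and keep the lock for at least
three hours. Added illustration, not the organisation's own code or Fail2Ban
configuration; the log format and names below are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_ATTEMPTS_LIMIT = 3                # policy: three failed attempts ...
OBSERVATION_WINDOW = timedelta(hours=1)  # ... during a one-hour period
LOCKOUT_DURATION = timedelta(hours=3)    # policy: lock persists at least three hours

# Constructed sample log: ISO timestamp, user, outcome (FAIL or OK), in time order.
SAMPLE_LOG = """\
2024-03-01T08:00:00 alice FAIL
2024-03-01T08:10:00 alice FAIL
2024-03-01T08:20:00 alice FAIL
2024-03-01T08:25:00 alice OK
2024-03-01T09:00:00 bob FAIL
2024-03-01T10:30:00 bob FAIL
2024-03-01T10:45:00 bob FAIL
2024-03-01T10:50:00 bob OK
2024-03-01T11:30:00 alice OK
"""


class LockoutTracker:
    def __init__(self):
        self.failures = defaultdict(list)  # user -> timestamps of failures in window
        self.locked_until = {}             # user -> datetime at which the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record(self, user, outcome, now):
        """Apply one log-on event and return the decision:
        'denied' - account is locked, attempt rejected before evaluation
        'locked' - this failure reached the limit and started a lock
        'fail'   - failure counted, limit not yet reached
        'ok'     - successful log-on, failure count reset"""
        if self.is_locked(user, now):
            return "denied"
        if outcome == "OK":
            self.failures[user].clear()
            return "ok"
        # Keep only failures inside the sliding one-hour window, then add this one.
        recent = [t for t in self.failures[user] if now - t < OBSERVATION_WINDOW]
        recent.append(now)
        if len(recent) >= FAILED_ATTEMPTS_LIMIT:
            self.locked_until[user] = now + LOCKOUT_DURATION
            self.failures[user] = []
            return "locked"
        self.failures[user] = recent
        return "fail"


def replay(log_text):
    """Feed a log to a fresh tracker; return [(user, decision), ...] per line."""
    tracker = LockoutTracker()
    decisions = []
    for line in log_text.splitlines():
        ts, user, outcome = line.split()
        decisions.append((user, tracker.record(user, outcome, datetime.fromisoformat(ts))))
    return decisions


if __name__ == "__main__":
    for user, decision in replay(SAMPLE_LOG):
        print(user, decision)
```

Bob's three failures span more than an hour, so the sliding window never reaches three and no lock is applied; Alice's correct password at 08:25 is still refused because the lock is checked before the credential is evaluated.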
User Identification and Authentication
- Before allowing access to system components or data, verifiable unique IDs are assigned to all types of users, for example:
- Technical support personnel;
- Operators;
- Network administrators;
- System programmers; and
- Database administrators.
- The following is required for each category of User ID:
- Regular User IDs:
Users list
- User IDs are used to trace activities to the responsible individual; and
- Regular user activities are not performed from privileged accounts.
- Shared user/group IDs:
- In exceptional circumstances, where there is a clear business benefit, a shared user ID for a group of users or a specific job may be used;
- Approval by management is documented for such cases; and
- Additional controls are required to maintain accountability.
- Generic IDs:
- Generic IDs for use by an individual are only allowed where the functions accessible or actions carried out by the ID do not need to be traced (e.g., read-only access).
- Redundant user IDs are not issued to other users.
- Non-organizational users are uniquely identified.
- Users are uniquely identified and authenticated for both local and remote access to information systems.
- Electronic signatures, unique to one individual, ensure that the signature cannot be reused by, or reassigned to, anyone else.
- Strong authentication methods in addition to passwords are used for communicating through an external, non-organization-controlled network.
- Help desk support requires user identification for any transaction that has information security implications.
- During the registration process to provide new or replacement hardware tokens, in-person verification is required.
- When PKI-based authentication is used, the information system:
- Validates certificates by constructing a certification path with status information to an accepted trust anchor;
- Validates certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;
- Enforces authorized access to the corresponding private key;
- Maps the authenticated identity to the account of the individual or group; and
- Implements a local cache of revocation data to support path discovery and validation in case of an inability to access revocation information via the network.
- The information system uses replay-resistant authentication mechanisms such as nonces, one-time passwords, or timestamps (e.g., Kerberos, TLS, etc.) for network access to privileged accounts.
- Netspective Communications LLC requires that access for all accounts, including those for network and security devices, is obtained through a centralized point of authentication, for example Active Directory or LDAP.
- Electronic signatures and handwritten signatures executed to electronic records are linked to their respective electronic records.
- Signed electronic records contain information associated with the signing that clearly indicates the following in human-readable format:
- The printed name of the signer;
- The date and time when the signature was executed; and
- The meaning of the signature (e.g., review, approval, responsibility, authorship).
- Use multifactor authentication for remote network access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
Authentication
Password Management System
- A password management system is implemented to:
- Require the use of individual user IDs and passwords to maintain accountability;
- Allow users to select and change their own passwords and include a confirmation procedure to allow for input errors;
- Force users to change temporary passwords at the first log-on;
- Not display passwords on the screen when being entered; and
- Always change vendor-supplied defaults before installing a system on the network, including passwords and simple network management protocol (SNMP) community strings, and eliminate unnecessary accounts.
- The password management system:
- Stores and transmits passwords in protected (e.g., encrypted or hashed) form;
Encrypted passwords
- Stores password files separately from application system data;
- Enforces a choice of quality passwords (Zero trust promotes the use of simple passwords);
- Enforces password changes; and
- Maintains a record of previous user passwords and prevents re-use.
Use of system utilities [FII-SCF-012-IAC-20], [FII-SCF-012-IAC-21]
- The use of system utilities (e.g., administrative tools in Windows, the settings section— specifically network/device/security configuration–on VoIP phones, etc.) is controlled by implementing the following;
- Use of identification, authentication, and authorization procedures for system utilities;
- Segregation of system utilities from applications software; and
- limitation of the use of system utilities to the minimum practical number of trusted, authorized users
- The use of system utilities is controlled by implementing the following
- Authorization for ad hoc use of systems utilities;
- Limitation of the availability of system utilities (e.g., limitation of availability by setting restrictive file system-level permissions for the access and execution of system utilities such as cmd.exe, ping, tracert, ipconfig, ifconfig, etc.);
- Disabling public “read” access to files, objects, and directories;
- Logging of all use of system utilities;
- Defining and documenting authorization levels for system utilities;
- Deletion of, or file system file execution permission denial of, all unnecessary software-based utilities and system software; and
- Not making system utilities available to users who have access to applications on systems where segregation of duties is required
- The information system owner regularly reviews the system utilities available, identifies unnecessary functions (such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers) and eliminates them.
- Public “read” and “write” access to all system files, objects, and directories is disabled.
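The file-system side of the controls above (restrictive permissions on utilities, no public read or write access to system files) can be checked mechanically. The Python audit below is an added example and not part of the policy: it walks a directory tree, reports every regular file that the "other" class can read, write or execute, flags the ones whose names match utilities the policy cites, and can strip those bits so that only the owner and an administrators group (set separately with chgrp) keep access. The utility list and the sample tree it builds are assumptions constructed for the example.

```python
import os
import stat
import tempfile
from typing import List, Tuple

OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH

# Utilities the policy names as candidates for restricted execution (assumed list;
# extend per platform). Matched by base name so the audit also works on a staging copy.
RESTRICTED_UTILITIES = {"cmd.exe", "ping", "tracert", "traceroute", "ipconfig", "ifconfig"}


def describe_other(mode: int) -> str:
    """Summarise what 'other' (any local account) may do with the file: 'r', 'w', 'x' or a mix."""
    flags = ((stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x"))
    return "".join(letter for bit, letter in flags if mode & bit) or "-"


def current_mode(path: str) -> int:
    """Permission bits only (no file-type bits), e.g. 0o750."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_tree(root: str) -> List[Tuple[str, str, bool]]:
    """Return (path, other-rights, is_restricted_utility) for every regular file that
    grants any right to 'other'. Symlinks are skipped: the target is audited where it
    really lives, and chmod on a link would follow it to an unexpected file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & OTHER_BITS:
                findings.append((path, describe_other(st.st_mode), name in RESTRICTED_UTILITIES))
    return sorted(findings)


def drop_other_access(path: str) -> int:
    """Remove read, write and execute for 'other'. Owner and group bits are untouched,
    so an administrators group keeps its access. Returns the new permission bits."""
    new_mode = current_mode(path) & ~OTHER_BITS
    os.chmod(path, new_mode)
    return new_mode


def remediate_tree(root: str) -> int:
    """Tighten every finding; returns the number of files changed."""
    changed = 0
    for path, _rights, _restricted in audit_tree(root):
        drop_other_access(path)
        changed += 1
    return changed


def build_sample_tree() -> str:
    """Constructed sample input: a throwaway directory holding two world-accessible
    files (a utility and a data file) and two that are already restricted."""
    root = tempfile.mkdtemp(prefix="utility-audit-")
    for name, mode in (("ping", 0o755), ("notes.txt", 0o644),
                       ("secret.key", 0o600), ("ifconfig", 0o750)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, rights, restricted in audit_tree(sample):
        print(f"{rights:3} {'UTILITY' if restricted else '       '} {path}")
    print(f"{remediate_tree(sample)} file(s) tightened; remaining findings: {audit_tree(sample)}")
```

Run the audit against a copy of the directories in question before touching live system paths: on a real host the remediation needs root, and stripping execute permission from a utility that a service account legitimately runs will break that service, which is exactly the review the policy asks the system owner to perform first.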
Session time out
- A time-out mechanism that conceals the information previously visible on the display with a publicly viewable image (e.g., a screen saver or lock screen) locks the session after 15 minutes of inactivity, and network sessions are closed after 30 minutes of inactivity.
- The system requires the user to re-establish access using appropriate identification and authentication procedures.
- For systems located in publicly accessible areas, the time-out locks the session after 2 minutes of inactivity; network sessions are still closed after 30 minutes of inactivity.
Information access restriction [FII-SCF-012-IAC-17]
- Restrictions to access are based on individual business application requirements, including:
- Providing menus to control access to application system functions; and
- Controlling the access rights of users (e.g., read, write, delete, and execute)
- Associated identification and authentication controls are developed, disseminated, and periodically reviewed and updated, including:
- Specific user actions that can be performed on the information system without identification or authentication are identified and supporting rationale documented;
- Actions to be performed without identification and authentication are permitted only to the extent necessary to accomplish mission objectives;
- The following guidelines are implemented in order to support access restriction requirements:
- Controlling access rights to other applications according to applicable access control policies.
- Ensuring that outputs from application systems handling covered information contain only the information relevant to the use of the output and are sent only to authorized terminals and locations; and
- Performing periodic reviews of such outputs to ensure that redundant information is removed.
- Data stored in the information system is protected with system access controls including file system, network share, claims, application, and/or database specific access control lists and is encrypted when residing in non-secure areas.
- Individuals accessing sensitive information (e.g., covered information, cardholder data) from a remote location are prohibited from copying, moving, printing (including print screen) or storing this information on local hard drives and removable electronic media, unless explicitly authorized for a defined business need.
- Restrict the use of database management utilities to only authorized database administrators.
- Users are prevented from accessing database data files directly; access to data is mediated by the database at the logical data view, field, or field-value level.
- Column-level access controls are implemented to restrict database access.
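Column-level restriction of the kind described in the last two points, shown as an added Python example rather than anything from the policy: a SQLite authorizer callback is consulted for every column a statement would read and refuses the statement when the caller's role has no grant for that column, so the restriction is enforced by the database engine rather than by the application's good behaviour. The employee table, the roles and the grant matrix are constructed for the example; in a server DBMS the same effect comes from column-level GRANTs or from views that expose only the permitted columns.

```python
import sqlite3
from typing import Dict, List, Set, Tuple, Union

# Constructed sample data: an employee table with two sensitive columns.
SEED_SQL = """
CREATE TABLE employees (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    email   TEXT NOT NULL,
    salary  INTEGER NOT NULL,
    ssn     TEXT NOT NULL
);
INSERT INTO employees VALUES
    (1, 'Ada Lovelace', 'ada@example.com',   120000, '000-00-0001'),
    (2, 'Grace Hopper', 'grace@example.com', 135000, '000-00-0002');
"""

# Assumed role model: which columns of which table each role may read.
COLUMN_GRANTS: Dict[str, Dict[str, Set[str]]] = {
    "support": {"employees": {"id", "name", "email"}},
    "payroll": {"employees": {"id", "name", "email", "salary", "ssn"}},
}


def make_authorizer(role: str):
    """Build the callback SQLite invokes while compiling each statement. It sees every
    (table, column) pair the statement would read, so a SELECT that names, filters on
    or sorts by an ungranted column is rejected before any row is fetched."""
    grants = COLUMN_GRANTS.get(role, {})

    def authorize(action, arg1, arg2, db_name, trigger_or_view):
        if action == sqlite3.SQLITE_READ:
            table, column = arg1, arg2
            if not column:                      # table referenced without extracting a value
                return sqlite3.SQLITE_OK
            if column in grants.get(table, set()):
                return sqlite3.SQLITE_OK
            return sqlite3.SQLITE_DENY          # SQLITE_IGNORE would instead return NULL for the column
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY              # read-only role: no INSERT/UPDATE/DELETE/DDL

    return authorize


def query_as(role: str, sql: str) -> Tuple[str, Union[List[tuple], str]]:
    """Run sql under the role's authorizer against a freshly seeded in-memory database.
    Returns ('ok', rows) or ('denied', engine error text)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)               # schema is created before the authorizer is attached
    conn.set_authorizer(make_authorizer(role))
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return "denied", str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    for role, sql in (("support", "SELECT name, email FROM employees ORDER BY id"),
                      ("support", "SELECT name, salary FROM employees"),
                      ("payroll", "SELECT salary FROM employees WHERE id = 1"),
                      ("support", "UPDATE employees SET email = 'x' WHERE id = 1")):
        print(role, "|", sql, "->", query_as(role, sql))
```

Denying rather than ignoring an ungranted column makes `SELECT *` fail for a restricted role, which is the safer default: a report that silently carries NULLs in a sensitive column is easy to mistake for complete data, whereas a rejected statement forces the requester to ask for the columns the role is actually granted.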
Teleworking
- The following points must be addressed
- The use of home networks and requirements or restrictions on the configuration of wireless network services, including encryption (WPA2 with AES/CCMP at a minimum);
- Verifiable unique IDs are required for all teleworkers accessing the Netspective Communications LLC network via a remote connection.
- The connection between Netspective Communications LLC and the teleworker’s location is secured via an encrypted channel.
- Training on security awareness, privacy and teleworker responsibilities is required prior to authorization and training methods are reviewed.
- The following matters are addressed prior to authorizing teleworking:
- A definition of the work permitted, the hours of work, the classification of information that may be held, and the internal systems and services that the teleworker is authorized to access;
- The provision of suitable communication equipment, including methods for securing remote access;
- The procedures for back-up and business continuity;
- All personnel working from home for Netspective Communications LLC must implement fundamental security controls and practices, including using passwords, installing virus protection, using personal firewalls, securing laptops with cable locks, recording serial numbers and identification information for laptops, and disconnecting modems when working at alternate worksites.
- Remote access is limited to only information resources required by home users to complete job duties.
- Netspective Communications LLC provided equipment is only used for business purposes by authorized employees.