Account Management Policy

SOC2 Certification | Netspective Unified Process

The Account Management Policy outlines the guidelines and procedures for the management of accounts within Netspective Communications LLC.

  • An individual employee or group must be assigned responsibility for account management for all accounts. This responsibility may be shared between the business unit and information technology (IT).

  • Access to systems must be provided through the use of individually assigned unique identifiers, known as user-IDs, except as described in the Account Management/Access Control Standard.

  • A user-ID must have an associated authentication token (e.g., password, key fob, biometric) which the person or system requesting access must use to authenticate their identity.

  • Automated techniques and controls must be implemented to require authentication or re-authentication after a period of inactivity for any system where authentication is required. During session lock, publicly viewable information (e.g., screen saver, blank screen, clock) must replace information on the screen.

  • A session must be terminated after specific conditions are met as defined in the Account Management/Access Control Standard, and automated techniques and controls must be implemented to achieve this.

  • Confidential treatment must be given to tokens used to authenticate a person or process, and they must be protected appropriately. Storing tokens on paper or in an electronic file, hand-held device or browser is not allowed unless the method of storing (e.g., password vault) has been approved by the ISO/designated security representative.

  • Information owners must determine who should have access to protected resources within their jurisdiction and what those access privileges should be (read, update, etc.).

  • Access privileges will be granted in accordance with the user’s job responsibilities and limited only to those necessary to accomplish assigned tasks in accordance with entity missions and business functions (i.e., least privilege).

  • Users who hold privileged accounts must use a separate, non-privileged account when performing normal business transactions (e.g., accessing the Internet, e-mail).

  • All systems where logon banners exist must implement them to inform all users that the system is for business or other approved use consistent with policy, and that user activities may be monitored and the user should have no expectation of privacy.

  • The entity must provide advance approval for any remote access connection. An assessment must be performed and documented to determine the scope and method of access, the technical and business risks involved and the contractual, process and technical controls required for such connection to take place.

  • The ISO/designated security representative must review all managed points-of-entry through which all remote connections must be made.

  • Management must authorize working from a remote location, and practices assuring appropriate protection of data in remote environments must be shared with the individual prior to the individual being granted remote access.

Approved by Ajay Kumaran Nair on August 9, 2023 | Last Updated by Sreejith K on August 9, 2023