IT Policy New

Upload: syeda-farwa, posted 04-Jun-2018

8/13/2019 It Policy New 1/9


a) a password for a system account is provided to the user by their manager, rather than electronically through email messaging; and

b) Initial or temporary passwords are changed immediately upon their first use.

1.3.4 Review of User Access Rights

AG OFFICES/AGPR/PIFRA management shall ensure that comprehensive procedures are developed and enforced for the review of user access rights at regular intervals. This review shall be documented for future reference and audits.

1.4 Password Policy

AG OFFICES/AGPR/PIFRA management shall ensure that a strong password management and usage policy is developed and enforced. The policy shall consider the following aspects:

a. Users are required to change their password within 90 days. If a user does not change his/her password within 90 days, he/she will be automatically prompted for the change of password.

b. Users must choose passwords that are difficult to guess. This means that passwords must not be related to one's job or personal life. For example, a car license plate number, a spouse's name, or fragments of an address must not be used. This also means passwords must not be a word found in the dictionary or some other part of speech. For example, proper names, places, technical terms, and slang must not be used.

c. Password control software will be used to prevent users from selecting easily-guessed passwords. A good password may be a mixture of upper- and lower-case letters along with numbers.

[Ref: Email & Internet Policy for the Federal Government - Annexure E1]

d. Individual passwords shall be enforced by the applications and operating systems to maintain accountability for access;

e. A record of previously used passwords shall be maintained by the password management system to prevent re-use by users (password history);

f. [item text not recoverable from the scan];

g. Passwords shall have at least eight (8) characters;

h. Passwords shall not be written down, stored online or saved electronically;

i. Password's minimum age shall be zero (0) days;

j. Password's history shall be enforced to the last 3 passwords;

k. Password's unsuccessful attempts shall not be more than three (3); and

l. Account lockout shall be configured for at least 10 minutes.
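As an added worked example (not part of the policy document), the checks of items a to j above written as a small password-control routine: the word list, the sample passwords and the SHA-256 history digests are constructed for the example, and the mixed-case-plus-digit rule of item c is treated as mandatory rather than advisory.

```python
import hashlib
import re
from datetime import date, timedelta

# Parameters as stated in section 1.4 of the policy.
MAX_AGE_DAYS = 90      # a. passwords must be changed within 90 days
MIN_LENGTH = 8         # g. at least eight (8) characters
HISTORY_DEPTH = 3      # j. history enforced to the last 3 passwords

# Constructed stand-in for the word list a real password-control tool would load (item b).
DICTIONARY = {"password", "welcome", "summer", "lahore", "admin", "secret"}


def digest(password):
    """Digest kept in the password history (item e) so no password is stored.
    SHA-256 only keeps the example self-contained; a deployment would use a salted,
    slow scheme such as bcrypt or Argon2 (assumption, not from the policy)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate, personal_terms, history):
    """Return the list of policy violations for `candidate`; an empty list means acceptable.
    personal_terms: strings item b forbids inside a password (names, plate number, address parts).
    history: digests of the user's previous passwords, oldest first."""
    violations = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    # Item c: the recommended mix of upper case, lower case and digits is enforced here.
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)
            and re.search(r"[0-9]", candidate)):
        violations.append("needs upper case, lower case and digits")
    # Item b: not a dictionary word, even when padded with digits or symbols (e.g. Welcome2013).
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY:
        violations.append("based on a dictionary word")
    # Item b: nothing related to the user's job or personal life.
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            violations.append("contains personal term '%s'" % term)
    # Items e and j: no re-use of any of the last three passwords.
    if digest(candidate) in history[-HISTORY_DEPTH:]:
        violations.append("re-uses one of the last %d passwords" % HISTORY_DEPTH)
    return violations


def change_due(last_changed_iso, today_iso):
    """Item a: True once the password is 90 days old. Item i sets the minimum age
    to zero, so there is no lower bound on when a user may change it."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age >= timedelta(days=MAX_AGE_DAYS)
```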

VERSION: 1.3 ISSUE: MARCH 2013 PAGE 2 OF 9 PROPRIETARY & CONFIDENTIAL

THE INFORMATION CONTAINED IN THIS DOCUMENT IS SENSITIVE AND INTENDED FOR AG OFFICES/AGPR/PIFRA INTERNAL DISTRIBUTION ONLY. NOT TO BE COPIED OR DISTRIBUTED.


1.5 Clear Desk and Clear Screen Policy

a. Use password-protected screen savers to avoid misuse of their PCs by unauthorized personnel. Users leaving their computers unattended for more than 15 minutes should consider logging off the network.

b. Log off the network at the end of each day and power off their workstations.

[Ref. Email & Internet Policy for the Federal Government - Annexure E(13)]

c. Sensitive information on paper or removable media will be locked away or, at a minimum, stored out of sight when unattended and when not in use; and

d. Faxes and photocopiers will be sited to protect against unauthorized access and will be cleared of unclaimed content at least daily. When printing or copying sensitive information it is the responsibility of the initiator to ensure the copies or printouts are cleared from the machine immediately.

1.6 Privilege Access Policy

1.6.1 Privileged Access Management

a) Administrative or similar privileged access to system level resources shall be for the exclusive use of personnel performing system maintenance and related administrative duties;

b) Privileged access shall be used only for system administrative tasks where such access is required. Non-administrative tasks shall be performed through standard user identities and privileges (no administrative rights); and

c) Privileged access shall be logged and reviewed regularly to identify and remove invalid users and accounts.

1.6.2 Maintenance of Access Privileges

Owners of information related assets or business processes shall perform regular reviews of user access privileges for their respective systems to identify and remove invalid users and accounts.

1.6.3 Revoking Access Privileges

a) Upon change of a user's employment status or role within AG OFFICES/AGPR/PIFRA (e.g. transfer, promotion, termination), owners of the information related assets and business processes shall be notified by the human resource wing;

b) Access privileges shall be immediately revoked or reassigned (if appropriate) upon notification; and

c) Where the termination date is known, as in the case of temporary workers or contractors, the respective access privileges shall have an automatic termination date where possible.

1.7 Network Access Control

A Network/System administrator(s) under the overall control of the controlling authority in respective Government Organizations will manage the IT Infrastructure in his/her organization as per the guideline provided at Email & Internet Policy for the Federal Government - Annex-E.

[Ref: Email & Internet Policy for the Federal Government - d]


1.7.1 Authentication for Inbound Connections

AG OFFICES/AGPR/PIFRA through the Network and ASIS team shall ensure that authorized external sources or users outside of the AG OFFICES/AGPR/PIFRA network are appropriately identified and authenticated before their session is connected into the network.

1.7.2 Authentication for Outbound Connections

AG OFFICES/AGPR/PIFRA management shall ensure that all external network destinations with which a connection is required are identified, documented, and authenticated prior to establishing a connection into such external networks. This is essentially important to prevent any potential threat that exposes AG OFFICES/AGPR/PIFRA to significant operational risk.

1.7.3 Remote Diagnostic Port Protection

AG OFFICES/AGPR/PIFRA management shall ensure that only the network ports documented as necessary for its operations are opened. All the ports that permit remote access for administrator or diagnostic use shall have more stringent security mechanisms to prevent unauthorized access. All the open ports shall require prior formal authorization from the owner of the information related asset or the relevant competent authority. The level of security applied shall be commensurate with the risks involved.

1.7.4 Segregation in Networks

AG OFFICES/AGPR/PIFRA management shall ensure that segments of the AG OFFICES/AGPR/PIFRA network are logically separated to implement the segregation of incompatible duties and access privileges of users, both internal and external to AG OFFICES/AGPR/PIFRA.

In consideration of access control policies, access requirements, and risk assessments, the AG OFFICES/AGPR/PIFRA network shall be divided into appropriate domains, zones or segments which the user has been authorized to use. The controls to achieve this include but are not limited to:

a) Disabling of unlimited network roaming (the user will have access to a specific

User login failures; and

Failure to obtain privileged access.

1.11 Hardening the Operating System and Applications

AG OFFICES/AGPR/PIFRA management shall ensure that it creates a De-Militarized Zone within its technical infrastructure. Special considerations shall be made in terms of the following:

a) All systems to be placed in the DMZ shall be "hardened", a process of shutting off unnecessary protocols and services and applying necessary security patches to the operating system and applications on the system;

b) Systems to be placed in the DMZ shall be scanned for vulnerabilities;

c) Scanning shall be done in such a manner that the systems shall not be interrupted; and

d) Upon identification of a vulnerability or threat in the network, the respective file server shall be temporarily disconnected from the network until security risks are mitigated.

1.12 Operating System Access Control

Operating systems on all AG OFFICES/AGPR/PIFRA assets shall be appropriately configured and subject to access controls to prevent unauthorized modification or access to information.

1.12.1 Secure Log-on Procedures

Log-on procedures are customized wherever possible to provide the minimum amount of information needed by the user to properly authenticate. Where possible, the following controls are implemented:

a) System or application identifiers are not displayed until the log-on process has been successfully completed;

b) Logon information is validated only upon correct completion of all input data, and no indication as to which portion of the authentication information is incorrect will be given on unsuccessful login attempts; and

c) The number of unsuccessful system log-on attempts is limited.

A time limit between unsuccessful system log-on attempts is enforced to prevent brute force attacks on the systems.
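As an added example (not part of the policy document), the log-on controls of this section combined with the lockout values from section 1.4 (three attempts, ten-minute lockout): the user store, the user ID and the two-second retry delay are constructed assumptions, and the response text is identical for every failure so nothing reveals which part of the credential was wrong.

```python
import hashlib
import hmac
import time

# Parameters from section 1.4 (items k and l) and section 1.12.1 of the policy.
MAX_FAILED_ATTEMPTS = 3     # k. no more than three unsuccessful attempts
LOCKOUT_SECONDS = 10 * 60   # l. account lockout for at least 10 minutes
RETRY_DELAY_SECONDS = 2     # 1.12.1: time limit between failed attempts (value assumed)

# Constructed user store: user ID -> SHA-256 of the password. A deployment would
# use a salted, slow password hash; plain SHA-256 only keeps the example short.
USERS = {"sfarwa": hashlib.sha256(b"Tq7#mRv2pL").hexdigest()}

# One message for every failure: the response never says whether the user ID or
# the password was wrong, or whether the account exists at all (1.12.1 b).
GENERIC_FAILURE = "Authentication failed"


class LoginGuard:
    """Tracks failed log-on attempts per user ID and enforces the lockout rules."""

    def __init__(self):
        self.failures = {}       # user ID -> (failed count, time of last failure)
        self.locked_until = {}   # user ID -> epoch seconds at which the lockout ends

    def attempt(self, username, password, now=None):
        """Return (success, message); `now` is epoch seconds, injectable for testing."""
        now = time.time() if now is None else now
        if self.locked_until.get(username, 0) > now:
            return False, GENERIC_FAILURE     # still locked: the password is not even checked
        count, last = self.failures.get(username, (0, None))
        if last is not None and now - last < RETRY_DELAY_SECONDS:
            return False, GENERIC_FAILURE     # too soon after a failure: throttles brute force
        # Hash the supplied password for unknown user IDs too, so both paths take similar time.
        supplied = hashlib.sha256(password.encode("utf-8")).hexdigest()
        stored = USERS.get(username, "")
        if stored and hmac.compare_digest(stored, supplied):
            self.failures.pop(username, None)
            return True, "Welcome, " + username   # details appear only after success (1.12.1 a)
        count += 1
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS   # third failure locks the ID
            self.failures.pop(username, None)
        else:
            self.failures[username] = (count, now)
        return False, GENERIC_FAILURE
```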

1.12.2 User Identification and Authentication

a) Identification and authentication of a user is established prior to the user obtaining the ability to access an application account after an account lockout, or when establishing a new account;

b) Access to computing resources is only initiated with appropriate authorization from AG OFFICES/AGPR/PIFRA and from the system owner;

c) Authorized users are uniquely identified and verified by the system before access to its resources is permitted;

d) A unique user ID is assigned to each employee, contractor or consultant requiring access to AG OFFICES/AGPR/PIFRA applications to allow for appropriate monitoring of access and activities under that ID; and


After 90 days the logs are archived and retained on secondary backup media such as tapes.

Log information shall be protected against tampering / modification and unauthorized access. Out of Normal Business Hours working is to be logged and reviewed the next day.

1.13 Mobile Computing

All mobile computing devices storing / carrying sensitive information, i.e. laptop computers, notebooks, mobile phones and BlackBerry devices, shall ensure secure communication. Further, all mobile computing devices shall be encrypted to ensure confidentiality.
