Integrated Distributors Incorporated (IDI) will establish specific requirements for protecting information and information systems against unauthorised access. IDI will effectively communicate the need for information and information system access control.
Information security is the protection of information against accidental or malicious disclosure, modification or destruction. Information is an important, valuable asset of IDI which must be managed with care. All information has a value to IDI. However, not all of this information has an equal value or requires the same level of protection. Access controls are put in place to protect information by controlling who has the rights to use different information resources and by guarding against unauthorised use. Formal procedures must control how access to information is granted and how such access is changed. This policy also mandates a standard for the creation of strong passwords, their protection and frequency of change.
This policy applies to all IDI Stakeholders, Committees, Departments, Partners, Employees of IDI (including system support staff with access to privileged administrative passwords), contractual third parties and agents of the Council with any form of access to IDI’s information and information systems.
Access control rules and procedures are required to regulate who can access IDI information resources or systems and the associated access privileges. This policy applies at all times and should be adhered to whenever accessing IDI information in any format, and on any device.
On occasion, business information may be disclosed or accessed prematurely, accidentally or unlawfully. Individuals or companies without the correct authorisation and clearance may intentionally or accidentally gain unauthorised access to business information, which may adversely affect day to day business. This policy is intended to mitigate that risk. Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers.
Applying the Policy – Passwords / Choosing Passwords
Passwords are the first line of defence for our ICT systems and together with the user ID help to establish that people are who they claim to be. A poorly chosen or misused password is a security risk and may impact upon the confidentiality, integrity or availability of our computers and systems.
Weak and strong passwords
A weak password is one which is easily discovered, or detected, by people who are not supposed to know it. Examples of weak passwords include words picked out of a dictionary, names of children and pets, car registration numbers and simple patterns of letters from a computer keyboard. A strong password is a password that is designed in such a way that it is unlikely to be detected by people who are not supposed to know it, and difficult to work out even with the help of a
Protecting Passwords
It is of utmost importance that the password remains protected at all times. Do not use the same password for systems inside and outside of work.
All user-level passwords must be changed at least every 90 days, or whenever a system prompts you to change it. Default passwords must also be changed immediately. If you become aware, or suspect, that your password has become known to someone else, you must change it immediately and report your concern to IDI Technical Support. Users must not reuse the same password within 20 password changes.
System Administration Standards
The password administration process for individual IDI systems is well-documented and available to designated individuals. All IDI IT systems will be configured to enforce the following:
Authentication of individual users, not groups of users – i.e. no generic accounts.
Protection with regards to the retrieval of passwords and security details.
System access monitoring and logging – at a user level.
Role management so that functions can be performed without sharing passwords.
Password admin processes must be properly controlled, secure and auditable.
User Access Management
Formal user access control procedures must be documented, implemented and kept up to date for each application and information system to ensure authorised user access and to prevent unauthorised access. They must cover all stages of the lifecycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access. These must be agreed by IDI. User access rights must be reviewed at regular intervals to ensure that the appropriate rights are still allocated. System administration accounts must only be provided to users that are required to perform system administration tasks.
A request for access to IDI’s computer systems must first be submitted to the Information Services Helpdesk for approval. Applications for access must only be submitted if approval has been gained from Department Heads. When an employee leaves IDI, their access to computer systems and data must be suspended at the close of business on the employee’s last working day. It is the responsibility of the Department Head to request the suspension of the access rights via the Information Services Helpdesk.
It is a user’s responsibility to prevent their userID and password being used to gain unauthorised access to IDI systems.
Network Access Control
The use of modems on non-IDI owned PCs connected to IDI’s network can seriously compromise the security of the network. The normal operation of the network must not be interfered with.
User Authentication for External Connections
Where remote access to the IDI network is required, an application must be made via IT Helpdesk. Remote access to the network must be secured by two factor authentication.
Supplier’s Remote Access to the Council Network
Partner agencies or 3rd party suppliers must not be given details of how to access IDI’s network without permission. All permissions and access methods must be controlled by IT Helpdesk.
Operating System Access Control
Access to operating systems is controlled by a secure login process.
The access control defined in the User Access Management section and the Password section above must be applied. All access to operating systems is via a unique login id that will be audited and can be traced back to each individual user. The login id must not give any indication of the level of access that it provides to the system (e.g. administration rights). System administrators must have individual administrator accounts that will be logged and audited. The administrator account must not be used by individuals for normal day to day activities.
Application and Information Access
Access within software applications must be restricted using the security features built into the individual product. The IT Helpdesk is responsible for granting access to the information within the system.
If any user is found to have breached this policy, they may be subject to IDI’s disciplinary procedure. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s). If you do not understand the implications of this policy or how it may apply to you, seek advice from IT Helpdesk.
The following table identifies who within [Council Name] is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:
Head of Information Services, Head of Human Resources
Director of Finance etc.
All IDI Employees, All Temporary Staff, All Contractors.
Review and Revision
This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.
All users must use strong passwords.
Passwords must be protected at all times and must be changed at least every 90 days. User access rights must be reviewed at regular intervals. It is a user’s responsibility to prevent their userID and password being used to gain unauthorised access to IDI systems. Partner agencies or 3rd party suppliers must not be given details of how to access the IDI network without permission from IT Helpdesk. Partners or 3rd party suppliers must contact the IT Helpdesk before connecting to the IDI network.