Access Control Proposal - Integrated Distributors Incorporated

Proposal Statement

Integrated Distributors Incorporated (IDI) will establish specific requirements for protecting information and information systems against unauthorised access. IDI will effectively communicate the need for information and information system access control.

Purpose

Information security is the protection of information against accidental or malicious disclosure, modification or destruction. Information is an important, valuable asset of IDI which must be managed with care. All information has a value to IDI. However, not all of this information has an equal value or requires the same level of protection.

Access controls are put in place to protect information by controlling who has the rights to use different information resources and by guarding against unauthorised use. Formal procedures must control how access to information is granted and how such access is changed. This policy also mandates a standard for the creation of strong passwords, their protection and frequency of change.

Scope

This policy applies to all IDI Stakeholders, Committees, Departments, Partners, Employees of IDI (including system support staff with access to privileged administrative passwords), contractual third parties and agents of the Council with any form of access to IDI’s information and information systems.

Get quality help now
Bella Hamilton
Bella Hamilton
checked Verified writer

Proficient in: Computer security

star star star star 5 (234)

“ Very organized ,I enjoyed and Loved every bit of our professional interaction ”

avatar avatar avatar
+84 relevant experts are online
Hire writer

Definition

Access control rules and procedures are required to regulate who can access IDI information resources or systems and the associated access privileges. This policy applies at all times and should be adhered to whenever accessing IDI information in any format, and on any device.

Risks

On occasion business information may be disclosed or accessed prematurely, accidentally or unlawfully. Individuals or companies, without the correct authorisation and clearance may intentionally or accidentally gain unauthorised access to business information which may adversely affect day to day business.

Get to Know The Price Estimate For Your Paper
Topic
Number of pages
Email Invalid email

By clicking “Check Writers’ Offers”, you agree to our terms of service and privacy policy. We’ll occasionally send you promo and account related email

"You must agree to out terms of services and privacy policy"
Write my paper

You won’t be charged yet!

This policy is intended to mitigate that risk. Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers.

Applying the Policy – Passwords / Choosing Passwords

Passwords are the first line of defence for our ICT systems and together with the user ID help to establish that people are who they claim to be. A poorly chosen or misused password is a security risk and may impact upon the confidentiality, integrity or availability of our computers and systems.

Weak and strong passwords

A weak password is one which is easily discovered, or detected, by people who are not supposed to know it. Examples of weak passwords include words picked out of a dictionary, names of children and pets, car registration numbers and simple patterns of letters from a computer keyboard. A strong password is a password that is designed in such a way that it is unlikely to be detected by people who are not supposed to know it, and difficult to work out even with the help of a Protecting Passwords

It is of utmost importance that the password remains protected at all times. Do not use the same password for systems inside and outside of work.

Changing Passwords

All user-level passwords must be changed at a maximum of every 90 days, or whenever a system prompts you to change it. Default passwords must also be changed immediately. If you become aware, or suspect, that your password has become known to someone else, you must change it immediately and report your concern to IDI Technical Support. Users must not reuse the same password within 20 password changes.

System Administration Standards

The password administration process for individual IDI systems is well-documented and available to designated individuals. All IDI IT systems will be configured to enforce the following: Authentication of individual users, not groups of users - i.e. no generic accounts. Protection with regards to the retrieval of passwords and security details. System access monitoring and logging - at a user level.

Role management so that functions can be performed without sharing passwords. Password admin processes must be properly controlled, secure and auditable.

User Access Management

Formal user access control procedures must be documented, implemented and kept up to date for each application and information system to ensure authorised user access and to prevent unauthorised access. They must cover all stages of the lifecycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access. These must be agreed by IDI. User access rights must be reviewed at regular intervals to ensure that the appropriate rights are still allocated. System administration accounts must only be provided to users that are required to perform system administration tasks.

User Registration

A request for access to IDI’s computer systems must first be submitted to the Information Services Helpdesk for approval. Applications for access must only be submitted if approval has been gained from Department Heads. When an employee leaves IDI, their access to computer systems and data must be suspended at the close of business on the employee’s last working day. It is the responsibility of the Department Head to request the suspension of the access rights via the Information Services Helpdesk.

User Responsibilities

It is a user’s responsibility to prevent their userID and password being used to gain unauthorised access to IDI systems.

Network Access Control

The use of modems on non- IDI owned PC’s connected to the IDI’s network can seriously compromise the security of the network. The normal operation of the network must not be interfered with.

User Authentication for External Connections

Where remote access to the IDI network is required, an application must be made via IT Helpdesk. Remote access to the network must be secured by two factor authentication. Supplier’s Remote Access to the Council Network Partner agencies or 3rd party suppliers must not be given details of how to access IDI ’s network without permission. All permissions and access methods must be controlled by IT Helpdesk. Operating System Access Control Access to operating systems is controlled by a secure login process.

The access control defined in the User Access Management section and the Password section above must be applied. All access to operating systems is via a unique login id that will be audited and can be traced back to each individual user. The login id must not give any indication of the level of access that it provides to the system (e.g. administration rights). System administrators must have individual administrator accounts that will be logged and audited. The administrator account must not be used by individuals for normal day to day activities.

Application and Information Access

Access within software applications must be restricted using the security features built into the individual product. The IT Helpdesk is responsible for granting access to the information within the system.

Policy Compliance

If any user is found to have breached this policy, they may be subject to IDI’s disciplinary procedure. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s). If you do not understand the implications of this policy or how it may apply to you, seek advice from IT Helpdesk.

Policy Governance

The following table identifies who within [Council Name] is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

  • Responsible
  • Head of Information Services, Head of Human Resources
  • Accountable
  • Director of Finance etc.
  • Consulted
  • Policy Department
  • Informed
  • All IDI Employees, All Temporary Staff, All Contractors.

Review and Revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

Key Messages

All users must use strong passwords.
Passwords must be protected at all times and must be changed at least every 90 days. User access rights must be reviewed at regular intervals. It is a user’s responsibility to prevent their userID and password being used to gain unauthorised access to IDI systems. Partner agencies or 3rd party suppliers must not be given details of how to access the IDI network without permission from IT Helpdesk. Partners or 3rd party suppliers must contact the IT Helpdesk before connecting to the IDI network.

Updated: Jul 07, 2022
Cite this page

Access Control Proposal - Integrated Distributors Incorporated. (2016, Aug 17). Retrieved from https://studymoose.com/access-control-proposal-integrated-distributors-incorporated-essay

Access Control Proposal - Integrated Distributors Incorporated essay
Live chat  with support 24/7

👋 Hi! I’m your smart assistant Amy!

Don’t know where to start? Type your requirements and I’ll connect you to an academic expert within 3 minutes.

get help with your assignment