GDPR Draft: Data Access Control and Password Policy

Transcription

1 wea.org.uk GDPR Draft: Data Access Control and Password Policy Version Number Date of Issue Department Owner /01/2018 ICT Mark Latham-Hall Version 1.2 last updated 27/04/2018 Page 1

2 Contents GDPR Draft: Data Access Control and Password Policy Purpose Scope Related Guidance Detailed Procedures/Policies and Responsibilities Business Requirement for Access Control Internet Interface Access Control Policy User Access Management User Responsibilities Network Access Control Operating System Access Control Application Access Control Monitoring System Access and Use Mobile Computing and Teleworking Training Requirements Review Period Contact Information Revision History Appendix A: Password Use and Management Version 1.2 last updated 27/04/2018 Page 2

3 1. Purpose To control access to information to authorised personnel only and ensure that access is granted based on business requirements. 2. Scope The Policy applies to The Workers Educational Association, being a Charity registered in England and Wales (Charity number ) and in Scotland (Charity number SC039239) and a company limited by guarantee registered in England and Wales, number It applies to all data held by the WEA in any form. The Policy applies equally to: The WEA in England The WEA in Scotland WEA Branches Members of staff, tutors, students, volunteers and members in so far as they are in possession of any WEA data The WEA Board of Trustees has ultimate responsibility for the strategic direction of the WEA and ensuring that the organisation complies with legislation. This responsibility will be exercised holding the WEA s Senior Management Team to account for the practical implementation of the requirements of this policy across the Association. The policy objective defined within this policy is based on those found within ISO 27001:2013 Information Security Management System. The access to information shall be managed based on business requirements and using the following strategies: Access Control Policy - Access to systems shall be granted based on an analysis of business requirements and on a need to know basis; Ongoing Access Management - Access shall be managed in order that access privileges correspond with users' changing requirements; Network Access Controls shall be deployed to ensure that information is not subject to unacceptable risks due to insecure network connections (e.g. connection of unauthorised modems); Operating System Access Controls shall be implemented to ensure that only authorised users can log onto the system and that their levels of access are appropriate to their requirements; Application Access Control - Where appropriate, access controls shall be deployed within applications to further reduce access to sensitive information; System Monitoring - System access may be monitored to provide an audit trail traceable to individual users and that evidence gained is legally admissible; Version 1.2 last updated 27/04/2018 Page 3

4 Mobile Computing and Teleworking/Home Computing shall be subject to specific guidelines to ensure that sensitive information is afforded appropriate levels of protection regardless of site location. 3. Related Guidance Personal IS Policy Active Directory Accounts Security Management Mobile Devices Security Using two-factor authentication for external accesses Access to WEA Information Systems by non-employees 4. Detailed Procedures/Policies and Responsibilities 4.1 Business Requirement for Access Control Access to systems holding business information shall be granted based on current business requirements. Business managers shall be responsible for ensuring that access control requirements are clearly defined and documented in respect of: Access rights assigned to individuals; Access rights assigned to job positions. Access rights shall be reviewed on an annual basis by the ICT Department or in the event of an organisational change that might render the accounts redundant. 4.2 Internet Interface Access Control Policy User Access for all systems shall be managed by ICT Department on behalf of all WEA users. To prevent uncontrolled modifications that might result in the compromise of systems, business operations or WEA reputation, access to the following systems shall be specifically controlled: Intranet The Intranet is designed to provide information to WEA employees. There shall be no direct external access to the Intranet; Internal access to the Intranet shall be read only access except for topics requiring interactive response; Only authorised personnel shall be assigned write access for system development, maintenance and content editing. All such access shall be logged; No individual shall be given access to the Intranet until they have indicated their acceptance of the terms and conditions of this policy by either signing the Version 1.2 last updated 27/04/2018 Page 4

5 /Internet Usage form (supplied with the Lifestyle Device Security leaflet) or completing the relevant online system module; All maintenance activity on the Intranet server shall be logged and the logs duly monitored by the IT Manager, or his designated representative Internet Services The Internet facing services may be accessed by the public via a firewall and the Internet. To provide protection from the risks associated with public access, the system design shall be such that access to WEA network and other systems shall not be possible through the Internet server. Public read only access shall be provided to the Internet server; Write access shall be permitted only to ICT personnel with a business need to access the system e.g. for maintenance, development and content editing. All such access rights shall be controlled and documented; All write access activities shall be logged; All user activity on the Internet server shall be logged and the logs monitored for inappropriate usage by the Infrastructure Manager, or his designated representative. 4.3 User Access Management The management of access rights to WEA systems shall ensure that only authorised users have access to information systems, and that the permitted access is appropriate to current business requirements. Access management procedures shall include the following controls: User Registration The registration and access rights of system users shall be managed in accordance with the following criteria: User IDs shall be unique to individual users; Group IDs shall not be permitted; Users shall have formal authorisation from the system owner, and from management where appropriate, detailing the access rights required for the use of the information system or service; The level of access granted shall be appropriate to the business requirements and shall not compromise information security policy on segregation of duties; Access shall not be provided until authorisation procedures have been completed; A formal record shall be maintained of all persons registered to use the service together with details of the access rights granted; Business managers shall be responsible for notifying system owners of users who have changed jobs or left the organisation. The access rights of such individuals shall be rescinded immediately; Version 1.2 last updated 27/04/2018 Page 5

6 User ID records shall be periodically reviewed with redundant user IDs and accounts removed; Redundant user IDs shall not be issued to other users if they are person based, however if they are post based then they could be re-issued Privilege Management Inappropriate use of system privileges is often found to be a major contributory factor to breaches of system security. To address this concern, the allocation of privileges shall be managed through a formal authorisation process as follows: All privileges shall be defined by the system owner and allocated on a specific basis for a defined timescale. At the end of this timescale the need for privileged access shall be reviewed; Privileges shall be allocated on a need to know basis. Where privilege based activities are not a primary function of the (privileged) user, privileges shall be allocated on a specific, event basis; A Privileged Access register shall be maintained by system owners to include the ID of an individual allocated privileges and the level of access rights granted; The allocation of privileges shall be kept to a minimum; Privileged users shall be assigned different user IDs from those used for normal business use. The activity of privileged ID accounts shall be logged User Password Management Passwords are a means of validating a user s identity and shall be managed in accordance with the criteria outlined in Appendix A Review of Access Rights Access rights shall be reviewed on a regular basis in order that they remain appropriate to business requirements. Access rights shall be subject to continual review with a formal review by the systems owners on an annual basis; Privileged Access rights shall be reviewed on a 6-monthly basis by the Infrastructure Manager; All such reviews shall be logged and recorded in the respective registers by the Infrastructure Manager, or his designated representative. 4.4 User Responsibilities It shall be the responsibility of all system users to take appropriate precautions to prevent unauthorised access, whether deliberate or accidental, to WEA systems. Users shall be responsible for implementing effective passwords in accordance with the criteria detailed below. Password quality shall be system enforced; Users shall be responsible for ensuring that unattended equipment does not compromise security. Version 1.2 last updated 27/04/2018 Page 6

7 4.4.1 Password Use Users shall be required to create, manage and use their passwords in accordance with Appendix A as well as the extensive guidance provided in the Acceptable Use Policy and the Information Security Guide. Actual or potential security breaches caused by failure to follow password policy may render the individual concerned liable for disciplinary action Unattended User Equipment Whenever WEA equipment is left unattended, users shall ensure that the equipment has appropriate levels of protection to prevent unauthorised access to information or information systems. A password protected screen saver shall be activated if a machine is to be left logged on and unattended; Password protected screen savers shall be set to automatically activate after a maximum period of 20 minutes of inactivity. Actual or potential security breaches caused by failure to follow password policy may render the individual concerned liable for disciplinary action. 4.5 Network Access Control Appropriate measures shall be taken to ensure that both internal and external network services are protected from unauthorised access and use. The following controls shall be implemented where appropriate: Enforced paths shall be implemented to prevent network traffic accessing unauthorised or sensitive areas; All external connections shall be subject to user authentication; Remote Diagnostic Ports shall be subject to rigorous control and shall only be enabled on the direct authority of the ICT Operations Manager; Where justified by risk analysis, highly sensitive areas of the network shall be segregated from normal network traffic by appropriate network controls; Network Routing Controls shall be deployed to ensure that only authorised access can be gained to sensitive systems; The specification and design of these controls shall be restricted to authorised ICT personnel only. 4.6 Operating System Access Control Appropriate controls shall be implemented at operating system level to prevent unauthorised access to sensitive systems, including the measures below. Version 1.2 last updated 27/04/2018 Page 7

8 4.6.1 Terminal Log on Procedures Access to information services shall be attainable only via a secure log-on process designed to minimize the opportunity for unauthorised access. The specification and design of the process shall be restricted to authorised ICT personnel only. In general terms: An initial notice shall be displayed warning that the system may only be accessed by authorised users; System or application identifiers shall not be displayed until the log-on process has been successfully completed; Help messages that could aid an unauthorised user shall not be displayed during the log-on procedure User Identification and Authentication All users of any system shall be assigned a unique user ID for their personal and sole use. Passwords or other unique identifiers shall be used to authenticate the claimed identity of a user. All activities shall be traceable to a specific individual. Shared user IDs for specific groups of users shall not be permitted, except under extreme circumstances Password Management System Password management shall be affected by an interactive facility that will ensure the creation of quality passwords to control access to information systems. The password management system shall be set to enforce the rules detailed in Appendix A: Password Use and Management Use of System Utilities System utilities and tools can be capable of over-riding both system and application level security controls and their use shall be strictly controlled in accordance with the following criteria: System utilities and tools shall only be available to authorised users and only after users have undertaken appropriate training, to ensure the safe use of the utility; The use of system utilities shall be limited to the minimum practical number of trained, authorised users; The ID and authorisation level for authorised user of system utilities shall be recorded and retained with the respective system documentation; System utilities and tools shall be removed from systems where their use is not explicitly required for normal operations; Version 1.2 last updated 27/04/2018 Page 8

9 Individuals using system utilities and tools shall be responsible for taking appropriate precautions to protect the security of the system and any information within the system Terminal time out Sensitive systems and terminals in high risk locations, e.g. public or external areas shall incorporate a time-out facility which will clear the terminal screen and close both application and network sessions after a defined period of inactivity. Individual Services will be expected to identify which of their systems and terminals are classed as sensitive Limitation of Connection Time Limiting the period during which terminal connections are allowed for sensitive computer operations reduces the window of opportunity for unauthorised access. Where justified by business requirements and the sensitivity of information, the following controls may be established: Predetermined time slots may be used for batch file transmissions; Regular interactive sessions may be restricted to short durations; Connection times may be restricted to normal office hours, where there is no requirement for out-of-hours operation. 4.7 Application Access Control Appropriate logical or physical measures shall be deployed to restrict access at application level to authorised users Information Access Restriction Applications containing or processing sensitive information shall be designed to minimize the risk of unauthorised access. Where justified by business requirements and the sensitivity of the system, appropriate access control measures shall be incorporated in the application and may include: Deploying "Menu" access screens to application functions and information corresponding to the access rights of the user; Restricting the content of user documentation to those functions for which users are authorised; Controlling the read, write, delete and execute rights of users; Ensuring that output from applications processing sensitive information is directed only to authorised terminals and locations and contains only information that is relevant to the business use of the output Sensitive System Isolation For highly sensitive applications where security breaches may result in an unacceptable impact and where justified by risk analysis, specific security measures Version 1.2 last updated 27/04/2018 Page 9

10 shall be deployed to prevent unauthorised access to the application and information contained within it, particularly: The sensitivity or security classification of such applications shall be explicitly identified and documented by the application owner; In circumstances where a sensitive application is to run in a shared environment, the network controls and the application systems with which it will share resources shall be identified and agreed with the owner of the sensitive application. 4.8 Monitoring System Access and Use Access to, and use of, systems shall be monitored in order that any deviation from the access control policy can be identified. Also, WEA may want to verify/monitor when a user is logged in (legitimately) or for other purposes (e.g. investigating use or abuse of flexi time) Event logging System audit logs recording exceptions and other security-relevant events shall be maintained and retained for an agreed period if they may be required in future investigations. Audit logs shall record: User IDs; Dates and times for log-on and log-off; Terminal identity or location; Records of successful and rejected system access attempts. Exception reports shall be generated and reviewed on a regular basis, in line with ITIL recommendations, by the Infrastructure Manager or his designated representative. To facilitate the monitoring of significant security events, a process for automatically copying predefined exception message types to a second log, or file interrogation utility, may be implemented Monitoring System Use Where justified by risk analysis, systems processing sensitive information shall be monitored to ensure that users are performing only those activities for which they have been explicitly authorised. Audit logs shall record: (i) Authorised access including details of: User ID; Date and time of key events; Type of events; Files accessed; Program/utilities used. (ii) All privileged operations, including: Version 1.2 last updated 27/04/2018 Page 10

11 Use of supervisor or administrator account; System start-up and stop; I/O device attachment/detachment. (iii) Unauthorised access attempts, such as: Failed attempts; Access policy violations and notifications for network gateways and firewalls; Alerts from proprietary intrusion detection systems. (iv) System alerts or failures such as: Console alerts or messages; System log exceptions; Network management alarms Clock Synchronisation The correct setting of computer clocks is important to ensure the accuracy of audit logs. Computers and communications devices shall be set to local time and procedures implemented to check for and correct any significant variation in time. 4.9 Mobile Computing and Teleworking Procedures shall ensure that mobile computers and Teleworking facilities provide at least the minimum levels of protection required for sensitive data. When working in an unprotected environment, users must take care to ensure that sensitive information is not compromised. Mobile computing guidelines have been produced in the form of the Acceptable Use Policy and the Bring Your Own Device Policy. All relevant users should ensure that they are familiar with these guidelines. Home working, working from project sites and working while mobile is becoming ever more prevalent and provides considerable opportunities for increased flexibility and improved customer service. However, although portable equipment is very convenient, it is more vulnerable to security threats than office based equipment. Specific precautions shall be deployed to reduce the risk of compromise and all users of WEA assets off site shall be required to comply with the measures detailed below Portable Equipment Portable equipment covered by this policy includes: Portable computers; Laptops/Palmtops; Notebooks; Electronic Organisers/Personal Data Assistants; Mobile phones with data access; Pagers; Projectors and display equipment. Version 1.2 last updated 27/04/2018 Page 11

12 4.9.2 General Guidelines All users of portable equipment shall take the following precautions. Portable devices shall not be left unattended, especially when switched on; When operating portable equipment, care should be exercised to ensure that sensitive information cannot be overseen. Care should also be taken when discussing sensitive issues in public places eavesdropping; Information held on portable equipment shall be backed up as soon as is practicably possible; Sensitive information held on portable devices shall be encrypted; Access control shall be deployed on devices holding or processing sensitive information Remote Working Policy Teleworking occurs when an employee works from home, or at a location remote from WEA base, using IT and communication equipment to help perform their job. The following guidelines shall be implemented in respect of teleworking operations: Sensitive data shall be afforded an equivalent level of security that it would attract in the normal working environment; Appropriate levels of security shall be applied with respect to communications; Sensitive information shall not be stored in unencrypted form on equipment to which non-authorised individuals (e.g. family) may have access; All information shall be backed up in accordance with WEA policy; WEA shall retain audit rights over all equipment on which business information is processed, regardless of the ownership; Up to date Anti-Virus facilities shall be installed and maintained on all equipment on which business information is processed, regardless of the ownership; All individuals undertaking teleworking shall be required to formally signify compliance with WEA Teleworking Policy; A register of all individuals with teleworking facilities shall be maintained by Departmental Managers. 5. Training Requirements All new members of staff will receive training as part of the corporate Induction. Other, more specific, information will be supplied to individuals as and when it is needed. The on-line IS training system will be available to assist with users awareness and continual security awareness. 6. Review Period The procedure will be reviewed on an annual basis. However, Privileged Access rights will be reviewed on a 6-monthly basis. Version 1.2 last updated 27/04/2018 Page 12

13 7. Contact Information HR may be contacted on: Tel: Address: 10B, Josephs Well, Hanover Walk, Leeds, LS3 1AB 8. Revision History Version Number Date of Change Description of Change /04/2018 Formatting draft policy Version 1.2 last updated 27/04/2018 Page 13

14 Appendix A: Password Use and Management User Password Management All personal passwords shall be kept confidential; When access is initially required for a system, users shall be issued with a temporary, single use password that requires immediate change to a personal form; Temporary passwords shall only be supplied following positive identification of the user; Temporary passwords shall be issued to users in a secure manner. The telephone may be used provided clear identification of the recipient has been made; Users shall formally acknowledge receipt of a temporary password; Passwords shall not be stored on a computer in unprotected form. Password Use Passwords shall be kept confidential; Passwords shall not be recorded on paper, unless they can be stored securely; Passwords shall be changed whenever there is any indication of possible system or password compromise; Quality passwords shall be created having a minimum length of eight characters which are: o Easy to remember; o Not based on anything which could be easily guessed or obtained using person-related information, e.g. names, telephone numbers, dates of birth, etc.; o Free of consecutive identical characters or all-numeric or all-alphabetical groups; Passwords shall be changed at regular intervals or on the basis of the number of accesses to the system; Re-use or cycling previously used passwords shall not be permitted; Temporary passwords shall be changed at the first log-on; An automated log-on process using a macro or function key shall not be permitted; Passwords shall be unique to the user and not be shared. Password Management System The use of individual passwords shall be enforced; The system shall enforce quality passwords as defined in Section 7 of IS Policy and described in the Active Directory accounts security management; The system shall provide users with the facility to change and select their own passwords in accordance with these rules and check for input errors; Password changes shall be enforced at regular intervals defined by the system owner; Previous used passwords shall not be re-used; Passwords shall not be displayed in readable form whilst being entered; Version 1.2 last updated 27/04/2018 Page 14

15 Single use and immediate change of temporary passwords shall be enforced; Password files shall be stored in encrypted form remote from application system data; Default passwords shall be changed after the installation of software or system updates. Version 1.2 last updated 27/04/2018 Page 15