Last Revised October 1, 2020
Best Practice Logical & User Access Security Baseline Recommendations
IronOrbit security teams operate 24/7/365 to protect the networks from unauthorized access. Their primary strategy is to restrict access to the internal networks and systems from malicious users, malware and viruses, and from hostile networks and IP addresses.
The CLIENT has a major role in securing, protecting, and maintaining their environment through logical, role-based, and user access controls.
By neutralizing security threats at the network level, clients prevent unauthorized users from reaching their data and the more sensitive areas of their infrastructure.
The Following are Recommended Baseline Access Controls:
- Unique Users: All users must have a unique user name before being allowed access to any system components. Group, shared or generic accounts and passwords are not permitted. All activities are to be associated with an individual.
- User Maintenance:
- All changes to a user’s access will be completed promptly when their role changes.
- A terminated user’s access will be revoked immediately.
- Any user account inactive for more than 90 days will be removed.
- User lists and access rights shall be reviewed quarterly for any needed changes.
- All changes (addition, deletion and modification) to user IDs and their associated access must be approved by the Information Security Officer.
- Change requests to IronOrbit should come only from specified authorized sources.
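The user-maintenance rules above are easy to state and easy to let slip, so the quarterly review is best driven by a script rather than by eye. The following is an added example, not IronOrbit's or any client's tooling: it reads a directory export in a constructed CSV layout (the column names, the sample users and the review date are all assumptions made for the example) and reports every account that breaks a rule. Inactivity is counted from the last logon, or from account creation for accounts that have never been used, so a stale never-used account is caught as well.

```python
import csv
from datetime import date, datetime
from io import StringIO

INACTIVE_DAYS = 90            # policy: inactive accounts over 90 days are removed
REVIEW_DATE = date(2020, 10, 1)  # assumed review date for the sample run

# Constructed sample export (not real data). A directory export would carry
# similar columns; adapt load_users() to the real column names.
SAMPLE_EXPORT = """username,enabled,terminated,shared,created,last_logon
alice,true,false,false,2019-03-01,2020-09-28
bob,true,true,false,2018-07-15,2020-08-01
carol,true,false,false,2019-01-10,2020-05-20
dave,true,false,false,2020-09-21,
erin,true,false,false,2020-06-01,
svc_helpdesk,true,false,true,2017-11-02,2020-09-30
frank,false,false,false,2016-02-02,2020-01-01
"""


def _parse_date(text):
    """ISO date string -> date, or None when the field is empty (never logged on)."""
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def load_users(text):
    """Parse the CSV export into plain dicts with typed fields."""
    users = []
    for row in csv.DictReader(StringIO(text)):
        users.append({
            "username": row["username"],
            "enabled": row["enabled"].lower() == "true",
            "terminated": row["terminated"].lower() == "true",
            "shared": row["shared"].lower() == "true",
            "created": _parse_date(row["created"]),
            "last_logon": _parse_date(row["last_logon"]),
        })
    return users


def review_accounts(users, today):
    """Return (username, finding) pairs for accounts that violate the baseline."""
    findings = []
    for u in users:
        name = u["username"]
        if u["shared"]:
            # Unique-user rule: group/shared/generic accounts are not permitted.
            findings.append((name, "shared or generic account is not permitted"))
        if not u["enabled"]:
            continue  # already disabled; nothing further to revoke
        if u["terminated"]:
            findings.append((name, "terminated user still enabled: revoke access immediately"))
            continue
        # Inactivity runs from the last logon, or from creation if never used.
        last_activity = u["last_logon"] or u["created"]
        idle_days = (today - last_activity).days
        if idle_days > INACTIVE_DAYS:
            findings.append((name, f"inactive {idle_days} days (> {INACTIVE_DAYS}): remove account"))
    return findings


def run_sample_review():
    """Run the review over the constructed export at the assumed review date."""
    return review_accounts(load_users(SAMPLE_EXPORT), REVIEW_DATE)


if __name__ == "__main__":
    for username, why in run_sample_review():
        print(f"{username}: {why}")
```

On the sample data the run flags bob (terminated but still enabled), carol and erin (idle longer than 90 days, erin having never logged on since creation), and svc_helpdesk (a shared account); alice, dave and the already-disabled frank produce no findings. The output is the worklist the Information Security Officer signs off on under the approval rule above.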
- Password Complexity:
- Each user is required to use a complex password.
- Every first-time user must be assigned a unique initial password that must be changed on first use.
- All passwords must be at least 8 characters long and contain upper-case and lower-case letters, digits, and special characters.
- All passwords must be changed at least every 90 days.
- A changed password must differ from the user’s previous 6 passwords.
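The complexity and history rules above are what a password-change handler has to enforce. The following is an added example, not code from IronOrbit: it checks a candidate password against the length and character-class rules and against the user's previous password hashes. Previous passwords are kept only as salted PBKDF2-HMAC-SHA256 hashes (the 200,000-round count is an assumed parameter), so the history check recomputes the hash with each stored salt rather than comparing plain text. The sample password history is constructed for the example.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8        # policy: minimum length
HISTORY_DEPTH = 6     # policy: must differ from the last 6 passwords
PBKDF2_ROUNDS = 200_000  # assumed work factor, not from the page


def complexity_failures(password):
    """Return a list of rule violations; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; returns (salt, digest). A fresh salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused(password, history):
    """True if the password matches any of the last HISTORY_DEPTH stored hashes."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        # constant-time comparison so timing does not leak a partial match
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_new_password(password, history):
    """All problems with a proposed new password, given the user's hash history (oldest first)."""
    problems = complexity_failures(password)
    if reused(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def accept_new_password(password, history):
    """Apply the policy; on success append the new hash to the history and return True."""
    if check_new_password(password, history):
        return False
    history.append(hash_password(password))
    return True


if __name__ == "__main__":
    # Constructed history of seven earlier passwords, oldest first.
    earlier = ["Oldest#1pw", "Second#2pw", "Third#3pw", "Fourth#4pw",
               "Fifth#5pw", "Sixth#6pw", "Seventh#7pw"]
    history = [hash_password(p) for p in earlier]
    for candidate in ["password", "Seventh#7pw", "Oldest#1pw", "Fresh!Pass9"]:
        print(candidate, "->", check_new_password(candidate, history) or "accepted")
```

Note the boundary the history rule creates: with seven stored hashes, "Oldest#1pw" is outside the last six and is accepted again, while "Seventh#7pw" is rejected. The 90-day rotation and the forced change on first use are enforced by the account's password-age metadata, not by this check.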
- Password Sharing, Transmitting, and Storage:
- Passwords are not to be shared for any reason.
- Transmitting or storing passwords should be avoided wherever possible; where it is unavoidable, passwords must be protected with strong cryptography in transit and at rest on all system components (stored passwords as salted hashes rather than in plain text).
- Role-Based Access Control: Restrict each individual's access to what their job function requires, with no unnecessary access to sensitive areas. Use a default-deny approach: deny all, then explicitly permit only what is needed.
- Two-factor Authentication will be maintained for any and all remote access.
- Logic Controls:
- Repeated access attempts will be limited by locking a user ID after no more than 6 consecutive failed attempts. The lockout will remain in effect for 30 minutes.
- User sessions, especially remote-access sessions, that are idle for more than 15 minutes will require the user to re-authenticate.
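The lockout and idle-timeout rules above are a small state machine, and the details that matter (what resets the counter, what happens to attempts made during a lockout, when the lockout expires) are exactly what a policy statement leaves open. The following is an added example, not IronOrbit's implementation, showing one reasonable reading: the failure counter resets on a successful logon, any attempt during a lockout is rejected even if the password is correct and does not extend the lockout, and the lockout clears itself once 30 minutes have passed. The event sequence is constructed for the example.

```python
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 6            # policy: lock after no more than 6 failed attempts
LOCKOUT_DURATION = timedelta(minutes=30)  # policy: lockout lasts 30 minutes
IDLE_TIMEOUT = timedelta(minutes=15)      # policy: idle sessions re-authenticate


class AccountLockout:
    """Tracks consecutive failures per user and enforces the lockout window."""

    def __init__(self):
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> time the lockout expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: clear it and start the counter fresh.
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user, credentials_valid, now):
        """Record one logon attempt; returns 'ok', 'denied' or 'locked'."""
        if self.is_locked(user, now):
            # Assumption: attempts during a lockout are rejected outright and do
            # not extend it, so an attacker cannot keep a victim locked out forever.
            return "locked"
        if credentials_valid:
            self.failures[user] = 0
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_DURATION
            return "locked"
        return "denied"


def session_needs_reauth(last_activity, now):
    """True once a session has been idle longer than the 15-minute limit."""
    return now - last_activity > IDLE_TIMEOUT


# Constructed event log: (user, credentials_valid, minutes after 09:00).
START = datetime(2020, 10, 1, 9, 0)
SAMPLE_EVENTS = [
    ("jdoe", False, 0), ("jdoe", False, 1), ("jdoe", False, 2),
    ("jdoe", False, 3), ("jdoe", False, 4),
    ("jdoe", False, 5),    # sixth failure: account locks until 09:35
    ("jdoe", True, 10),    # correct password, but still inside the lockout
    ("jdoe", True, 35),    # lockout expired: succeeds and resets the counter
    ("jdoe", False, 36),   # one new failure after the reset
]


def replay(events):
    """Run the events through a fresh tracker and return the outcome of each."""
    tracker = AccountLockout()
    return [tracker.attempt(user, ok, START + timedelta(minutes=m)) for user, ok, m in events]


if __name__ == "__main__":
    for (user, ok, m), outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{(START + timedelta(minutes=m)).time()} {user} valid={ok} -> {outcome}")
```

The seventh event is the one to look at: a correct password presented at 09:10 is still refused, which is the behaviour that makes the lockout effective against a guessing attack that happens to hit the right value. Because the check is "now >= until" rather than a background unlock job, the window expires exactly 30 minutes after the locking attempt regardless of traffic in between.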
- Vendor Access: Any accounts created for vendor use to provide remote support will only be enabled for the mutually agreed upon time for service and then disabled afterwards.