Policy Reference

Category Computer and User Operations
Approval Date 01-29-2010
Scope All Personnel

Purpose

To establish a system for the identification and authentication of users on City computer systems and applications, and to ensure the proper management of the privileges granted to each computer user.


Policy

  1. Procedures for user accounts and passwords will be followed to ensure there are proper controls over the addition and modification of user IDs, credentials, and other identifier objects.
  2. Sharing any User Identification (ID) with any other person is prohibited, except for sharing with ITS when required for system support purposes, or with others when authorized by the applicable Department Director. (*406.4.6)
  3. User IDs will be unique, and authentication in City systems and software will be logged. Log monitoring and review will be provided as necessary.
  4. Requests for User IDs will be preauthorized.
    1. A request for system access, user IDs, and related privileges must be made by a Department Director or Supervisor to ITS.
    2. Access will be requested and provided based upon the most restrictive rights, privileges and access which still allow the employee to perform the assigned tasks.
    3. ITS will ensure that management pre-authorizes the assignment of system privileges for all users and job functions prior to the granting of privileges.
  5. Whenever the feature is available, systems will automatically terminate or lock user access after a maximum of 15 minutes of inactivity, forcing the user to reenter the system and re-authenticate.
  6. ITS will ensure there is segregation of duties between those who develop systems and applications, those who test them, and those who manage them.
  7. Departments must screen all potential personnel (via Human Resources background check) to minimize the risk of attacks from internal sources.
  8. ITS will maintain an overall plan for managing identification, authentication, and access rights.
  9. The City will ensure that the information system enforces the most restrictive set of rights, privileges, and accesses needed for the performance of specified tasks.
  10. Supervisors must ensure that the assignment of privileges is based upon the person's job function responsibilities.
  11. The City will ensure that predefined systems automatically terminate user sessions after a predetermined period of inactivity, forcing the user to reenter the system and re-authenticate.
  12. Procedures to control the addition and modification of user IDs, credentials, and other identifier objects will be followed.
  13. ITS will ensure that user identities are confirmed before a password is reset.
  14. Supervisors must follow procedures to immediately revoke access for expired temporary accounts and for accounts of terminated users. Prior notice of the expiration or termination must be provided when possible; otherwise, notice must be given to ITS within 24 hours of the actual date.
  15. ITS will ensure that inactive accounts are disabled after 90 days.
  16. ITS will provide password policies and procedures to all users.
  17. Unless explicitly authorized by both ITS and the appropriate supervisor, the use of group, shared, or generic accounts and passwords is not permitted.
  18. Systems will require users to change passwords at least every 90 days (a maximum password age of 90 days) unless a system cannot provide this control.
  19. Systems will require a minimum password length of at least eight characters unless a system cannot provide this control.
  20. Passwords must contain both numeric and alphabetic characters unless a system cannot provide this control.
  21. Personnel are not allowed to submit a new password that is the same as any of the previous 4 passwords used, unless a system cannot provide this control.

Compliance

  1. The organization must ensure that access to cardholder data and system components is restricted to individuals whose job requires access, and that access restrictions are based on least privilege and on job classification and duties. Privileges must be requested by management in writing. The organization must use an automated access control system to implement the access controls. The organization must ensure that all access to cardholder data databases by users, administrators, and applications is authenticated. § 7.1(a), § 8.5.16, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance, All other Merchants and all SAQ-Eligible Service Providers, Version 1.2
  2. The user access rights should be examined to ensure user privileges are assigned according to the documented user authorizations and all user access is properly authorized. AC-3.1, AC-3.3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008
  3. The organization must ensure it has developed a password and user authentication management program that controls the addition, modification, and deletion of user IDs, credentials, and other identifier objects. § 7.1.4, § 8.5.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance, All other Merchants and all SAQ-Eligible Service Providers, Version 1.2
  4. The organization must ensure all users are identified by a unique userID and that each user is authenticated by either a password or two-factor authentication method. § 8 thru § 8.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2
  5. PCs, servers, and databases with payment application software should use unique user IDs and complex passwords to authenticate users. § 3.1.a, § 3.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1
  6. Unique IDs should be used to allow actions to be linked to individuals. Group IDs should be permitted only when necessary for business reasons. § 11.2.1, § 11.5.2, § 11.5.3, ISO/IEC 27002-2005 Code of practice for information security management
  7. The organization must ensure it has developed a password and user authentication management program that requires users change their passwords at least every 90 days. § 8.5.9, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2
  8. The organization must ensure it has developed a password and user authentication management program that requires users to use a password with a minimum of 7 characters. § 8.5.10, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2
  9. The longer the password, the harder it is for an intruder to guess or crack it. However, long passwords are also more difficult for users to remember. For Specialized Security - Limited Functionality systems, the password length should be set to 12. For all other Windows XP environments, this setting should be set to 8. § 6.1, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1
  10. The organization must ensure it has developed a password and user authentication management program that requires both numeric and alphabetic characters to be used for passwords. § 8.5.11, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2
  11. The organization must ensure it has developed a password and user authentication management program that requires a user to use a password that he/she has not used within the last 4 password changes. § 8.5.12, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2
  12. When changing passwords, users should not be allowed to recycle through old passwords. § 11.3.1, § 11.5.3, ISO 17799:2005 Code of Practice for Information Security Management
  13. The organization must ensure it has developed a password and user authentication management program that requires a user to reenter his/her password if the session has been idle for more than 15 minutes. § 8.5.15, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2
  14. The information security policy should include requirements for all users to either lock or log off the system when they leave their terminals unattended. SM1.2.6(b), CB3.2.2(d), CB3.3.3(e), CI2.3.1(c), CI2.3.4(c), CI2.4.3(e), CI4.4.2(d), UE2.2.2(c), UE4.1.2(d), The Standard of Good Practice for Information Security