Entities Affected By This Policy
The Client, and Client Business, and all personnel
- Responsible Executives: Client CEO
- Responsible Department: Information Technologies and Services
- Dates: Issued: Interim, Jan 1st, 2018. Final Issuance: December 31st, 2017
- Contact: Information Technologies and Services
Reason for Policy
State and federal regulations, as well as general best practices, shape the security and privacy protections that must be afforded to data classified as “Confidential”. This policy addresses regulatory and best practice requirements to ensure proper authentication and authorization to Confidential data.
Information systems or applications that create, receive, store, or transmit Confidential data (hereafter “Confidential Systems” – see Data Classification policy) must, without exclusion, adhere to the following:
- Managers and administrators of Confidential systems are responsible for ensuring access to those systems is based on work function and is controlled using the minimum necessary standard. Documented procedures for ensuring appropriate access to Confidential Systems must include:
  - Authorization methods (e.g. using a CWID), including manner and type of authorized administrative access
  - Authentication methods (e.g. requiring passwords), including manner and type of authentication
  - Methods for evaluating access to Confidential systems based on the need to fulfil an appropriate business purpose
  - Documentation of each workforce member’s and vendor’s access rights to Confidential systems
  - Acknowledgement forms, signed by the appropriate supervisors, which document that they have knowingly and willingly authorized access rights to Confidential systems to appropriate workforce members and vendors
  - Acknowledgement forms, signed by the appropriate workforce members and vendors, which document that all appropriate parties are aware of their authorized access rights to Confidential systems
  - A formal process for annually reviewing and revising workforce member and vendor access to Confidential systems
  - A formal process for the timely termination of workforce member and vendor access to Confidential systems whenever appropriate (e.g. immediately upon end of employment)
  - A formal process for the timely change of workforce member and vendor access to Confidential systems whenever appropriate (e.g. after a change in role or position)
  - A formal process for regularly assessing the effectiveness of access controls to Confidential systems
  - A formal process for providing, and subsequently removing, electronic access to Confidential systems to appropriate workforce members and vendors during an emergency
- All electronic access to Confidential systems must be the result of using a unique identifier, such as a username and password. Users are only granted one unique WCMC CWID and password. Using another user’s account (CWID) to access Confidential systems is prohibited. Violators will be subject to disciplinary action (see the WCMC Sanctions Policy).
- Managers and administrators of Confidential systems are responsible for ensuring that access technologies and methodologies for those systems incorporate the following:
  - Usage of “strong” (difficult to guess) passwords that contain, at minimum, a combination of capital and lower‐case letters, and numbers
  - Usage of “unique” (not shared among multiple users) user IDs (e.g. CWIDs) with an appropriate authentication mechanism (passwords, tokens, biometrics, etc.)
  - Forced periodic password changes of, at minimum, every 180 days
  - Enforced prohibition of password reuse
  - Enforced prohibition of sharing or disclosing passwords