ACCESS CONTROL

The Access Control Policy deals with the definition and implementation of a set of procedures, which ensure that all the access to information, systems, networks, facilities etc. is secured. 1.1 Goal and Objective The key objectives of the Access Control domain are: To control access to information To ensure authorized user access and to prevent unauthorized access to operatin systems, application systems, information, users and networks To prevent compromise or theft of information and information processin facilities 1.2 Access Control Policy A! "##$C%&'A!P('P$#(A mana ement shall ensure that access control rules and ri hts for each user roup or individual user are clearly defined. The definition shall cover both lo ical and physical access and should be considered in totality. All access shall be ranted on the basis of operational re)uirement or *need+to+have, basis, duly approved by the competent authority. 1.3 ser Access !ana"e#ent 1.3.1 ser Re"istration A! "##$C%&'A!P('P$#(A mana ement shall ensure that comprehensive procedures are developed and enforced for user re istration or de+re istration. %ach user on the system shall have a uni)ue $-, with re)uisite approval from the concerned competent authorities. The level of access shall be consistent with the operational re)uirements, A! "##$C%&'A!P('P$#(A security policy, and the se re ation of duties principle. A * eneric, .ser $- that is desi nated for use by either multiple users or anonymous users, without enablin individual authentication and accountability, shall not be allowed. %/ceptions to this policy shall re)uire the formal authorization from both the owner of the information related asset or business process, and from the relevant competent authority. 1.3.2 Privile"e !ana"e#ent A! "##$C%&'A!P('P$#(A mana ement shall ensure that comprehensive procedures are developed and enforced for the control of system privile es for various components, such as operatin system, databases, applications etc. All the privile es shall be allocated strictly on a need basis with prior formal authorization from the relevant competent authority. An audit trail shall be maintained detailin all such privile es provided for future reference and investi ations. 1.3.3 ser Pass$ord !ana"e#ent A! "##$C%&'A!P('P$#(A mana ement shall ensure that access identifiers and their associated credentials 0e. . passwords1 are considered confidential information and are mana ed in a secure manner to prevent their disclosure durin the initial set up of the user account. At a minimum, the followin controls are applied: a1 $nitial passwords determined by the system, rather than by the user, are communicated to the user in a different medium than the one used by the system 0i.e.
VERSION: 1.3 ISSUE: MARCH 2013 PAGE 1
OF

PROPRIETARY & CONFIDENTIAL

THE INFORMATION CONTAINED IN THIS DOCUMENT IS SENSITIVE AND INTENDED FOR AG OFFICES/AGPR/PIFRA INTERNAL DISTRIBUTION ONLY. NOT %E COP&E' OR '&STR&% TE'

a password for a system account is provided to the user by their mana er, rather than electronically throu h email messa in 12 and b1 $nitial or temporary passwords are chan ed immediately upon their first use. 1.3.( Revie$ o) *ser access ri"+ts A! "##$C%&'A!P('P$#(A mana ement shall ensure that comprehensive procedures are developed and enforced for the review of user access ri hts at re ular intervals. This review shall be documented for future reference and audits. 1.( Pass$ord Policy A! "##$C%&'A!P('P$#(A mana ement shall ensure that a stron password mana ement and usa e policy is developed and enforced. The policy shall consider the followin aspects: a. .sers are re)uired to chan e their password within 34 days. $f a user does not chan e his'her password within 34 days, he'she will be automatically prompted for the chan e of password. b. Passwords must be chosen by the users which are difficult to uess. This means that passwords must not be related to one5s job or personal life. #or e/ample, a car license plate number, a spouse5s name, or fra ments of an address must not be used. This also means passwords must not be a word found in the dictionary or some other part of speech. #or e/ample, proper names, places, technical terms, and slan must not be used. c. Password control software will be used to prevent users from selectin easily+ uessed passwords. A ood password may be a mi/ture of alphabets in upper 6 lower case alon with numbers.
7(ef: %mail 6 $nternet Policy for the #ederal !overnment 8 Anne/ure %9:;

d.

$ndividual passwords shall be enforced by the applications and operatin systems to maintain accountability for access2 e. A record of previously used passwords shall be maintained by the password mana ement system to prevent re+use by users 0password history12 f. <endor default passwords shall not be retained in the systems followin the installation of any application or operatin system software2 and . All user level, system and applicable level passwords where applicable, shall conform to the rules and uidelines describe below: 9. Passwords shall have special characters 0e. . =>?@AB6C01+DE12 F. Passwords shall have at least ei ht 0:1 characters2 G. Passwords shall not be written down, stored online or saved electronically2 H. PasswordIs minimum a e shall be zero 041 days2 J. PasswordIs history shall be enforced to last G passwords2 K. PasswordIs unsuccessful attempts shall not be more than three 0G12 and L. Account lockout shall be confi ured for at least 94 minutes.

VERSION: 1.3 ISSUE: MARCH 2013

PAGE 2

OF

PROPRIETARY & CONFIDENTIAL

THE INFORMATION CONTAINED IN THIS DOCUMENT IS SENSITIVE AND INTENDED FOR AG OFFICES/AGPR/PIFRA INTERNAL DISTRIBUTION ONLY. NOT %E COP&E' OR '&STR&% TE'

1.,

Clear 'es- and Clear Screen Policy a. .se password protected screen savers to avoid misuse of their PCs by unauthorized personnel. .sers leavin their computers unattended for more than 9J minutes should consider lo in off the network. b. Mo off the network at the end of each day and power off their workstations.
7(ef. %mail 6 $nternet Policy for the #ederal !overnment 8 Anne/ure %09G1;

c.

&ensitive information on paper or removable media will be locked away or, at a minimum, stored out of si ht when unattended and when not in use2 and d. #a/es and photocopiers will be sited to protect a ainst unauthorized access and will be cleared of unclaimed content at least daily. Nhen printin or copyin sensitive information it is the responsibility of the initiator to ensure the copies or printouts are cleared from the machine immediately. 1.. Privile"e Access Policy 1...1 Privile"ed Access !ana"e#ent a1 Administrative or similar privile ed access to system level resources shall be for the e/clusive use of personnel performin system maintenance and related administrative duties2 b1 Privile ed access shall be used only for system administrative tasks where such access is re)uired. Oon+administrative tasks shall be performed throu h standard user identities and privile es 0no administrative ri hts12 and c1 Privile ed access shall be lo invalid users and accounts. ed and reviewed re ularly to identify and remove

1...2 !aintenance o) Access Privile"es "wners of information related assets or business processes shall perform re ular reviews of user access privile es for their respective systems to identify and remove invalid users and accounts. 1...3 Revo-in" Access Privile"es a1 .pon chan e of a userIs employment status or role within A! "##$C%&'A!P('P$#(A 0e. . transfer, promotion, termination1, owners of the information related assets and business processes shall be notified by human resource win 2 b1 Access privile es shall be immediately revoked or reassi ned 0if appropriate1 upon notification2 and c1 Nhere the termination date is known as in the case of temporary workers or contractors, the respective access privile es shall have an automatic termination date where possible. 1./ Net$or- Access Control A Oetwork'&ystem administrator0s1 under the overall control of the controllin authority in respective !overnment "r anizations will mana e the $T $nfrastructure in his'her or anization as per the uideline provided at %mail 6 $nternet Policy for the #ederal !overnment + Anne/+%.
7(ef: %mail 6 $nternet Policy for the #ederal !overnment+ :d; VERSION: 1.3 ISSUE: MARCH 2013 PAGE 3
OF

PROPRIETARY & CONFIDENTIAL

THE INFORMATION CONTAINED IN THIS DOCUMENT IS SENSITIVE AND INTENDED FOR AG OFFICES/AGPR/PIFRA INTERNAL DISTRIBUTION ONLY. NOT %E COP&E' OR '&STR&% TE'

1./.1 A*t+entication )or &nbo*nd Connections A! "##$C%&'A!P('P$#(A throu h the Oetwork and PA&$& team shall ensure that authorized e/ternal sources or users outside of the A! "##$C%&'A!P('P$#(A network are appropriately identified and authenticated before their session is connected into the network. 1./.2 A*t+entication )or O*tbo*nd Connections A! "##$C%&'A!P('P$#(A mana ement shall ensure that all e/ternal network destinations with which a connection is re)uired is identified, documented, and authenticated, prior to establishin a connection into such e/ternal networks. This is essentially important to prevent any potential threat that e/poses A! "##$C%&'A!P('P$#(A to si nificant operational risk. 1./.3 Re#ote 'ia"nostic Port Protection A! "##$C%&'A!P('P$#(A mana ement shall ensure that only the network ports documented as necessary for its operations are opened. All the ports that permit remote access for administrator or dia nostic use shall have more strin ent security mechanisms to prevent unauthorized access. All the open ports shall re)uire prior formal authorization from the owner of the information related asset or the relevant competent authority. The level of security applied shall commensurate with the risks involved. 1./.( Se"re"ation in Net$or-s A! "##$C%&'A!P('P$#(A mana ement shall ensure that se ments of the A! "##$C%&'A!P('P$#(A network are lo ically separated to implement the se re ation of incompatible duties and access privile es of users, both internal and e/ternal to A! "##$C%&'A!P('P$#(A. $n consideration of access control policies, access re)uirements, and risk assessments, the A! "##$C%&'A!P('P$#(A network shall be divided into appropriate domains, zones or <+MAOs. As applicable, these zones ' <+MAOs shall include: 9. Application development F. "perations G. %/tranet &ervices H. Oetwork perimeter 1./., Net$or- Connection Control The access capabilities of users connectin across the shared network are limited to only those capabilities defined by their user privile es. The access of services is identified and monitored and is controlled where necessary. These services may include, but are not limited to: a1 Oetwork applications, such as email2 b1 #ile transfer facilities 0#TP12 and c1 $nteractive access 0e. . command line1. 1./.. Net$or- Ro*tin" Control The network routin from a userIs ateway to the userIs intranet destination 0local ' remote offices1 ensures that the userIs network traffic remains within the same network

VERSION: 1.3 ISSUE: MARCH 2013

PAGE 4

OF

PROPRIETARY & CONFIDENTIAL

THE INFORMATION CONTAINED IN THIS DOCUMENT IS SENSITIVE AND INTENDED FOR AG OFFICES/AGPR/PIFRA INTERNAL DISTRIBUTION ONLY. NOT %E COP&E' OR '&STR&% TE'

se ment for which the user has been authorized to use. The controls to achieve this include but are not limited to: a1 -isablin of unlimited network roamin 0the user will have access to a specific <MAO unless authorized2 b1 Mo ical <MAOs to isolate se ments of the network and the implementation of ateways 0e. . routers and firewalls12 and c1 Pre+definin the userIs network path, to prevent any user intervention and eliminate the opportunity to e/plore the network. 1././ Sec*rity Net$or- 'evices and Services The owner of a network device is aware of its security features and limitations. Appropriate measures are implemented to mana e the risk of the assetIs security limitations. a1 The security features and limitations of the asset are reviewed and documented before the asset is deployed into production2 and b1 The asset 0network device i.e. router and firewall1 is kept up to date with its respective patches and updates. 1.0 A11lication and &n)or#ation Access Control 1.0.1 &n)or#ation Access Restriction A! "##$C%&'A!P('P$#(A mana ement shall ensure that access to applications and the data therein is provided only in accordance with the direct needs and re)uirements of the individual and their position. Access to applications shall be ranted only in a manner that supports the appropriate se re ation of duties within functional responsibilities. Application access control shall be supported at a minimum, by the followin principles: a1 (estriction of menus on a need to know basis2 b1 (estriction of user knowled e relatin to aspects and functionality of applications that they are not authorized to access2 and c1 (ead, write, delete and e/ecute access is assi ned as appropriate in accordance with information classification and user need. 1.0.2 Sensitive Syste# &solation A! "##$C%&'A!P('P$#(A mana ement shall ensure that sensitive applications are specifically identified throu h the risk assessment process. &ensitive applications and systems shall be lo ically and physically se re ated where information re)uirements dictate special handlin and protection. 1.2 T+ird Party Access Control A! "##$C%&'A!P('P$#(A mana ement shall ensure that where access to A! "##$C%&'A!P('P$#(A information systems and resources is re)uired by or anizations e/ternal to A! "##$C%&'A!P('P$#(A, the risks of rantin such access are identified, documented, authorized, and controlled. 1.2.1 Ris- &denti)ication and Control A! "##$C%&'A!P('P$#(A mana ement shall ensure that authorization for third party access into the A! "##$C%&'A!P('P$#(A information systems ' network re)uires a risk assessment be performed on the third party connection. Controls to address the
VERSION: 1.3 ISSUE: MARCH 2013 PAGE 5
OF

PROPRIETARY & CONFIDENTIAL

THE INFORMATION CONTAINED IN THIS DOCUMENT IS SENSITIVE AND INTENDED FOR AG OFFICES/AGPR/PIFRA INTERNAL DISTRIBUTION ONLY. NOT %E COP&E' OR '&STR&% TE'

identified risks and how A! "##$C%&'A!P('P$#(A information assets are affected by the access shall be protected and documented in the contract with the third party. The contract at a minimum shall address: a1 All parties involved with the outsourcin a reement includin made aware of their security responsibilities2 subcontractors, are

b1 The relevant le al and re ulatory re)uirements of A! "##$C%&'A!P('P$#(A2 c1 The physical and lo ical security controls used by the outside party to control access to A! "##$C%&'A!P('P$#(A information assets are specified by the outside party and approved by the Chief &ecurity "fficer2 d1 The processes used by the outside party to protect the availability, inte rity and confidentiality of A! "##$C%&'A!P('P$#(A information assets are specified by the outside party and approved by the appropriate Chief &ecurity "fficer2. e1 A! "##$C%&'A!P('P$#(A reserves the ri ht to audit the contractual responsibilities of the parties involved with the outsourcin a reement2 f1 Controls are established to restore A! "##$C%&'A!P('P$#(A information assets to their ori inal state upon termination of the access a reement. This will also cover the destruction of sensitive information no lon er re)uired2 1 (eports on performance, system faults, and security incidents are provided to A! "##$C%&'A!P('P$#(A as and when needed2 and h1 (easonable access for testin "##$C%&'A!P('P$#(A. 1.2.2 Li#itation o) Access A! "##$C%&'A!P('P$#(A mana ement shall ensure that the third party is ranted the minimum de ree of access re)uired for its desi nated and authorized purposes strictly on a need to know basis. 1.2.3 Pro)essional Cond*ct A! "##$C%&'A!P('P$#(A mana ement shall ensure that the third party is bound to conduct its business with A! "##$C%&'A!P('P$#(A consistent to A! "##$C%&'A!P('P$#(A de ree of ethical standards and professional conduct and as per the A! "##$C%&'A!P('P$#(A information security policy. 1.13 General Con)i"*ration Policy A! "##$C%&'A!P('P$#(A mana ement shall ensure that a strict confi uration policy is developed and enforced. The followin aspects shall be taken into consideration: a1 Qardware, operatin systems, services, and applications shall be approved by A! "##$C%&'A!P('P$#(A $T win 2 b1 All patches'hot+fi/es recommended by "##$C%&'A!P('P$#(A shall be installed2 the e)uipment vendor and A! or review third party will be available to A!

c1 &ervices and applications not servin operational re)uirements shall be disabled2 d1 &ervices and applications not for eneral access shall be restricted via access control lists2 e1 &ecurity+related events and audit trails shall be lo
VERSION: 1.3 ISSUE: MARCH 2013 PAGE 6
OF

ed and saved2 and

PROPRIETARY & CONFIDENTIAL

f1 &ecurity+related events shall include, but not limited to, the followin :
9
THE INFORMATION CONTAINED IN THIS DOCUMENT IS SENSITIVE AND INTENDED FOR AG OFFICES/AGPR/PIFRA INTERNAL DISTRIBUTION ONLY. NOT %E COP&E' OR '&STR&% TE'

9. F.

.ser lo in failures2 and #ailure to obtain privile ed access.

1.11 4ardenin" t+e O1eratin" Syste# and A11lications A! "##$C%&'A!P('P$#(A mana ement shall ensure that it creates a -e+Rilitarized Sone within its technical infrastructure. &pecial considerations shall be made in terms of the followin : a1 All systems to be placed in the -RS shall be *hardened, 8 a process of shuttin off unnecessary protocols and services and applyin necessary security patches to the operatin system and applications on the system2 b1 &ystems to be placed in the -RS shall be scanned for vulnerabilities2 c1 &cannin shall be done in such a manner that the systems shall not be interrupted2 and d1 .pon identification of a vulnerability or threat in the network, the respective file server shall be temporarily disconnected from the network until security risks are miti ated. 1.12 O1eratin" Syste# Access Control "peratin systems on all A! "##$C%&'A!P('P$#(A assets shall be appropriately confi ured and subject to access controls to prevent unauthorized modification or access to information. 1.12.1 Sec*re Lo"5on Proced*res Mo on procedures are customized wherever possible to provide the minimum amount of information needed by the user to properly authenticate. Nhere possible, the followin controls are implemented: a1 &ystem or application identifiers are not be displayed until the lo +on process has been successfully completed2 b1 Mo on information is validated only upon correct completion of all input data and no indications as to which portion of the authentication information is incorrect will be iven on unsuccessful lo in attempts2 and c1 The number of unsuccessful system lo +on attempts is limited. A time limit between unsuccessful system lo +on attempts is enforced to prevent brute force attacks on the systems. 1.12.2 ser &denti)ication and A*t+entication a1 $dentification and authentication of a user is established prior to the user obtainin the ability to access an application account after an account lockout, or when establishin a new account2 b1 Access to computin resources is only initiated with appropriate authorization from A! "##$C%&'A!P('P$#(A and from the system owner2 c1 Authorized users are uni)uely identified and verified by the system before access to its resources is permitted2 d1 An uni)ue user $- is assi ned to each employee, contractor or consultant re)uirin access to A! "##$C%&'A!P('P$#(A application to allow for appropriate monitorin of access and activities under that $-2 and
VERSION: 1.3 ISSUE: MARCH 2013 PAGE
OF

PROPRIETARY & CONFIDENTIAL

THE INFORMATION CONTAINED IN THIS DOCUMENT IS SENSITIVE AND INTENDED FOR AG OFFICES/AGPR/PIFRA INTERNAL DISTRIBUTION ONLY. NOT %E COP&E' OR '&STR&% TE'

e1 Nhere deemed necessary, additional uni)ue user $-Is are assi ned for sensitive applications to help prevent system breach in the event of other user $- compromise. 1.12.3 se o) Syste# tilities a1 Access to system tools that have the capability to override system and application control are restricted from all users, e/cept those with documented authorization. &ystem tools shall be protected a ainst unauthorized access2 b1 Access to system utilities is limited to the minimum practical number of trusted and authorized individuals2 c1 All access to system utilities is lo use2 and ed to facilitate the identification of inappropriate

d1 Ad hoc use of system utilities is not allowed unless specifically authorized by the Chief &ecurity "fficer. 1.12.( Session Ti#e O*t After a defined period of inactivity, access to information services is locked and the display of information is cleared. (e+authentication to the information service is needed to unlock access. Time out periods are set based upon risk assessment. $f terminal time out or workstation lockin is not available at a minimum, password protected screen savers are deployed. $f employees are re)uired to leave their machines unattended for e/tended periods they will lo off or shut down. 1.12., Li#itation o) Connection Ti#e Nherever possible, for hi h risk systems or for users or systems where access is only re)uired durin business hours, active sessions shall be limited to a specified timeframe. Qi h risk systems shall be identified throu h an asset classification and risk assessment. 1.12.. !onitorin" Syste# Access and se Appropriate levels of monitorin will be performed to ensure that only authorized users are accessin the systems and that they are only performin duties authorized for their roles and responsibilities. &ystems shall be monitored to identify suspicious activity, unauthorized access or use, and other non+standard events such that incidents can be investi ated and evidence can be athered for internal or le al use. 1.12./ Syste# se !onitorin" and Event Lo""in" &ystem monitorin is performed to a level commensurate with the risk assessment of the systems under e/amination2 Audit lo s are maintained for operatin systems and for all applications that contain sufficient information to identify unauthorized events2 &ufficient information is lo ed to allow for appropriate investi ation of the events. Access lo s will capture at a minimum: a1 All privile ed operations 0e. . use of administrator accounts, system start+up and stop, and device attachment'detachment12 and b1 Authorized access information 0e. . user $-, date and time of lo +on and lo +off, terminal identity or location, and failed access attempts1. Audit lo s are retained for a period of at least 34 days to support business needs for investi ation into past activities.
VERSION: 1.3 ISSUE: MARCH 2013 PAGE !
OF

PROPRIETARY & CONFIDENTIAL

THE INFORMATION CONTAINED IN THIS DOCUMENT IS SENSITIVE AND INTENDED FOR AG OFFICES/AGPR/PIFRA INTERNAL DISTRIBUTION ONLY. NOT %E COP&E' OR '&STR&% TE'

After 34 days the lo are achieved and retained in a secondary backup media such as tapes. Mo information shall be protected a ainst tamperin ' modification and unauthorized access. "ut of Oormal Pusiness Qours workin to be lo ed and reviewed ne/t day. 1.13 !obile Co#1*tin" All mobile computin devices storin ' carryin sensitive information i.e. laptop computer, notebooks, mobile phones and black berry devices shall ensure secure communication. #urther, all mobile computin devices shall be encrypted to ensure confidentiality.

VERSION: 1.3 ISSUE: MARCH 2013

PAGE 9

OF

PROPRIETARY & CONFIDENTIAL

THE INFORMATION CONTAINED IN THIS DOCUMENT IS SENSITIVE AND INTENDED FOR AG OFFICES/AGPR/PIFRA INTERNAL DISTRIBUTION ONLY. NOT %E COP&E' OR '&STR&% TE'