
Access Control Policy

Policy Owner: Lucas

Effective Date: 01/03/2025

Purpose

To limit access to information and information processing systems, networks, and facilities to authorized parties in accordance with business objectives.

Scope

All Tekai information systems that process, store, or transmit confidential data as defined in the Tekai Data Management Policy. This policy applies to all employees of Tekai and to all external parties with access to Tekai networks and system resources.

Policy

Access to information computing resources is limited to personnel with a business requirement for such access. Access rights shall be granted or revoked in accordance with this Access Control Policy.

Business Requirements of Access Control

Access Control Policy

...

The following security standards shall govern access to Tekai networks and network services:

  • Technical access to Tekai networks must be formally documented, including the standard role or approver, grantor, and date.
  • Only authorized Tekai employees and third parties working off a signed contract or statement of work, with a business need, shall be granted access to the Tekai production networks and resources.
  • Tekai guests may be granted access to guest networks after registering with office staff, without a documented request.
  • Remote connections to production systems and networks must be encrypted.

Customer Access Management

...

User IDs shall be promptly disabled or removed when users leave the organization or contract work ends in accordance with SLAs. User IDs shall not be re-used.

User Access Provisioning

  • New employees and/or contractors are not to be granted access to any Tekai production systems until after they have completed all HR on-boarding tasks, which may include but are not limited to a signed employment agreement, intellectual property agreement, and acknowledgement of Tekai's information security policy.
  • Access should be restricted to only what is necessary to perform job duties.
  • No access may be granted earlier than the official employee start date.
  • Access requests and rights modifications shall be documented in an access request ticket or email. No permissions shall be granted without approval from the system or data owner or management.
  • Records of all permission and privilege changes shall be maintained for no less than one year.

Management of Privileged Access

...

Where feasible, passwords for confidential systems shall be configured for at least the following requirements:

  • At least eight (8) or more characters, with high complexity (letters, numbers, special characters).
  • Initial passwords must be set to a unique value and changed after first log in.
  • For manual password resets, a user's identity must be verified prior to changing passwords.
  • Do not limit the permitted characters that can be used.
  • Do not limit the length of the password to anything below 64 characters.
  • Do not use secret questions (place of birth, etc.) as a sole password reset requirement.
  • Require email verification of a password change request.
  • Require the current password in addition to the new password during password change.
  • Store passwords in a hashed and salted format using a memory-hard or CPU-hard one-way hash function.
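As an added illustration that is not part of the policy document, the following Python code shows how an application could enforce the password requirements listed above: the policy check mirrors the bullets (minimum 8 characters, all three character classes, no character restrictions, no length cap below 64), a password change requires the current password, and storage uses hashlib.scrypt as the salted, memory-hard hash. The scrypt cost parameters and the 128-character default cap are assumptions, not values the policy specifies.

```python
import hashlib
import hmac
import os

# Thresholds taken from the policy bullets above.
MIN_LENGTH = 8           # "at least eight (8) or more characters"
MAX_LENGTH_FLOOR = 64    # never cap password length below 64 characters
# scrypt cost parameters: assumed values (memory-hard), not set by the policy.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def check_password_policy(password: str, max_length: int = 128) -> list[str]:
    """Return the list of policy violations; an empty list means compliant.
    No character is forbidden (policy: do not limit permitted characters)."""
    if max_length < MAX_LENGTH_FLOOR:
        raise ValueError(f"max_length must be at least {MAX_LENGTH_FLOOR}")
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if len(password) > max_length:
        problems.append(f"longer than {max_length} characters")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    if not (has_letter and has_digit and has_special):
        problems.append("needs letters, numbers and special characters")
    return problems


def hash_password(password: str) -> str:
    """Salted, memory-hard hash; stored as "<salt hex>$<digest hex>"."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt; constant-time comparison."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def change_password(current: str, new: str, stored: str) -> str:
    """Policy: the current password is required alongside the new one."""
    if not verify_password(current, stored):
        raise PermissionError("current password incorrect")
    problems = check_password_policy(new)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(new)
```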

System and Application Access

Information Access Restriction

...

Prior to implementation, evaluation criteria are to be applied to application software to determine the necessary access controls and data policies. Assessment criteria include, but are not limited to:

  • Sensitivity and classification of data.
  • Risk to the organization of unauthorized access or disclosure of data.
  • The ability to, and granularity of, control(s) on user access rights to the application and data stored within the application.
  • Restrictions on data outputs, including filtering sensitive information, controlling output, and restricting information access to authorized personnel.
  • Controls over access rights between the evaluated application and other applications and systems.
  • Programmatic restrictions on user access to application functions and privileged instructions.
  • Logging and auditing functionality for system functions and information access.
  • Data retention and aging features.

All unnecessary default accounts must be removed or disabled before making a system available on the network. Specifically, vendor default passwords and credentials must be changed on all Tekai systems, devices, and infrastructure prior to deployment. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, and Simple Network Management Protocol (SNMP) community strings where feasible.

...

Any known violations of this policy should be reported to the IT Manager. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.


Version | Date       | Description   | Author | Approved by
1.0     | 01-03-2025 | First version | Lucas  |

APPENDIX A - Access Management Procedure

...