Access Control Policy

Policy to implement strong access control measures across WeThrive’s network, information systems and premises

Written by Lauren Rolfe
Updated over a week ago

Purpose

The purpose of this policy is to implement strong access control measures across WeThrive’s network, information systems and premises. This will provide appropriate, authorised, and auditable user access control, whilst ensuring the confidentiality, integrity and availability of information.

Scope

This policy applies to all WeThrive employees, customers, vendors, and anyone else with any form of access to WeThrive information, information systems and premises.

Responsibilities

The Data Protection Officer is responsible for:

  • Creating, documenting, and maintaining individual user/user group profiles that meet the requirements of the Access Control Policy.

  • The administration of allocated and authorised user/user group access rights in conformity with the policy.

  • The initiation and administration of new and changed user access requests and user training.

  • Reviewing user access rights.

The Commercial Director and CEO are responsible for:

  • Authorising access requests, in line with business and security policies and procedures.

Asset owners are responsible for authorising access requests to their information assets in line with the security requirements of those assets.

Access Control Policy

The control of access to WeThrive’s information assets is a fundamental part of a defence-in-depth strategy for information security. If WeThrive is to effectively protect the confidentiality, integrity, and availability of classified data, then a comprehensive mix of physical and logical controls must be in place.

WeThrive’s policy regarding access control must ensure that the measures implemented are appropriate to the business requirements for protection and are not unnecessarily strict. The policy therefore must be based upon a clear understanding of the business requirements as specified by the owners of the assets involved. These requirements may depend on factors such as:

  • The security classification of the information stored and processed by a particular system or service.

  • Relevant legislation that may apply such as the Data Protection Act / General Data Protection Regulation (GDPR).

  • The regulatory framework in which the organisation and the system operates.

  • Contractual obligations with external third parties.

  • The threats, vulnerabilities and risks involved.

  • The organisation’s appetite for risk.

This Access Control Policy is designed to consider the business and information security requirements of WeThrive and is subject to regular review to ensure that it remains appropriate.

This control applies to all systems, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to WeThrive’s systems.

User Registration, De-Registration and Access Provisioning

A request for access to WeThrive’s systems must first be submitted to the Commercial Director or CEO, for approval. The principle of segregation of duties will apply so that the creation of the user account and the assignment of permissions are performed by different people.

Each user account will have a unique username that is not shared with any other user and is associated with a specific individual rather than a role or job title. Generic user accounts should not be created, as they do not allow actions to be attributed to an individual.

An initial strong password should be created on account setup and communicated to the user via secure means. The user is required to change this password on first use of the account.

When an employee leaves WeThrive under normal circumstances, their access to systems and data must be suspended at the close of business on the employee’s last working day. It is the responsibility of the line manager to request the suspension of the access rights via the Data Protection Officer.

In exceptional circumstances, where there is perceived to be a risk that the employee may take action that may harm WeThrive prior to, or upon termination, a request to remove access may be approved and actioned in advance of notice of termination being given. This precaution should especially apply in the case where the individual concerned has privileged access rights, such as domain admin.

User accounts should be initially suspended or disabled only and not deleted. User account names should not be reused as this may cause confusion in the event of a later investigation.

Inactive accounts are suspended automatically after 30 days without use and require re-activation by the CEO or Commercial Director should they still be required. User reports provide detailed information on inactive accounts to support this.

Each user must be allocated access rights and permissions to systems and data commensurate with the tasks they are expected to perform. Typically, this should be role-based. Group roles should be maintained in line with business requirements, and any changes to them should be formally authorised and controlled via the change management process.

Additional, ad-hoc permissions should not be granted to user accounts outside of the group role. If such permissions are required, this should be addressed as a change and formally requested.

Management of Privileged Access Rights

Privileged access rights, such as those associated with administrator-level accounts, must be identified for each system or network and tightly controlled. In general, technical users such as IT support staff should not use accounts with privileged access for day-to-day work. Separate “admin” user accounts should be created and used only when the additional privileges are required. These accounts should be specific to an individual. Generic admin accounts should not be used, as they do not identify who performed an action.

Vendor-supplied default passwords must be changed to complex passwords when a system is first set up, and those credentials must be known only to users holding privileged access rights.

The use of user accounts with privileged access in automated routines, such as batch or interface jobs, should be avoided where possible. Where this is unavoidable, the password used should be protected (for example held in a secured credential vault rather than embedded in scripts or configuration files) and changed on a regular basis.

Access to admin level permissions should only be allocated to individuals whose roles require them and who have received sufficient training to understand the implications of their use. The following is the process which must be followed when granting privileged access rights, such as ‘Admin’ permissions:

  1. Line Manager identifies requirement for privileged access rights.

  2. Line Manager requests and obtains written approval from Data Protection Officer.

  3. If Line Manager is the DPO, the DPO will request and obtain written approval from the Commercial Director or CEO.

  4. The DPO will email the Commercial Director or CEO with the Line Manager’s request.

  5. Commercial Director/CEO will review reasons for admin access and approve or decline in writing to DPO.

  6. DPO confirms approval of access or declines in writing to Line Manager.

Management of Secret Authentication Information of Users

The Commercial Director sets the initial passwords. These will be strong passwords according to the Password Policy. Passwords will be set to expire upon first logon, at which point users will define new ones that are known only to them and that meet the parameters defined for each system.

If additional authentication tools are to be used, such as a two-factor authentication method, the setup procedure documented for that tool will be followed.

Review of User Access Rights

On a regular basis, and at least every six months, asset and system owners will be required to review who has access to their areas of responsibility and the level of access in place, to identify:

  • Individuals who should not have access, such as leavers.

  • User accounts with more access than required by the role.

  • User accounts with incorrect role allocation.

  • User accounts that do not provide adequate identification, such as generic or shared accounts.

  • Any other issues that do not comply with this policy.

A review of user accounts with privileged access will be carried out by the Data Protection Officer on an annual basis to ensure compliance.
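The checks above (leavers still enabled, accounts idle beyond the 30-day suspension limit, permissions beyond the assigned role, generic or shared accounts, and privileged accounts not tied to a named individual) are routine enough to automate. The following is an added example, not part of WeThrive’s policy or tooling: a small review script over constructed sample records. The role names, permission strings and account list are assumptions made for illustration; a real run would feed it an export from the identity provider and the HR leaver list.

```python
"""Access-rights review helper (added example; not WeThrive's own code).

Flags the findings the review section asks asset owners to look for.
All account records, roles and permission names below are constructed
sample data and are assumptions, not values from the policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=30)   # policy: suspend after 30 days unused

# Assumed role-to-permission mapping (illustrative, not from the page).
ROLE_PERMISSIONS = {
    "support": {"crm:read", "tickets:write"},
    "finance": {"ledger:read", "ledger:write"},
    "admin": {"crm:read", "tickets:write", "ledger:read", "ledger:write", "sys:admin"},
}
PRIVILEGED_PERMISSIONS = {"sys:admin"}
# Usernames that do not identify an individual (assumed list).
GENERIC_NAMES = {"admin", "support", "test", "shared", "root", "service"}


@dataclass
class Account:
    username: str
    owner: Optional[str]          # named individual, or None for generic accounts
    role: str
    permissions: set
    enabled: bool
    last_login: Optional[date]    # None = never logged in


def is_generic(acct: Account) -> bool:
    """Generic/shared account: no named owner, or a role-style username."""
    return acct.owner is None or acct.username.lower() in GENERIC_NAMES


def review(accounts, leavers, today):
    """Return a dict of finding type -> sorted usernames.

    Disabled accounts are skipped for the leaver and inactivity checks
    because the policy says leavers' accounts are suspended, not deleted.
    """
    findings = {
        "leaver_enabled": [],            # leaver whose account is still enabled
        "inactive": [],                  # enabled but unused beyond the limit
        "excess_permissions": [],        # holds permissions outside the role
        "generic_account": [],           # cannot be attributed to a person
        "privileged_not_individual": [], # admin rights on a non-personal account
        "unknown_role": [],              # role not in the role catalogue
    }
    for a in accounts:
        if a.enabled and a.owner in leavers:
            findings["leaver_enabled"].append(a.username)
        if a.enabled and (a.last_login is None
                          or today - a.last_login > INACTIVITY_LIMIT):
            findings["inactive"].append(a.username)
        allowed = ROLE_PERMISSIONS.get(a.role)
        if allowed is None:
            findings["unknown_role"].append(a.username)
        elif a.permissions - allowed:
            findings["excess_permissions"].append(a.username)
        if is_generic(a):
            findings["generic_account"].append(a.username)
        if a.permissions & PRIVILEGED_PERMISSIONS and a.owner is None:
            findings["privileged_not_individual"].append(a.username)
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample data for a stand-alone run.
TODAY = date(2024, 6, 1)
LEAVERS = {"j.smith"}                    # assumed HR leaver list
SAMPLE_ACCOUNTS = [
    Account("j.smith", "j.smith", "support", {"crm:read", "tickets:write"}, True, date(2024, 5, 28)),
    Account("a.khan", "a.khan", "finance", {"ledger:read", "ledger:write", "sys:admin"}, True, date(2024, 5, 30)),
    Account("p.lee", "p.lee", "support", {"crm:read"}, True, date(2024, 4, 1)),   # 61 days idle
    Account("admin", None, "admin", set(ROLE_PERMISSIONS["admin"]), True, date(2024, 5, 31)),
    Account("m.ortiz-adm", "m.ortiz", "admin", set(ROLE_PERMISSIONS["admin"]), True, date(2024, 5, 29)),
]

if __name__ == "__main__":
    for finding, users in review(SAMPLE_ACCOUNTS, LEAVERS, TODAY).items():
        print(f"{finding}: {', '.join(users) or '-'}")
```

Each finding maps to an action already defined in the policy: a leaver still enabled is suspended via the Data Protection Officer, an inactive account is suspended pending re-activation by the CEO or Commercial Director, excess permissions are removed as a change, and generic or unattributed privileged accounts are replaced by individual accounts.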

Removal or Adjustment of Access Rights

Where an adjustment of access rights or permissions is required, such as when an individual changes role, this should be carried out as part of the role change. Access rights no longer required by the new role must be removed from the user account. If a user is taking on a new role in addition to their existing one, a new composite role should be requested, and segregation of duties must be considered before it is approved.

Use Of Secret Authentication Information

Users are required to follow the Organisation’s Password Policy. In addition, users are responsible for the following:

  • Where access to a facility is protected by an authentication method such as a password, the user must not make it available to any other person. If they do so, they will be responsible for all the activities originating from that account.

  • A user shall not use another user’s account, nor attempt to discover the password for any resource they are not entitled to use.

All users while using their account, are responsible for:

  • Using their account to conduct their assigned responsibilities only.

  • All activities that originate from their account.

  • All information sent from, intentionally requested, solicited, or viewed from their account.

  • Publicly accessible information placed on a computer using their account.

  • Not revealing their account information to any other individual.

User accounts for access to business information will be granted only as authorised by the user’s Line Manager.

All users shall be responsible for maintaining the confidentiality of the password and account and shall be fully responsible for all activities that occur under their account. They shall immediately notify the Data Protection Officer of any unauthorised use of their password or account or of any other breach of security.

Users must choose complex passwords even where the application or information system does not enforce password complexity, so that password security does not depend entirely on the system.

Information Access Restriction

The following general principles have been used when designing access controls and restrictions for WeThrive’s systems and services:

  • Defence in Depth – security should not depend upon any single control but be the sum of many complementary controls.

  • Least Privilege – access is denied by default and granted only to the minimum extent a role requires; the default approach is to assume that access is not required, rather than to assume that it is.

  • Need to Know – access is only granted to the information required to perform a role, and no more.

  • Need to Use – Users will only be able to access physical and logical facilities required for their role.

Adherence to these basic principles will help to keep systems secure by reducing vulnerabilities and therefore the number and severity of security incidents that occur.

As part of the selection of cloud service providers specifically, the following access-related factors should be assessed:

  • User registration and deregistration functions provided.

  • Facilities for managing access rights to the cloud service.

  • The extent to which access to cloud services, cloud service functions and cloud service customer data can be controlled on an as-required basis.

  • Availability of multi-factor authentication for administrator accounts.

  • Procedures for the allocation of secret information such as passwords.

  • Storage of passwords for support purposes in highly secure, audited, and robust vaults.

Addressing these requirements will ensure that the provisions of this policy can be met in the cloud as well as within on premises systems.

Secure Log-On Procedures

Screens do not display any system or application identifiers until the logon has been successfully completed. The screen provides no help messages during the logon procedure.

The system validates the logon data only on completion of input and then, if there is an error, requires the user to try again; the error message should not reveal which part of the logon data was incorrect. The logon procedure limits the number of unsuccessful attempts allowed to ten, after which the account or machine is locked.

The system limits the maximum time allowed for the logon attempt to 15 minutes. When the limit is exceeded, the system terminates logon.

Multi Factor Authentication

Strong passwords are an essential defence against unauthorised access; however, a variety of ways to further improve the security of user authentication are available, including various forms of two-factor authentication and stronger password techniques.

The Organisation’s policy is to make use of additional authentication methods based on risk, considering:

  • The value of the assets protected.

  • The degree of threat believed to exist.

  • The cost of the additional authentication method(s).

  • The ease of use and practicality of the proposed method(s).

  • Any other relevant controls in place.

The use of multi-factor authentication methods should be justified based on the above factors and securely implemented and maintained where appropriate.

The quality of user passwords should be enforced in all networks and systems in accordance with the Password Policy.

Use of Privileged Utility Programs

Most Operating Systems (OS) have one or more system utility programs and commands that can override system and application controls. The use of such critical system utilities and OS commands shall be tightly controlled by denying privileged OS access to users who do not need it.

Utility programs are kept segregated from application software, and their use is limited to the minimum practical number of trusted, authorised users. The availability of utility programs is restricted and their use is logged. Utility programs that are not required are removed or disabled.

Access to Program Source Code

Where bespoke software development is undertaken, program source code is protected from unauthorised access. Effective version control and software configuration management procedures are implemented from the start of the development including measures for source code check in/check out.

Physical Access

WeThrive employees work remotely full-time so do not have an office space to keep secure.
