9-4 Information Technology Professionals Policy -Section III: Access Control Policy
III. Access Control Policy
This Policy establishes logical access controls Local Information Service Providers must implement to secure Local Agency IT resources and data.
- Secure Log-On Procedures
Access to Local Agency IT resources and data must be controlled by secure log-on procedures.
- Logon Banners
When technically feasible, logon warning banners must be displayed on any information system that hosts nonpublic services. Logon warning banner content must inform Users that Local Agency IT resources are for authorized County/Local Agency business only, User activities may be monitored, and Users have no expectation of privacy.
- Unsuccessful Login Attempts
The number of consecutive attempts to enter an incorrect password must be limited. User IDs must be temporarily disabled (locked out) after a prescribed number of unsuccessful access attempts have been made as determined by Local Information Service Provider standards.
- Password Management
Password standards must be developed and implemented to ensure all Users follow proven password management practices. These password standards must be mandated by automated controls when technically feasible and include but are not limited to the following:
  - Prohibiting the storage and transmission of passwords in clear text;
  - Prohibiting use of default vendor passwords;
  - Changing temporary passwords at the first login and after each reset;
  - Changing passwords at regular intervals;
  - Development of procedures to verify a User’s identity prior to providing a replacement password (i.e., password reset); and
  - Enforcing choice of strong passwords.
- Use of System Utilities
Use of system utilities that are capable of overriding other controls must be restricted.
  - Access to system utilities must be limited to Users and Administrators with an approved need to run or use those utilities.
  - Temporary access may be granted only after a business requirement for access has been documented and approved.
  - When technically feasible, unneeded system utilities, options, and/or services must be removed or disabled.
- Session Time-Out
As determined by Local Information Service Provider standards, security measures must be implemented to require authentication or re-authentication after a prescribed period of inactivity for desktops, laptops, or any other Local Agency IT resources where authentication is required.
- Connection Limitation
Restrictions on connections must be used to provide additional security for high-risk applications or remote communication capabilities. As determined by Local Information Service Provider standards, the following controls must be applied and maintained:
  - Connection time (e.g., office hours);
  - Connection location; and
  - Requiring re-authentication at timed intervals.
- Application Access Control
To prevent unauthorized access to information stored in Local Agency application systems, access must be restricted to Users and support personnel whose work assignment requires access to those applications.