Access Control Policy
TABLE OF CONTENTS
- Access Control Policy
- Access Authorization and Workforce Clearance
- Invalid Login Attempts and Inactivity Lock
- Remote Access (VPN)
- User Access Reviews
- Suspension and Termination
Access Control Policy
To protect the confidentiality, integrity, and availability of information by establishing technical safeguards that control and restrict network access to persons who are authorized to have it.
This policy applies to all Brado applications or systems that store, maintain, create, or transmit information, including, but not limited to, QuickBooks, NetSuite, Mavenlink, Polly, SharePoint, and Microsoft Teams. It also applies to the Brado Windows Active Directory environment and to client files retained in accordance with the Data Retention Policy.
Network access privileges include, but are not limited to:
- Workstations and server access
- Access to data contained within or available through the network
- Access to any network that Brado uses
- Email accounts and inclusion on group email lists
Employees, contractors, and other authorized individuals (users) who use Brado equipment or resources and/or log into Brado’s network are required to follow this policy. It addresses new hires, new engagements, changes in job functions and terminations.
Brado will implement appropriate technical security controls and methods that permit only authorized persons to access the network. Such controls and methods may include, but are not limited to, the following:
- Issuance of a unique user identification (user ID) to each user, to be entered together with a password and a second authentication factor as part of multifactor authentication,
- Emergency access procedures that enable authorized users to obtain access to the network during a disaster or other emergency,
- Activation of password-protected screensavers on workstations after a designated period of inactivity,
- Automatic log-off after a designated period of inactivity,
- Requiring users to log off or lock workstations upon leaving their work areas, and
- Encryption, where appropriate, of protected data exchanged across the network.
Violations of this policy should be reported to the user’s supervisor or Human Resources (HR). Brado employees who violate this policy may be subject to disciplinary action, up to and including termination. Other users in violation of this policy and the related procedures may be subject to loss of visitor privileges, termination of services and/or termination of engagement from Brado.
Access Authorization and Workforce Clearance
This section ensures (a) that each user's access to information is appropriate for their job function and (b) that proper documentation is maintained.
The hire of a new employee and/or contractor, or the change in job function or duties may call for a grant of access or a change in the level of access to a specific application or system, in accordance with the Access Control Policy. Any change in access rights is initiated by HR and documented on the Access Control User Review Checklist. IT makes the modifications, signs off, and returns the form to HR for retention.
When there is a request for granting or changing access, the user’s supervisor will email the Director of Technology describing the individual’s new position and all system access changes required. Once approval is given, the change is recorded and logged by the Director of Technology.
Please reference the Suspension and Termination Procedures for processes on eliminating access upon an individual’s termination.
Passwords are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Brado's network or workstations. As such, all persons with network access are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. Passwords should be changed at regular intervals.
Passwords must meet the following complexity requirements, lockout periods and change intervals at a minimum. These parameters have been established in conjunction with Brado’s use of multifactor authentication for access to critical systems and data.
Account Lock Out Parameters
In addition to the above, users are reminded to follow the below guidelines to secure their passwords:
- Do not write down any password.
- Do not put passwords on sticky notes, affix to a workstation or otherwise make publicly visible.
- Passwords should not be given to anyone or shared for any reason.
- Change passwords immediately if they have been compromised.
- Do not save passwords on servers or workstations. Some dialog boxes, such as those for remote access, offer an option to save or remember a password. Selecting this option is a security risk: anyone who gains physical access to the server or workstation can then use the saved credential.
- Password resets can be performed by Brado IT Staff on user accounts if the requesting user can be positively identified.
- If passwords are kept in digital form (e.g. an Excel sheet or Word document), the file must be encrypted or password protected and stored in a highly secured location with limited access.
Invalid Login Attempts and Inactivity Lock
Brado will control access to its workstations through credentialed login procedures and automatic inactivity lock functionality. Brado will apply equivalent login monitoring and automatic inactivity lock functionality to those components of the network that are accessed through a web-based user interface.
- After five (5) consecutive unsuccessful attempts to log on to a Brado workstation, the user's account will be disabled.
- If a user account is disabled due to unsuccessful log-on attempts, the user should contact Brado’s Service Desk.
- Brado IT Staff will verify the user's identity and determine whether the account was disabled because of five (5) consecutive unsuccessful logon attempts or for another reason.
- After verifying the user's identity and confirming that the account was disabled because of unsuccessful logon attempts, the IT Staff member will issue the user a new temporary password. The user will then use the temporary password to log on to the workstation and reset their own password in accordance with the Password Policy.
- Each workstation will be configured to lock the screen after 15 minutes of inactivity.
- To resume activity, or start a new session, the user will have to enter valid login credentials.
- Where feasible, Brado will configure vendor-hosted applications containing sensitive information to lock the application or end the session after 15 minutes of inactivity.
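The lockout and inactivity values above are only as good as the domain and workstation settings that enforce them. The following PowerShell is an added example, not part of the Brado policy: it audits the default domain password policy and the machine inactivity limit against the figures stated in this section, and it carries out the Service Desk reset step (unlock, temporary password, forced change at next logon). It assumes the RSAT ActiveDirectory module is installed and that the script runs on a domain-joined machine with rights to read the domain policy; the function and variable names are ours, and mapping the policy's "account will be disabled" to an indefinite AD lockout (LockoutDuration of 0) is our interpretation.

```powershell
# Added example (not part of the Brado policy): audit lockout and inactivity
# settings against this section's stated values, and perform the reset step.
# Assumes the RSAT ActiveDirectory module on a domain-joined machine.
Import-Module ActiveDirectory

$PolicyLockoutThreshold  = 5        # "five (5) consecutive, unsuccessful attempts"
$PolicyInactivitySeconds = 15 * 60  # "lock the screen after 15 minutes of inactivity"

function Test-LockoutPolicy {
    $dp = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    # A LockoutThreshold of 0 means accounts never lock out at all.
    if ($dp.LockoutThreshold -eq 0 -or $dp.LockoutThreshold -gt $PolicyLockoutThreshold) {
        $findings += "LockoutThreshold is $($dp.LockoutThreshold); policy requires lockout after $PolicyLockoutThreshold consecutive failures."
    }
    # Assumption: a LockoutDuration of 0 (locked until an administrator unlocks)
    # is how we implement "the user's account will be disabled". A timed
    # auto-unlock would let the user bypass the Service Desk identity check.
    if ($dp.LockoutDuration -ne [TimeSpan]::Zero) {
        $findings += "LockoutDuration is $($dp.LockoutDuration); policy expects the account to stay locked until IT verifies the user."
    }
    if (-not $dp.ComplexityEnabled) {
        $findings += "Password complexity is not enforced at the domain level."
    }
    return $findings
}

function Test-InactivityLock {
    # "Interactive logon: Machine inactivity limit" lands in this registry value
    # when set by Group Policy; it locks the session after N seconds of inactivity.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    if (-not $val -or $val -gt $PolicyInactivitySeconds) {
        return "InactivityTimeoutSecs is '$val'; policy requires a lock within $PolicyInactivitySeconds seconds."
    }
}

# The Service Desk reset step. Identity verification happens out of band before
# this is run; the script only refuses to proceed when the account is disabled
# for some reason other than a lockout, as the policy requires.
function Reset-LockedOutUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties LockedOut
    if (-not $user.LockedOut) {
        throw "$SamAccountName is not locked out; it was disabled for another reason, so do not reset it here."
    }
    $temp = Read-Host -AsSecureString -Prompt "Temporary password for $SamAccountName"
    Unlock-ADAccount -Identity $SamAccountName
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $temp
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true   # user picks their own at next logon
}

$issues = @(Test-LockoutPolicy) + @(Test-InactivityLock) | Where-Object { $_ }
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Lockout and inactivity settings match policy." }
```

Run the audit on a domain controller or any domain-joined admin workstation; the reset function is called separately (`Reset-LockedOutUser -SamAccountName jdoe`) after the user has been positively identified. Fine-grained password policies, if any are in use, override the default domain policy for their target groups and need to be checked with `Get-ADFineGrainedPasswordPolicy` as well.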
Remote Access (VPN)
To establish standards for remote access to Brado's corporate network.
Brado employees are permitted to access a Virtual Private Network (VPN) to connect to Brado’s private, internal network. They are provided with remote access to facilitate business continuity procedures (e.g. work from home). Contractors and other third-party individuals (e.g. vendors) may be provided with remote access based on a business need which has been approved by Brado’s Director of Technology.
Brado employees may connect to the VPN only from a Brado-issued device (e.g. a laptop). Contractors and other third-party individuals may use their own devices to connect to Brado's VPN once the Director of Technology has authorized the device and it has been whitelisted in the VPN configuration. Each remote access user is responsible for selecting an Internet Service Provider (ISP), coordinating installation of the Internet connection, installing any required software, and paying the associated fees.
Individuals accessing the Brado VPN do so with the understanding they agree to the following conditions:
- It is the responsibility of users with VPN privileges to ensure that unauthorized persons are not allowed access to Brado’s internal network.
- VPN use is controlled through two-factor authentication.
- The VPN tunnel is encrypted using a minimum of 128-bit encryption.
- While connected to the corporate network, the VPN client will route all of the device's Brado network and Internet traffic through the VPN tunnel (no split tunneling).
- Users of devices which are not Brado owned equipment shall work with Brado to ensure such equipment meets Brado’s security standards.
Brado will ensure sensitive information is encrypted in transit and at rest for data under its control.
The following encryption methods are utilized by Brado:
- Hard drive encryption on all user workstations and network servers.
- VPN tunnel encryption.
- File sharing between Brado and clients occurs via encrypted Microsoft OneDrive connections.
- Brado provides employees with the option to manually encrypt sensitive emails as necessary.
User Access Reviews
To establish the frequency of formal review of user access rights and permissions for applications and the Active Directory network, ensuring that Brado's minimum-necessary-access guidelines are being met.
On at least an annual basis, Brado IT shall coordinate a review of all Windows Active Directory accounts to verify that each account is required for business purposes. On at least a quarterly basis, IT shall coordinate a review of all accounts within applications that store, maintain, create, or transmit protected data.
Any accounts deemed no longer needed shall be disabled or deleted. IT shall maintain evidence of each review along with any documentation used to support the reviews.
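The review above needs evidence that a reviewer can sign off on and IT can retain. The following PowerShell is an added example, not part of the Brado policy: it gathers the Active Directory review inputs (inactive enabled accounts, accounts whose password never expires, members of privileged groups) into dated CSV files together with a record of who ran the review. It assumes the RSAT ActiveDirectory module; the 90-day inactivity window, the output folder, and the list of privileged groups are our assumptions, not values from the policy. Deciding which accounts to disable or delete remains the reviewer's call, so the script changes nothing.

```powershell
# Added example (not part of the Brado policy): collect evidence for the annual
# Active Directory account review. Read-only; assumes the RSAT ActiveDirectory
# module. The inactivity window and group list below are assumptions.
Import-Module ActiveDirectory

$InactiveAfterDays = 90                                   # assumption, not a policy value
$ReviewDate = Get-Date -Format 'yyyy-MM-dd'
$OutDir = Join-Path $env:USERPROFILE "AD-Access-Review-$ReviewDate"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Enabled user accounts with no logon inside the window: candidates to disable or delete.
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveAfterDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Export-Csv -NoTypeInformation (Join-Path $OutDir 'inactive-enabled-users.csv')

# 2. Enabled accounts exempt from password expiry, which sit outside the change-interval rule.
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet, DistinguishedName |
    Export-Csv -NoTypeInformation (Join-Path $OutDir 'password-never-expires.csv')

# 3. Members of privileged groups (resolved through nested groups); each must be confirmed individually.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass |
        Export-Csv -NoTypeInformation -Append (Join-Path $OutDir 'privileged-group-members.csv')
}

# 4. Review record kept alongside the evidence, as the policy requires.
"Review run $ReviewDate by $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME" |
    Set-Content (Join-Path $OutDir 'review-record.txt')

Write-Host "Review evidence written to $OutDir"
```

The resulting folder is what IT retains as the record of the review; the reviewer annotates the CSVs with the decision for each account and the date it was actioned.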
Suspension and Termination
When an employee's employment ends, whether by termination or resignation, Brado will revoke the employee's access to company information and resources. When a contractor's agreement ends, Brado will revoke the contractor's access to company information and resources. If job duties or responsibilities change and specific access privileges are altered, Brado will immediately modify network and physical access privileges to match the new job criteria.
When an employee or contractor is to be terminated, Brado will immediately remove or disable network and physical access privileges prior to the notification of termination, when feasible.
When an employee or contractor provides notice of resignation, their job duties change, or a termination is intended, the supervisor will notify Human Resources (HR). HR will give reasonable notice to the Director of Technology who will be responsible for ensuring access to all services is terminated.
- HR will complete the section of the Access Control Termination Checklist regarding the departing employee or contractor and forward it to the Director of Technology. HR provides:
  - Contact information,
  - Dates and times of notice, effective termination and systems access termination, with the understanding that these dates may differ for various reasons,
  - The Brado employee to whom e-mails are to be transferred, and
  - Date and time of physical access termination.
- The Director of Technology will complete the following actions and return the completed Access Control Termination Checklist to HR:
  - Terminate access to services and systems, as appropriate, and
  - Document the date, time and description of the actions taken to terminate access.
- HR will:
  - Terminate, as appropriate, physical access rights,
  - Collect any equipment, property or resource that may contain, allow, or enable access to company information, including, but not limited to, computers, identification badges, security tokens, facility access cards, cell phones, and keys to the building, office, or desks, and
  - Document, and securely maintain a record of:
    - Name of user,
    - Date, time and location the equipment and property were returned, and
    - Description of returned items.