3.07 – LITS Access Control and Log Management Policy

Purpose of Document:

To establish guidelines for user access in order to protect information resources. 

Scope: 

This policy applies to the LITS Department.

Policy:

LITS must ensure that the following access controls are implemented for any information resource: 

  1. Procedures for (a) establishing and describing different levels of user access, (b) authorizing user access and (c) granting, revising, and terminating user access are documented, periodically reviewed, and revised as required so that access is granted only when necessary for users to accomplish the intended and approved purpose of the use.
  2. The information resource is protected by authorization (access control) technology that employs User IDs and secret passwords unique to each User. Password management procedures include the protections described in Section B below. Use of a generic group identifier is not recommended for access to a system that contains sensitive data or confidential data. 
  3. No unnecessary accounts are created on the information resource beyond those needed for administration, operation, and testing. 
  4. Unnecessary or unused accounts are disabled and removed. 
  5. Access to any resource must be approved by HR (in the case of staff turnover) or by a full-time staff supervisor, Dean, or Vice-President. In some instances, additional permission by data owner (e.g. Registrar) or committee (e.g. Academic Council) may also be necessary.
  6. User access to any system that uses, stores, or transmits sensitive data is reviewed regularly. 

Additional Protection for Sensitive Data

Systems responsible for sensitive data require a higher level of protection. LITS must ensure that the following protections are implemented for each information resource that processes, transmits, or stores sensitive data (see Data Classification Policy): 

  1. Logging is activated on each server. 
  2. Logging is configured to keep track of access to Systems, Data and the Server itself. 
  3. Logs are retained for as long as it is operationally necessary; 29 days is recommended. 
  4. A Syslog or similar function is used to store logs on a separate system. 
  5. Logs are reviewed by LITS on a regular basis for unusual activity. 
  6. A process is established so that log monitoring software is installed where available. 
  7. Logs generate the following data:  
    1. Date and time of activity;  
    2. Description of attempted or completed activity;  
    3. Identification of User performing activity; 
    4. Origin of activity (i.e., IP address, workstation identifier, etc.) 
  8. Logs have audit mechanisms that generate reports of auditable events such as:  
    1. Failed authentication attempts;  
    2. Use of audit software programs or utilities (i.e., System logs);  
    3. Access to the System;  
    4. System startup or shut down;  
    5. Use of privileged accounts (i.e., System administrator accounts);  
    6. Security incidents;  
    7. Change of User’s security information (i.e., User privileges); and  
    8. Vendor and temporary account activities. 

It is recommended, but not required, that the foregoing protections be implemented for information resources other than those that process, transmit, or store sensitive data. 

Password Standards

LITS must ensure that the following additional password protections are implemented for each information resource that processes, transmits, or stores sensitive data: 

  1. Passwords should be changed regularly but minimally on an annual basis. Passwords may not be reused until two additional passwords have been used. 
  2. Users select and change their own passwords. 
  3. Passwords meet secure password standards, including:  
    1. Passwords must be at least 8 alpha and numeric characters long. Passwords for System Administrators or Service Accounts must be at least 16 characters long.
    2. Dictionary words or commonly known proper nouns are not used unless the password has more than 12 characters.  
    3. Passwords include mixed case letters and numbers or special characters.  
    4. Users are encouraged to use a passphrase such as a sentence that contains the above requirements. In this case, dictionary words may be used. 
  4. Passwords are not displayed in clear text when being input into the System. 
  5. Default vendor or other pre-installed passwords are changed immediately following the installation of a system. 
  6. Users are trained on good password practices. It is recommended, but not required, that the foregoing password procedures be implemented for Information Resources other than those that process, transmit or store sensitive data. 

LITS Staff reserve the right to modify this policy at any time.

Approvals: 

  • LITS: October 11, 2019
  • Provost: February 2020