Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 54 – Access Control Policy

49110.4  Policy Directives 

  • Before department IT (Information Technology) infrastructure network access, users shall be identified and authenticated.

  • Users accessing sensitive or confidential information shall be appropriately provisioned before accessing department owned or operated information assets and associated facilities.
    In the case of physical access to facilities, where access control is a manual process, authentication shall be accomplished by manual verification of an identity (e.g., photo ID).

  • Access to department information assets and associated permissions shall be approved by the respective department information asset owner.

  • Records of all user account creations, deletions, and changes to user access and permissions shall be maintained for a period of at least twelve (12) months.

  • The department shall develop a comprehensive identity and access management strategy based on statutory and organizational business requirements, including:

    • Supporting unique identification, individual user types and groups, job roles and access methods.

    • Limiting access to information assets and associated facilities to authorized users, processes, or devices, and to authorized activities and transactions.

    • Defining roles and assigning responsibilities pertaining to access control tools, technologies and processes.

    • Developing and implementing standards, technologies and processes to support its access control strategy.

    • Formally defining and documenting user account types and groups, and access use cases, commensurate with employment responsibilities.

    • Employing multi-factor authentication for remote access, and risk-based user authentication methods to accommodate approved logical access use cases.

    • Publicly available or published access and authentication credentials, such as default credentials, anonymous credentials and guest credentials, shall not be reused, and shall be replaced as a matter of standard procedure.

    • Display a notification of system use or security warning banner message on each system that requires affirmative acknowledgement by the user before authentication.

  • The department shall ensure that access for non-active personnel is deactivated before or immediately after termination, as appropriate.

  • The department shall review and validate user access and associated access permissions and privileges at least every twelve (12) months to ensure alignment with individual job roles and functions.

  • Certain department information technology support personnel and network administrators shall require specific privileges to perform their duties.

    • For all Administrators and Privileged Account holders, the department shall: 

      • Identify and document all Administrator and Privileged Account holders. 

      • Ensure that administrative and privileged accesses are granted to users through established or approved local provisioning processes.

      • Ensure that such users acknowledge the privileges and only use those accounts to fulfill the specific job responsibilities for which the privileges apply.

      • Ensure automated processes including service accounts with privileged access to information systems shall follow established standards for password rotation, limited access and auditing.

      • Review and validate the continued business need for all Administrator and Privileged Accounts on an annual basis or when staffing, resource, or job function changes occur.

  • User access and permissions shall be based on the principles of least privilege and separation of duties. 

  • The department shall define and document all auditable system events related to data and information access that shall be recorded. 

  • The department shall ensure access control management systems are configured to capture and record audit and security information related to access events.  

  • Audit and security records shall be securely stored and protected against tampering; audit and security records shall be maintained for the period defined in the records retention schedule.  

  • Monitoring and alerting of anomalous or suspicious activities and events is most effectively accomplished through automated and real-time reviews of audit and security logs. 

  • The department shall implement suitable controls to monitor for unauthorized changes to user access. Where feasible, unauthorized changes shall generate automated alerts to notify responsible department individuals. 

  • In the absence of automated monitoring and alerting, the department Information Security Officer (ISO) shall review access record reports on a quarterly basis. Access records include: new user account creation requests, user access revocation requests, active user lists, and user termination lists.