Article 63 – Identification and Authentication Policy
49200.4 Policy Directives
- The department shall ensure that a department identity and access management (IAM) strategy is developed, clearly defined, documented, and implemented.
- The department IAM strategy shall include the following:
  - Requirements to meet all State and Federal requirements.
  - The unique identification of all authorized personnel or processes acting on behalf of the department that access department information assets prior to being granted access.
  - The use of appropriate credentials for the identification of non-State personnel.
  - Implement methods that enable non-repudiation of access requests to information assets containing sensitive and confidential data, and protect related audit logs for a period of no less than 6 months.
  - Implementation of a suitable IAM infrastructure supporting department requirements.
  - Implementation of safeguards to protect the confidentiality, integrity, and availability of the supporting IAM infrastructure.
  - Definition and implementation of authentication mechanisms based on the type and method of access and the inherent risks associated with each access use case.
  - Control and management of access by administrative and privileged users, including the ability to immediately revoke access when necessary.
  - Requirement to implement application level identification and authentication in addition to platform level access to provide additional security, as appropriate by Owners of Information Assets.
  - Definition, documentation, and implementation of audit and security activity and event logging requirements for privileged use.
  - Identification, development, and implementation of supporting identity and access management processes and procedures.