Access
2020.1
Access to Changineers systems and applications by any user, including but not limited to workforce members, volunteers, business associates, contracted providers, consultants, and any other entity, is allowed only on a minimum necessary basis. All users are responsible for reporting any incident of unauthorized use of, or access to, the organization’s information systems. These safeguards have been established to address the HIPAA Security regulations and industry best practices.
Policy Statements
Access Control Policy
Changineers policy requires that
(a) Access to all computing resources, including servers, end-user computing devices, network equipment, services and applications, must be protected by strong authentication, authorization, and auditing.
(b) Interactive user access must be associated to an account or login unique to each user.
(c) All credentials, including user passwords, service accounts, and access keys, must meet the length, complexity, age, and rotation requirements defined in Changineers security standards.
(d) Strong passwords and multi-factor authentication (MFA) must be used whenever possible to authenticate to all computing resources (both devices and applications).
(e) MFA is required to access any critical system or resource, including but not limited to resources in Changineers production environments.
(f) Unused accounts, passwords, and access keys must be removed within 30 days.
(g) A unique access key or service account must be used for each distinct application or user access; keys and service accounts must not be shared across applications or users.
(h) Authenticated sessions must time out after a defined period of inactivity.
Access Authorization and Termination
Changineers policy requires that
(a) Access authorization shall be implemented using role-based access control (RBAC) or similar mechanism.
(b) Standard access based on a user’s job role may be pre-provisioned during employee onboarding. All subsequent access requests to computing resources must be approved by the requestor’s manager, prior to granting and provisioning of access.
(c) Access to critical resources, such as production environments, must be approved by the security team in addition to the requestor’s manager.
(d) Access must be reviewed on a regular basis and revoked if no longer needed.
(e) Upon termination of employment, all system access must be revoked and user accounts terminated within 24 hours or one business day, whichever is shorter.
(f) All system access must be reviewed at least annually and whenever a user’s job role changes.
Shared Secrets Management
Changineers policy requires that
(a) Use of shared credentials/secrets must be minimized and approved on an exception basis.
(b) If required by business operations, secrets/credentials must be shared securely and stored in encrypted vaults that meet the Changineers data encryption standards.
(c) Use of a shared secret to access a critical system or resource must be supported by a complementary control that uniquely identifies the user.
Privileged Access Management
Changineers policy requires that
(a) Users must not log in directly to systems as a privileged user.
- A privileged user is someone who has administrative access to critical systems, such as an Active Directory Domain Administrator, the root user on a Linux/Unix system, or the Administrator or Root user of an AWS account.
(b) Privileged access must only be gained through a proxy, or equivalent, that supports strong authentication (such as MFA) using a unique individual account, with full auditing of user activities.
(c) Direct administrative access to production systems must be kept to an absolute minimum.
Endpoint Management and Software Installation
Changineers policy requires that
(a) Users should refer to the Approved Software list when installing software on their machines, and should seek approval for any software not on the approved list prior to installation.
(b) Users should remove software from machines when licenses expire or their approved status is revoked.
(c) Periodic audits of installed software may be conducted to ensure compliance with licensing and approved software usage.
Controls and Procedures
Employee Workstation / Endpoints Access and Usage
All workstations at Changineers are company owned, using one of the following approved hardware vendors and operating systems:
- Apple, Dell, or Lenovo
- macOS, Linux (Ubuntu or Debian), or Windows 10
- Workstations may not be used to engage in any activity that is illegal or is in violation of organization’s policies.
- Access may not be used for transmitting, retrieving, or storage of any communications of a discriminatory or harassing nature or materials that are obscene or “X-rated”. Harassment of any kind is prohibited. No messages with derogatory or inflammatory remarks about an individual’s race, age, disability, religion, national origin, physical attributes, sexual preference, or health condition shall be transmitted or maintained. No abusive, hostile, profane, or offensive language is to be transmitted through organization’s system.
- Information systems/applications also may not be used for any other purpose that is illegal, unethical, or against company policies or contrary to organization’s best interests. Messages containing information related to a lawsuit or investigation may not be sent without prior approval.
- Solicitation of non-company business, or any use of organization’s information systems/applications for personal gain is prohibited.
- Users may not misrepresent, obscure, suppress, or replace another user’s identity in transmitted or stored messages.
- Users should refer to the Approved Software list when installing software on their machines, and should seek approval for any software not on the approved list prior to installation.
- Workstation hard drives will be encrypted using FileVault (macOS), BitLocker (Windows) or equivalent.
- All workstations must have host firewalls enabled to prevent unauthorized access unless explicitly granted.
- All workstations must have endpoint security software installed and actively running, if supported by the operating system.