11.1 Business requirement for access control
Objective
To control access to information.
Policy
11.1.1 Access control policy
An access control policy shall be established, documented, and reviewed based on business and security requirements for access.
11.2 User access management
Objective
To ensure authorised user access and to prevent unauthorised access to information systems.
Policy
11.2.1 User registration
There shall be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.
11.2.2 Privilege management
The allocation and use of privileges shall be restricted and controlled.
11.2.3 User password management
The allocation of passwords shall be controlled through a formal management process.
11.2.4 Review of user access rights
Management shall review users’ access rights at regular intervals using a formal process.
11.3 User responsibilities
Objective
To prevent unauthorised user access, and compromise or theft of information and information processing facilities.
Policy
11.3.1 Password use
Users shall be required to follow good security practices in the selection and use of passwords.
Passwords are required to be at least eight characters in length and be an alphanumeric mix.
Network passwords must be changed at least every 42 days with re-use prohibited.
Passwords must be kept confidential, not shared with others and not written down. If problems are experienced with passwords and access to the network, contact either the local or Auris Helpdesk who will follow approved MRC procedures.
11.3.2 Unattended user equipment
Where a computer is logged into the MRC network but inactive for more than 10 minutes, an inactivity lock must be automatically applied.
In line with Corporate and local environmental & sustainability policies, staff should log out and switch off workstations and monitors before leaving the office at the end of each working day.
However, they must remain plugged into the mains to allow for remote updates to be applied.
11.3.3 Clear desk and clear screen policy
All staff must handle information in accordance with the MRC’s Protective Marking and Handling Scheme. Where possible, it is recommended to implement a general clear desk policy.
11.4 Network access control
Objective
To prevent unauthorised access to networked services.
Policy
11.4.1 Policy on use of network services
Users shall only be provided with access to the services that they have been specifically authorised to use.
11.4.2 User authentication for external connections
Appropriate authentication methods shall be used to control access by remote users.
11.4.3 Equipment identification in networks
Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment.
11.4.4 Remote diagnostic and configuration port protection
Physical and logical access to diagnostic and configuration ports shall be controlled.
11.4.5 Segregation in networks
Groups of information services, users, and information systems shall be segregated on networks.
11.4.6 Network connection control
For shared networks, especially those extending across the organisation’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications (see 11.1.1).
11.4.7 Network routing control
Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.
11.5 Operating system access control
Objective
To prevent unauthorised access to operating systems.
Policy
11.5.1 Secure log-on procedures
Access to operating systems shall be controlled by a secure log-on procedure.
All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user.
11.5.3 Use of system utilities
The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
11.5.4 Session time-out
Inactive sessions shall shut down after a defined period of inactivity.
11.5.5 Limitation of connection time
Restrictions on connection times shall be used to provide additional security for high-risk applications.
11.6 Application and information access control
Objective
To prevent unauthorised access to information held in application systems.
Policy
11.6.1 Information access restriction
Access to information and application system functions by users and support personnel shall be restricted in accordance with the defined access control policy.
11.6.2 Sensitive system isolation
Sensitive systems shall have a dedicated (isolated) computing environment.
11.7 Mobile computing and teleworking
Objective
To ensure information security when using mobile computing and teleworking facilities.
Policy
11.7.1 Mobile computing and communications
This includes equipment such as laptop computers, personal digital assistants (PDAs), smart phones and BlackBerrys.
It is expected that staff will be vigilant and take care of MRC property at all times. For example, equipment must not be left near open windows or in view of the public, and equipment such as laptops, PDAs and smart phones must be locked away in a secure place when not in use and overnight, or be taken off site for added security. Unauthorised persons must be prevented from using MRC equipment.
Data should be copied and backed up from laptop computers on a regular basis in case of loss or theft.
Laptops must be protected with disk encryption software. For MRC issued laptops, the disk encryption software will be provided by the local IT support team. Partner, collaborator and other third party-owned laptops containing MRC data and information must be protected with their own disk encryption software. Contact the local IT Helpdesk or Information Security team for further guidance.
Use of wireless internet hotspots (provided by the MRC and commercial companies, for example BT Openzone) is allowed from MRC laptops. To avoid unauthorised access to information on MRC laptops in a wireless area, “Computer to Computer” access (access via another workstation) and unsecured access (where no password is required) are not permitted.
Staff have personal accountability for the information held and accessed from their PDA. If staff lose their PDA, or have it stolen, this must be immediately reported to the local IT Security Officer or the MRC’s Corporate Information Security team. The backup of the PDA data is the responsibility of the user.
Staff using MRC supplied portable IT equipment should note that in addition to monitoring undertaken as part of information security, the MRC monitors the use of this equipment.
Where there is doubt as to whether the equipment is being used regularly and there is a requirement elsewhere within the MRC for such equipment, then the equipment may be re-allocated.
11.7.2 Teleworking
A policy, operational plans and procedures shall be developed and implemented for teleworking activities.