The purpose of this policy is to establish guidelines and procedures for implementing logical access control measures to protect sensitive information and resources within the organization. This policy covers access control, authentication, and auditing requirements.
This policy applies to all employees, contractors, vendors, and third-party users who have access to the organization’s information systems, networks, applications, and data.
Access to information systems, networks, applications, and data shall be granted based on the principle of least privilege. Users shall only be given access rights necessary to perform their assigned duties.
User accounts shall be created for authorized individuals and assigned unique identifiers. User account creation, modification, and termination shall follow the organization’s defined procedures.
Users shall be responsible for maintaining the confidentiality and integrity of their credentials (e.g., passwords, tokens). Sharing of user accounts or credentials is strictly prohibited.
Access to administrative or privileged functions shall be restricted to authorized personnel only. Privileged accounts shall be carefully managed, and their usage shall be monitored.
Remote access to organizational resources shall be protected using secure mechanisms such as virtual private networks (VPNs) or secure remote access solutions. Remote access privileges shall be granted based on business needs and subjected to strict authentication requirements.
User passwords shall be complex, unique, and periodically changed.
We have the following password/passphrase policy:
- Length: 10 characters
- At least one upper-case character
- At least one lower-case character
- At least one number or special character
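The following validator is an added example and not part of the policy itself; it enforces the four rules listed above together with the "unique" requirement from the preceding paragraph (no reuse of a previous password). It assumes that "Length: 10 characters" means a minimum of 10, that a "special character" is any non-alphanumeric, non-whitespace character, and that password history is kept only as salted PBKDF2 hashes; all of those are assumptions, not statements from the page.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Policy parameters. "Length: 10 characters" is read as a minimum (assumption).
MIN_LENGTH = 10
PBKDF2_ITERATIONS = 200_000  # work factor for stored password-history hashes (assumption)


def check_password(password: str) -> List[str]:
    """Return the policy rules the candidate password violates (empty list = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no upper-case character")
    if not any(c.islower() for c in password):
        violations.append("no lower-case character")
    # A "special character" here is anything that is neither alphanumeric nor whitespace.
    if not any(c.isdigit() or (not c.isalnum() and not c.isspace()) for c in password):
        violations.append("no number or special character")
    return violations


def is_compliant(password: str) -> bool:
    return not check_password(password)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Produce a (salt, digest) pair suitable for keeping in a password-history store."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def is_reused(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any previously used password (compared in constant time)."""
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def validate_new_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Full check for a password change: complexity rules plus the no-reuse rule."""
    violations = check_password(password)
    if is_reused(password, history):
        violations.append("reuses a previous password")
    return violations


if __name__ == "__main__":
    # Constructed sample history: the user's one previous password, stored hashed.
    history = [hash_password("OldPassword1")]
    for candidate in ["short", "OldPassword1", "CorrectHorse7"]:
        problems = validate_new_password(candidate, history)
        print(f"{candidate!r}: {'OK' if not problems else ', '.join(problems)}")
```

The history check deliberately never stores or compares plaintext: each previous password survives only as a salted hash, and the candidate is hashed with the same salt before a constant-time comparison.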
Multi-Factor Authentication (MFA)
MFA shall be implemented for all critical systems and sensitive data access. It requires users to provide multiple forms of authentication, such as passwords, tokens, or biometrics.
Account lockout mechanisms shall be implemented to prevent brute-force attacks. After a defined number of failed login attempts, the user account shall be temporarily or permanently locked.
User sessions shall be automatically terminated after a period of inactivity. Users shall be required to re-authenticate when accessing resources after a session timeout.
Information systems shall generate and store audit logs to track user activities, system events, and security-related incidents. The logs shall capture relevant details such as user ID, date and time, and actions performed.
Monitoring and Analysis
Audit logs shall be regularly reviewed to detect unauthorized access attempts, unusual activities, or policy violations. Automated monitoring tools are employed to facilitate timely detection and response.
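As an added example covering both the account lockout mechanism described earlier and the audit-log review described here (not part of the policy), the script below replays constructed login audit records, applies a lockout rule, and produces the alerts a reviewer would want to see. The log format, the threshold of 5 failures within 15 minutes, the 30-minute lockout, and the user names and addresses in the sample are all assumptions chosen for the example; the policy itself leaves the "defined number of failed login attempts" to the organization.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Lockout parameters (assumed values; the policy leaves the exact numbers to the organization).
MAX_FAILED_ATTEMPTS = 5
FAILURE_WINDOW = timedelta(minutes=15)
LOCKOUT_DURATION = timedelta(minutes=30)

# Assumed audit-record layout: timestamp, user ID, action, result, source address.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=login result=(?P<result>success|failure) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit record; lines that do not match the format are ignored."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "result": m["result"],
        "src": m["src"],
    }


class LockoutTracker:
    """Counts recent failures per user, locks accounts, and records alerts for review."""

    def __init__(self) -> None:
        self.failures: Dict[str, List[datetime]] = defaultdict(list)
        self.locked_until: Dict[str, datetime] = {}
        self.alerts: List[Tuple[datetime, str, str]] = []

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record(self, event: dict) -> str:
        user, ts = event["user"], event["ts"]
        if self.is_locked(user, ts):
            # Any activity on a locked account is worth a reviewer's attention.
            self.alerts.append((ts, user, f"attempt while locked ({event['result']}) from {event['src']}"))
            return "locked"
        if event["result"] == "success":
            self.failures[user].clear()  # a successful login resets the failure count
            return "allowed"
        # Keep only failures inside the sliding window, then add this one.
        recent = [t for t in self.failures[user] if ts - t <= FAILURE_WINDOW]
        recent.append(ts)
        self.failures[user] = recent
        if len(recent) >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = ts + LOCKOUT_DURATION
            self.failures[user].clear()
            self.alerts.append((ts, user, f"locked after {MAX_FAILED_ATTEMPTS} failures from {event['src']}"))
            return "locked"
        return "failed"


def review_log(lines: List[str]) -> LockoutTracker:
    """Replay audit records in order and return the tracker holding lock state and alerts."""
    tracker = LockoutTracker()
    for line in lines:
        event = parse_line(line)
        if event:
            tracker.record(event)
    return tracker


# Constructed sample audit log (not real data): alice is brute-forced from a single address,
# bob mistypes twice then succeeds, carol's two failures are an hour apart.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z user=alice action=login result=failure src=203.0.113.9
2024-05-01T08:00:10Z user=alice action=login result=failure src=203.0.113.9
2024-05-01T08:00:20Z user=alice action=login result=failure src=203.0.113.9
2024-05-01T08:00:30Z user=alice action=login result=failure src=203.0.113.9
2024-05-01T08:00:40Z user=alice action=login result=failure src=203.0.113.9
2024-05-01T08:01:00Z user=alice action=login result=success src=203.0.113.9
2024-05-01T08:02:00Z user=bob action=login result=failure src=10.0.0.5
2024-05-01T08:02:05Z user=bob action=login result=failure src=10.0.0.5
2024-05-01T08:02:10Z user=bob action=login result=success src=10.0.0.5
2024-05-01T08:03:00Z user=carol action=login result=failure src=10.0.0.7
2024-05-01T09:03:00Z user=carol action=login result=failure src=10.0.0.7
"""

if __name__ == "__main__":
    result = review_log(SAMPLE_LOG.splitlines())
    for ts, user, message in result.alerts:
        print(f"{ts.isoformat()} {user}: {message}")
```

In the sample, alice is locked on the fifth failure and her later successful login is flagged because it falls inside the lockout period, which is exactly the kind of discrepancy a log review should surface (either the lockout was not enforced or the record is suspect); bob and carol never reach the threshold within the window.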
Any security incidents or suspected breaches shall be reported promptly to the appropriate personnel or designated incident response team. Incident response procedures shall be followed to investigate and mitigate any identified issues.
Staff members found to be in violation of this policy may be subject to disciplinary action, up to and including termination.
This policy is to be distributed to all Ambassify staff using, supporting, and configuring desktop workstations.