
Access Control Policy

last updated: 11 September 2023

TeamKinetic will establish specific requirements for protecting information and information systems against unauthorized access. TeamKinetic will effectively communicate the need for information and information system access control.

2 Purpose

Information security is the protection of information against accidental or malicious disclosure, modification, or destruction. Information is an important, valuable asset of TeamKinetic that must be managed with care. All information has value to the Organization. However, not all of this information has equal value or requires the same level of protection. Access controls are put in place to protect information by controlling who has the right to use different information resources and by guarding against unauthorized use. Formal procedures must control how access to information is granted and how such access is changed. This policy also mandates a standard for the creation of strong passwords, their protection, and frequency of change.

3 Scope

This policy applies to all TeamKinetic committees, departments, partners and employees (including system support staff with access to privileged administrative passwords), and to contractual third parties and agents of the Organization with any form of access to TeamKinetic's information and information systems.

4 Definition

Access control rules and procedures are required to regulate who can access TeamKinetic information resources or systems and the associated access privileges. This policy applies at all times and should be adhered to whenever accessing TeamKinetic information in any format and on any device.

5 Risks

On occasion, business information may be disclosed or accessed prematurely, accidentally, or unlawfully. Individuals or companies, without the correct authorization and clearance, may intentionally or accidentally gain unauthorized access to business information which may adversely affect day-to-day business. This policy is intended to mitigate that risk. Non-compliance with this policy could have a significant effect on the efficient operation of the Organization and may result in financial loss and an inability to provide necessary services to our customers.

6 Applying the Policy – Passwords

6.1 Choosing Passwords

Passwords are the first line of defense for our ICT systems and, together with the user ID, help to establish that people are who they claim to be. A poorly chosen or misused password is a security risk and may impact the confidentiality, integrity, or availability of our computers and systems.

6.1.1 Weak and strong passwords

A weak password is one that is easily discovered, or detected, by people who are not supposed to know it. Examples of weak passwords include words picked out of a dictionary, names of children and pets, car registration numbers, and simple patterns of letters from a computer keyboard. A strong password is one designed in such a way that it is unlikely to be detected by people who are not supposed to know it, and is difficult to work out even with the help of a computer. We enforce password length as the main deterrent against brute-force cracking. We do not encourage hard-to-type or hard-to-remember passwords; length is the key component in improving strength. Passwords must:

  • Be at least 12 characters long.
  • Contain a mix of upper and lower case letters.
  • Be more complex than a single word (such passwords are easier for hackers to crack).

6.2 Protecting Passwords

It is of utmost importance that the password remains protected at all times. The following guidelines must be adhered to at all times [amend the list as appropriate]:

  • Never reveal your passwords to anyone.
  • Never use the ‘remember password’ function.
  • Never write your passwords down or store them where they are open to theft.
  • Never store your passwords in a computer system without encryption.
  • Do not use any part of your username within the password.
  • Do not use the same password to access different TeamKinetic systems.
  • Do not use the same password for systems inside and outside of work.

6.3 Changing Passwords

All user-level passwords must be changed at a maximum of every 90 days, or whenever a system prompts you to change them. Default passwords must also be changed immediately. If you become aware, or suspect, that your password has become known to someone else, you must change it immediately and report your concern to [Name a department – e.g. IT Helpdesk]. Users must not reuse the same password within 20 password changes [amend as appropriate].

6.4 System Administration Standards

The password administration process for individual TeamKinetic systems is well-documented and available to designated individuals. All TeamKinetic IT systems will be configured to enforce the following:

  • Authentication of individual users, not groups of users – i.e. no generic accounts.
  • Protection with regard to the retrieval of passwords and security details.
  • System access monitoring and logging – at a user level.
  • Role management so that functions can be performed without sharing passwords.
  • Password admin processes must be properly controlled, secure and auditable.

7 Applying the Policy – Employee Access

7.1 User Access Management

7.1.1 User access provisioning
Each user must be allocated access rights and permissions to computer systems and data that are commensurate with the tasks they are expected to perform. In general, this will be role-based: a user account is added to a group that has been created with the access permissions required by that job role. Group roles must be maintained in line with business requirements, and any changes to them must be formally authorized and controlled via the change management process. Ad-hoc additional permissions must not be granted to user accounts outside of the group role; if such permissions are required, this must be addressed as a change and formally requested. Formal user access procedures must cover all stages of the life cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access. These procedures must be agreed upon by TeamKinetic. Each user must:

  • Be allocated access rights and permissions to computer systems and data that are commensurate with the tasks they are expected to perform.
  • Have a unique login that is not shared with or disclosed to any other user.
  • Have an associated unique password that is requested at each new login.

User access rights must be reviewed at regular intervals to ensure that the appropriate rights are still allocated. System administration accounts must only be provided to users that are required to perform system administration tasks.

7.1.2 Removal or adjustment of access rights
Where an adjustment of access rights or permissions is required, for example due to an individual changing role, this must be carried out as part of the role change. It must be ensured that access rights no longer required as part of the new role are removed from the user account. If a user is taking on a new role in addition to their existing one (rather than instead of) then a new composite role must be requested via change management. Due consideration of any issues of segregation of duties must be given.
Under no circumstances will administrators be permitted to change their own user accounts or permissions.

7.1.3 Management of privileged access rights
Privileged access rights, such as those associated with administrator-level accounts, must be identified for each system or network and tightly controlled. In general, technical users (such as IT support staff) will not make day-to-day use of user accounts with privileged access; instead, a separate “admin” user account must be created and used only when the additional privileges are required. These accounts must be specific to an individual, for example “Pretesh Biswas Admin”; generic admin accounts must not be used, as they provide insufficient identification of the user. Admin-level permissions must only be allocated to individuals whose roles require them and who have received enough training to understand the implications of their use. The use of user accounts with privileged access in automated routines such as batch or interface jobs must be avoided where possible. Where this is unavoidable, the password used must be protected and changed on a regular basis.

7.1.4 User authentication for external connections
In line with the Network Security Policy, the use of modems on non-organization-owned devices connected to the organization’s network can seriously compromise the security of the network. Specific approval must be obtained from the IT Service Desk before connecting any equipment to the organization’s network. Where remote access to the network is required via VPN, a request must be made via the IT Service Desk. Multifactor authentication will be used for remote access, in line with the principle of “something you have and something you know”, in order to reduce the risk of unauthorized access from the Internet. For further information, please refer to the Mobile Device Policy and Remote Working Policy.

7.1.5 Supplier remote access to the organization network
Partner agencies or 3rd party suppliers must not be given details of how to access the organization’s network without permission from the IT Service Desk. Any changes to suppliers’ connections (for example on termination of a contract) must be immediately sent to the IT Service Desk so that access can be updated or ceased. All permissions and access methods must be controlled by the IT Service Desk. Partners or 3rd party suppliers must contact the IT Service Desk on each occasion to request permission to connect to the network, and a log of activity must be maintained. Remote access software and user accounts must be disabled when not in use.

7.1.6 Review of user access rights
On a regular basis (at least annually) asset owners must review who has access to their areas of responsibility and the level of access in place. This will be to identify:

  • People who should not have access (e.g. leavers)
  • User accounts with more access than required by the role
  • User accounts with incorrect role allocations
  • User accounts that do not provide adequate identification, e.g. generic or shared accounts
  • Any other issues that do not comply with this policy

This review will be performed according to a formal procedure and any corrective actions identified and carried out. A review of user accounts with privileged access will be carried out by the Information Security Manager on a quarterly basis to ensure that this policy is being complied with.

7.2 User Registration

A request for access to the Organization’s computer systems must first be submitted to the [Name a department – e.g. Information Services Helpdesk] for approval. Applications for access must only be submitted if approval has been gained from [Name a role – e.g. your line manager].

When an employee leaves the organization, their access to computer systems and data must be suspended at the close of business on the employee’s last working day. It is the responsibility of the [Name a role – e.g. your line manager] to request the suspension of the access rights via the [Name a department – e.g. Information Services Helpdesk].

7.3 User Responsibilities

It is a user’s responsibility to prevent their user ID and password from being used to gain unauthorized access to Organization systems by:

  • Following the Password Policy Statements outlined above in Section 6.
  • Ensuring that any PC they are using that is left unattended is locked or logged out.
  • Leaving nothing on display that may contain access information such as login names and passwords.
  • Informing the security officer of any changes to their role and access requirements.

7.4 Network Access Control

The use of modems on non-Organization-owned PCs connected to the Organization’s network can seriously compromise the security of the network. The normal operation of the network must not be interfered with. Specific approval must be obtained from the security officer before connecting any equipment to the Organization’s network.

7.5 User Authentication for External Connections

Where remote access to the TeamKinetic network is required, an application must be made via the security officer. Remote access to the network must be secured by two-factor authentication consisting of a username, password, and a separate authentication device.

7.6 Supplier’s Remote Access to the Organization Network

Partner agencies or 3rd party suppliers must not be given details of how to access the Organization’s network without permission from [Name a department – e.g. IT Helpdesk]. Any changes to suppliers’ connections must be immediately sent to the [Name a department – e.g. IT Helpdesk] so that access can be updated or ceased. All permissions and access methods must be controlled by [Name a department – e.g. IT Helpdesk].

Partners or 3rd party suppliers must contact the security officer before connecting to the TeamKinetic network and a log of activity must be maintained. Remote access software must be disabled when not in use.

7.7 Operating System Access Control

Access to operating systems is controlled by a secure login process. The access control defined in the User Access Management section (section 7.1) and the Password section (section 6) above must be applied. The login procedure must also be protected by:

  • Not displaying any previous login information e.g. username.
  • Limiting the number of unsuccessful attempts and locking the account, if exceeded.
  • The password characters being hidden by symbols.
  • Displaying a general warning notice that only authorized users are allowed.

All access to operating systems is via a unique login ID that will be audited and can be traced back to each individual user. The login ID must not give any indication of the level of access that it provides to the system (e.g. administration rights). System administrators must have individual administrator accounts that will be logged and audited. The administrator account must not be used by individuals for normal day-to-day activities.

7.8 Application and Information Access

Access within software applications must be restricted using the security features built into the individual product. The owner of the software application is responsible for granting access to the information within the system. The access must [amend the list as appropriate]:

  • Be compliant with the User Access Management section (section 7.1) and the Password section (section 6) above.
  • Be separated into clearly defined roles.
  • Give the appropriate level of access required for the role of the user.
  • Be unable to be overridden (with the admin settings removed or hidden from the user).
  • Be free from alteration by rights inherited from the operating system that could allow unauthorized higher levels of access.
  • Be logged and auditable.

8 Policy Compliance

If any user is found to have breached this policy, they may be subject to TeamKinetic's disciplinary procedure. If a criminal offense is considered to have been committed, further action may be taken to assist in the prosecution of the offender(s). If you do not understand the implications of this policy or how it may apply to you, seek advice from [name appropriate department].

9 Review and Revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months. The policy review will be undertaken by [Name an appropriate role].

Key Messages

  • All users must use strong passwords.
  • Passwords must be protected at all times.
  • User access rights must be reviewed at regular intervals.
  • It is a user’s responsibility to prevent their user ID and password from being used to gain unauthorized access to TeamKinetic's systems.
  • Partner agencies or 3rd party suppliers must not be given details of how to access the Organization’s network without permission from the security officer.
  • Partners or 3rd party suppliers must contact the security officer before connecting to the TeamKinetic network.

© TeamKinetic, 2024. All rights reserved.