Glemnet Ltd will establish specific requirements for protecting information and information systems against unauthorised access.
Glemnet Ltd will effectively communicate the need for information and information system access control.
Purpose
Information security is the protection of information against accidental or malicious disclosure, modification or destruction. Information is an important, asset of Glemnet which must be managed with care. All information has a value to the organisation. However, not all of this information has an equal value or requires the same level of protection.
Access controls are put in place to protect information by controlling who has the rights to use different information resources and by guarding against unauthorised use.
Formal procedures must control how access to information is granted and how such access is changed.
This policy also mandates a standard for the creation of strong passwords, their protection and frequency of change.
1 Scope
This policy applies to all Glemnet’s Directors, Departments, Partners, and Employees (including system support staff with access to privileged administrative passwords), contractual third parties and agents of the organisation with any form of access to Glemnet’s information and information systems.
2 Definition
Access control rules and procedures are required to regulate who can access Glemnet’s information resources or systems and the associated access privileges. This policy applies at all times and should be adhered to whenever accessing Glemnet information in any format, and on any device.
Information security management has three basic components;
3 Risks
On occasion business information may be disclosed or accessed prematurely, accidentally or unlawfully. Individuals or companies, without the correct authorisation and clearance may intentionally or accidentally gain unauthorised access to business information which may adversely affect day to day business. This policy is intended to mitigate that risk.
Non-compliance with this policy could have a significant effect on the efficient operation of the organisation and may result in a breach of data, financial loss and an inability to provide necessary services to our customers.
4 Applying the Policy - Passwords
4.1 Choosing Passwords
Passwords are the first line of defence for our ICT systems and together with the user ID help to establish that people are who they claim to be.
A poorly chosen or misused password is a security risk and may impact upon the confidentiality, integrity or availability of our computers and systems.
4.1.1 Weak and strong passwords
A weak password is one which is easily discovered, or detected, by people who are not supposed to know it. Examples of weak passwords include words picked out of a dictionary, names of children and pets, car registration numbers and simple patterns of letters from a computer keyboard.
A strong password is a password that is designed in such a way that it is unlikely to be detected by people who are not supposed to know it, and difficult to work out even with the help of a computer.
Everyone must use strong passwords with a minimum standard of:
4.2 Protecting Passwords
It is of utmost importance that the password remains protected at all times. The following guidelines must be adhered to at all times:
4.3 Changing Passwords
All user-level passwords must be changed at a maximum of every 90 days, or whenever a system prompts you to change it. Default passwords must also be changed immediately. If you become aware, or suspect, that your password has become known to someone else, you must change it immediately and report your concern to Senior IT Engineer.
Users must not reuse the same password within password changes.
4.4 System Administration Standards
The password administration process for individual Glemnet systems is well-documented and available to designated individuals.
All Glemnet IT systems will be configured to enforce the following:
5 Applying the Policy – Employee Access
5.1 User Access Management
Formal user access control procedures must be documented, implemented and kept up to date for each application and information system to ensure authorised user access and to prevent unauthorised access. They must cover all stages of the lifecycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access. These must be agreed by Glemnet . Each user must be allocated access rights and permissions to computer systems and data that:
User access rights must be reviewed at regular intervals to ensure that the appropriate rights are still allocated. System administration accounts must only be provided to users that are required to perform system administration tasks.
5.2 User Registration
A request for access to the organisation’s computer systems must first be submitted to the Senior IT Engineer.
When an employee leaves the organisation, their access to computer systems and data must be suspended at the close of business on the employee’s last working day. It is the responsibility of the Manager to request the suspension of the access rights via the Support Team or directly to the Senior IT Engineer.
5.3 User Responsibilities
It is a user’s responsibility to prevent their user ID and password being used to gain unauthorised access to the organisations systems by:
5.4 Network Access Control
The use of USB’s and Remote Login methods on non-organisational owned PC’s connected to the organisation’s network can seriously compromise the security of the network. The normal operation of the network must not be interfered with. Specific approval must be obtained from Senior IT Engineer before connecting any equipment to Glemnet’s network. Use of Removable Media including USB sticks is not permitted by the Company.
5.5 User Authentication for External Connections
Where remote access to the Glemnet network is required, an application must be made via the Support Team. Remote access to the network must be secured by two factor authentications consisting of a username and one other component.
5.6 Supplier’s Remote Access to the Organisations Network
Partner agencies or 3rd party suppliers must not be given details of how to access the organisations network without permission from Senior IT Engineer. Any changes to supplier’s connections must be immediately sent to Support Team so that access can be updated or ceased. All permissions and access methods must be controlled by Senior IT Engineer.
Partners or 3rd party suppliers must contact the Senior IT Engineer before connecting to the Glemnet network and a log of activity must be maintained. Remote access software must be disabled when not in use.
5.7 Operating System Access Control
Access to operating systems is controlled by a secure login process. The access control defined in the User Access Management section (section 7.1) and the Password section (section 6) above must be applied. The login procedure must also be protected by:
All access to operating systems is via a unique login id that will be audited and can be traced back to each individual user. The login id must not give any indication of the level of access that it provides to the system (e.g. administration rights).
System administrators must have individual administrator accounts that will be logged and audited. The administrator account must not be used by individuals for normal day to day activities.
5.8 Application and Information Access
Access within software applications must be restricted using the security features built into the individual product. The access must:
6 Contingency and Disaster Recovery Planning
Plans are in place to ensure the availability of essential IT systems to cover:
When possible, Plans will be tested to ensure that they are operational for each department. These planes will be regularly reviewed and maintained by the Senior IT Engineer.
Specific plans can be found within the Business continuity plan.
7 Policy Compliance
If any user is found to have breached this policy, they may be subject to Glemnet disciplinary procedure. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s).
If you do not understand the implications of this policy or how it may apply to you, seek advice from your manager or HR.
8 Policy Governance
The following table identifies who within Glemnet is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:
Responsible: Paul Thornton, Senior IT Engineer
Accountable: Kam Benning, Operations Director
Consulted: Management Team
Informed: All Staff
9 Review and Revision
This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.
Policy review will be undertaken by Neil Linter, Managing Director.
Version 2.3
25/02/2021
We use necessary cookies to make our site work. We'd also like to set analytics cookies that help us make improvements by measuring how you use the site. These will be set only if you accept.
For more detailed information about the cookies we use, see our Cookies page.
Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.