Access Controls: Difference between revisions

From Bloomex Wiki
(Created page with "==== Network Access Philosophy ==== The Bloomex network consists of various hardware components including computing devices, routers, switches, and cables that transmit all forms of information. To protect both the equipment and the information it transmits, access to the network is restricted to users who have undergone appropriate training and agree to adhere to proper usage guidelines. This training, which is approved by the IT Enterprise Security Department, focuses...")
 
Line 1: Line 1:
==== Network Access Philosophy ====
==== Network Access Philosophy ====
The Bloomex network consists of various hardware components including computing devices, routers, switches, and cables that transmit all forms of information. To protect both the equipment and the information it transmits, access to the network is restricted to users who have undergone appropriate training and agree to adhere to proper usage guidelines. This training, which is approved by the IT Enterprise Security Department, focuses on information security awareness and recognition of Bloomex's security policies.
The Bloomex network consists of various hardware components including computing devices, routers, switches, and cables that transmit all forms of information. To protect both the equipment and the information it transmits, access to the network is restricted to users who have undergone appropriate training and agree to adhere to proper usage guidelines. This training, which is approved by the IT Department, focuses on information security awareness and recognition of Bloomex's security policies.


==== Network Access Approval Process ====
==== Network Access Approval Process ====
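Review bot: the department rename in the Network Access Philosophy paragraph is not carried through the rest of the page: step 1 of the Network Access Approval Process in this revision still reads "HR notifies the IT Department (including the IT Enterprise Security Department)". Either update that step as well or keep the security team named here, so the page is clear about which group approves the awareness training.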
Line 13: Line 13:


==== Information Access Approval Process ====
==== Information Access Approval Process ====
The manager of an employee must initiate the access control approval process. The privileges granted remain active until the employee’s job function changes or the employee leaves Bloomex. If either of these events occurs, the manager must promptly inform the IT Enterprise Security Department to update or revoke the employee’s access. Non-employees, such as contractors or consultants, must be authorized in the same manner. The department manager must review the access privileges of non-employees every three months to determine if continued access is necessary.
The manager of an employee must initiate the access control approval process. The privileges granted remain active until the employee’s job function changes or the employee leaves Bloomex. If either of these events occurs, the manager must promptly inform the IT Department to update or revoke the employee’s access. Non-employees, such as contractors or consultants, must be authorized in the same manner. The department manager must review the access privileges of non-employees every three months to determine if continued access is necessary.


==== Departures from Bloomex ====
==== Departures from Bloomex ====
Line 22: Line 22:


==== Privilege Deactivation ====
==== Privilege Deactivation ====
Online sessions on multi-user machines must automatically terminate after a period of inactivity, as defined by the IT Enterprise Security Department. Users should log off when stepping away from their desks for more than a few minutes. User IDs that have been inactive for a defined period must have their privileges revoked.
Online sessions on multi-user machines must automatically terminate after a period of inactivity, as defined by the IT Department. Users should log off when stepping away from their desks for more than a few minutes. User IDs that have been inactive for a defined period must have their privileges revoked.


==== User Authentication ====
==== User Authentication ====
All production system user IDs at Bloomex must be linked to a password or a stronger authentication mechanism to ensure that only the authorized user can access the account. Users are responsible for any activity associated with their user ID and must change their password immediately if they suspect it has been compromised. Any suspicion of broken or compromised access control mechanisms must be reported to the IT Enterprise Security Department.
All production system user IDs at Bloomex must be linked to a password or a stronger authentication mechanism to ensure that only the authorized user can access the account. Users are responsible for any activity associated with their user ID and must change their password immediately if they suspect it has been compromised. Any suspicion of broken or compromised access control mechanisms must be reported to the IT Department.


These policies ensure that Bloomex maintains a secure and controlled environment for managing network and information access.
These policies ensure that Bloomex maintains a secure and controlled environment for managing network and information access.
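Review bot: in the Privilege Deactivation paragraph, the inactivity timeout "as defined by the IT Department" and the "defined period" after which inactive user IDs lose their privileges have no value or reference on this page. Since this edit changes who defines them, state or link to where the IT Department publishes those periods. The same applies to the User Authentication paragraph, which now sends reports of compromised access control mechanisms to the IT Department without naming a contact or channel.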

Revision as of 19:05, 2 September 2024

Network Access Philosophy

The Bloomex network consists of various hardware components including computing devices, routers, switches, and cables that transmit all forms of information. To protect both the equipment and the information it transmits, access to the network is restricted to users who have undergone appropriate training and agree to adhere to proper usage guidelines. This training, which is approved by the IT Department, focuses on information security awareness and recognition of Bloomex's security policies.

Network Access Approval Process

The Human Resources (HR) Department is responsible for initiating the network access approval process for all new employees. The steps required for network access are as follows:

  1. HR notifies the IT Department (including the IT Enterprise Security Department) that a new employee has been hired.
  2. The new employee is assigned a Bloomex email account. The IT Department assigns standard basic information security awareness training based on the employee’s role. Additional training may be assigned by the Data Steward, the employee’s manager, or the Data Owner depending on the sensitivity of the information related to the employee’s role.
  3. Once the new employee completes the assigned training, the IT Department grants the necessary network access, which remains in effect until the employee leaves Bloomex.

Information Access Philosophy

Access to "Public" information at Bloomex is not restricted, allowing for broad availability, such as content on the Bloomex website. Access to "Confidential" or "Restricted" information, however, is only granted when a legitimate business need is demonstrated and the access is approved in advance by the relevant Information Owner. Access to specialized hardware and software is similarly restricted based on business needs and job functions.

Information Access Approval Process

The manager of an employee must initiate the access control approval process. The privileges granted remain active until the employee’s job function changes or the employee leaves Bloomex. If either of these events occurs, the manager must promptly inform the IT Department to update or revoke the employee’s access. Non-employees, such as contractors or consultants, must be authorized in the same manner. The department manager must review the access privileges of non-employees every three months to determine if continued access is necessary.

Departures from Bloomex

When a user leaves Bloomex, all system privileges and access to Bloomex information must be terminated immediately. The user must return all information and work products associated with Bloomex. For example, if a software component was developed during the user’s employment, it remains the property of Bloomex and must be retained by the company.

Unique User IDs

Each Bloomex user is assigned a unique user ID, which follows them throughout their tenure with the company. User IDs must be decommissioned permanently when a user departs, and re-use of user IDs is not allowed. User IDs and related passwords are for the exclusive use of the assigned individual. Passwords must never be shared, even with IT personnel, who have the necessary privileges to perform their duties without accessing a user’s password.

Privilege Deactivation

Online sessions on multi-user machines must automatically terminate after a period of inactivity, as defined by the IT Department. Users should log off when stepping away from their desks for more than a few minutes. User IDs that have been inactive for a defined period must have their privileges revoked.

User Authentication

All production system user IDs at Bloomex must be linked to a password or a stronger authentication mechanism to ensure that only the authorized user can access the account. Users are responsible for any activity associated with their user ID and must change their password immediately if they suspect it has been compromised. Any suspicion of broken or compromised access control mechanisms must be reported to the IT Department.

These policies ensure that Bloomex maintains a secure and controlled environment for managing network and information access.