Policy 7230A - Department of Administration
4 Access Control

Sections 4.1, 4.2, and 4.3 constitute the State of Kansas' Access Control Policy. By definition, access control includes Identification and Authentication. This policy is accompanied by defined Access Control Mandatory and Non-Mandatory Procedures and Baselines that are distributed in a companion document.

Summary of the accompanying Procedures and Baselines (columns: Mandatory Procedures, Mandatory Baselines, Non-Mandatory Procedures, Non-Mandatory Baselines):

4. Access Control
  4.1. Identification and Authentication
    4.1.1. Manage Identification and Authentication (6 sets) (4 sets)
  4.2. Account Management
    4.2.1. Configure User Accounts (4 sets) (2 sets)
  4.3. Session Management
    4.3.1. Configure Systems for Secure Access (6 sets) (3 sets)
    4.3.2. Configure Systems for Secure Communications (3 sets) (1 set)
4.1 Identification & Authentication

The State of Kansas requires that all approved information system users must be given authorization to access information systems, must be uniquely identified within those information systems and must present some form of acceptable identity authentication to be allowed to use any information system that houses privileged information.

The use of authorization, identification and authentication controls ensures that only known users make use of the information system. Without authorization, identification and authentication controls, the potential exists that information systems could be accessed illicitly and the confidentiality, integrity and availability of those information systems be compromised.

Prior to being granted access to an information system, users must be provided with formal authorization by an appropriate official (i.e., the owner of the information system, the custodian of the data housed within the information system or a designee of these individuals). This authorization will be based on definitive and verifiable identification of the user. Further, this authorization will be logged by the authorizing official and shared with systems and user management departments of the body that employs that user.

Once authorization has been granted, the user will be provided with a unique information system identifier. Examples of identifiers include user ids and smart cards. This identifier will be delivered to the authorized user in such a manner as to ensure that it is received only by the authorized user. Additionally, the user will be provided with a unique information system authenticator that is tied to the assigned identifier. Examples of authenticators include passwords, tokens and certificates. This authenticator will also be delivered to the authorized user in such a manner as to ensure that it is received only by the authorized user. To minimize risk, identifiers and

11