Policy 7230A - Department of Administration
potential exists that legitimate users can use these accounts for illegitimate purposes. Additionally, the potential exists that these accounts can be usurped and used illegitimately to access State information systems.

Information system accounts are to be constructed such that they enforce the most restrictive set of rights/privileges or accesses required for the performance of tasks associated with that account. Further, accounts shall be created such that no one account can authorize, perform, review and audit a single transaction, to eliminate conflicts of interest.

Information system accounts are to be reviewed to identify accounts with inappropriate privileges (either too high or too low) on at least an annual basis. Should information system accounts be discovered with inappropriate privileges, those privileges will be manually reset to the established level.

Information system accounts are to be reviewed to identify inactive accounts. Should information system accounts associated with an employee or third party be discovered to have been inactive for a significant period of time, the owners of the account will be notified of pending disablement. Should the account continue to remain inactive, it will be manually disabled. Inactive accounts that are not associated with an employee or third party but are associated with a system process (such as inter-system information transfer) that has been explicitly logged will not be disabled but will be reviewed on an annual basis. Inactive accounts that are not associated with employees, third parties, or system processes (including those that have not been explicitly logged) will be manually disabled.

Login attempts to information systems will be restricted such that after a set number of failed attempts within a pre-defined period of time, the account will be locked out. Lockout will be automatically lifted after a pre-defined period of time or may be manually lifted through a pre-defined process.

4.3 Session Management

The State of Kansas requires that all communications sessions with information systems be both authenticated and actively managed by administrative staff. Active management includes the acts of monitoring, suspending, disabling and terminating communications to and from information systems.

Communications between components of information systems, or between information systems themselves, involve the transmission of information, making that information susceptible to attack. Without session management, the potential exists that communications can be established or used illegitimately, thereby exposing State information to an increased likelihood of loss or corruption.

All State information systems will display a system use notification that indicates that the user is accessing a State of Kansas information system; that system usage is monitored, recorded and subject to audit; that unauthorized use is prohibited and subject to punitive action; that use of the information system implies consent to these