Policy 7230A - Department of Administration
4. Access Control
These Assessment and Planning Non-Mandatory Baselines support the Enterprise Security Policy (ITEC 7230 Rev 1) and the Default Security Requirements (ITEC 7230A).

Columns: Mandatory (Procedures, Baselines); Non-Mandatory (Procedures, Baselines)
4. Access Control
4.1. Identification and Authentication
4.1.1. Manage Identification and Authentication (6 sets) (4 sets)
4.2. Account Management
4.2.1. Configure User Accounts (4 sets) (2 sets)
4.3. Session Management
4.3.1. Configure Systems for Secure Access (6 sets) (3 sets)
4.3.2. Configure Systems for Secure Communications (3 sets) (1 set)
4.4. Maintain Records
4.1. Identification and Authentication
No applicable Non-Mandatory Baselines.

4.2. Account Management
The following are the Non-Mandatory Baselines that support the Account Management section of the Default Security Requirements:

4.2.1. Configure User Accounts
Agencies should establish the system accounts that will be used to access the system in a manner that promotes and enhances security while maintaining business functionality:

4.2.1.a Account Permissions and Restrictions Scheme
• Accounts should be created with the following restrictions, by position, where applicable:
  o System administrative access (install, configure, modify and patch system software).
  o Account administrative access (create, delete, modify accounts and permissions).
  o Review administrative access (review activities of other administrators).
  o Full content access (read, write, edit and delete data).
  o Limited content access (read, write and edit data).
  o Restricted content access (read and write data).
  o Minimal content access (read data).
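As an added example that is not part of the policy text, the following Python maps the seven access levels of 4.2.1.a to the operations named in their parentheticals and checks constructed audit events against them, reporting any action an account performed outside its level. The audit-line format, tier keys, operation names and account names are assumptions made for the example.

```python
"""Tier-to-operation map taken from the 4.2.1.a scheme; the audit-log
format, tier keys and account names are constructed for this example."""
import re

# Operations each access level permits, as listed in 4.2.1.a.
TIER_OPERATIONS = {
    "system_admin": {"software.install", "software.configure",
                     "software.modify", "software.patch"},
    "account_admin": {"account.create", "account.delete",
                      "account.modify", "permission.modify"},
    "review_admin": {"admin_activity.review"},
    "full_content": {"data.read", "data.write", "data.edit", "data.delete"},
    "limited_content": {"data.read", "data.write", "data.edit"},
    "restricted_content": {"data.read", "data.write"},
    "minimal_content": {"data.read"},
}

# Hypothetical audit-line format: space-separated key=value pairs.
LINE_RE = re.compile(r"account=(?P<account>\S+) tier=(?P<tier>\S+) action=(?P<action>\S+)")


def permitted(tier, action):
    """True if the action is within the operations granted to the tier."""
    return action in TIER_OPERATIONS.get(tier, set())


def find_violations(log_lines):
    """Return (account, tier, action) for each event outside the account's tier.
    An unknown tier is reported too, so misconfigured accounts surface."""
    violations = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an access event; skip
        account, tier, action = m.group("account", "tier", "action")
        if not permitted(tier, action):
            violations.append((account, tier, action))
    return violations


SAMPLE_LOG = [  # constructed sample events
    "2024-01-01T10:00:00Z account=analyst01 tier=minimal_content action=data.read",
    "2024-01-01T10:01:00Z account=analyst01 tier=minimal_content action=data.write",
    "2024-01-01T10:02:00Z account=editor02 tier=limited_content action=data.delete",
    "2024-01-01T10:03:00Z account=sysadm03 tier=system_admin action=software.patch",
    "2024-01-01T10:04:00Z account=auditor04 tier=review_admin action=account.create",
    "2024-01-01T10:05:00Z account=svc05 tier=superuser action=data.read",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print("out-of-tier action:", v)
```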
4.2.1.b Account Review Scheduling and Frequency
• Accounts should be reviewed to determine appropriateness of the accounts and the permissions of those accounts on a tri-