Information Resource Access Control and Log Management Policy
Published: March 2010
Revised: March 2018
This Policy describes the process of authorizing, establishing, documenting, reviewing and modifying appropriate access to OMG Information Resources that process, transmit and/or store Data (as each term is defined in OMG’s Information Security Charter (the “Charter”) [https://www.omahamediagroup.com/isc]. Such access is limited to, staff and contractors of OMG who have been properly authorized to carry out legitimate business tasks.
Capitalized terms used herein without definition are defined in the Charter.
II. Policy History
- The effective date of this Policy is March 30, 2010.
- Reviewed and/or revised March 14, 2018.
III. Policy Text
A. Requirements for System Owners and IT Custodians
Each System Owner and IT Custodian must ensure that the following access controls are implemented for any Information Resource:
- Procedures for (a) establishing and describing different levels of User access, (b) authorizing User access and (c) granting, revising and terminating User access are documented and periodically reviewed and revised as required so that access is granted only to Users who are necessary to accomplish the intended and approved purpose of the use.
- The Information Resource is protected by authorization (access control) technology that employs unique User IDs and secret passwords unique to each User and password management procedures include the protections described in Section B below. Use of a generic group identifier is not recommended and is prohibited for access to a System that contains Sensitive Data or Confidential Data.
- Each Information Resource has a different administrative account and password and access to the password is restricted to as few people as possible. No unnecessary accounts are created on the Information Resource beyond those needed for administration and operation.
- Access to the Information Resource locks after no more than 15 minutes of inactivity through an automatic locking mechanism, such as the use of a password protected screen saver or an equivalent alternative mechanism, unless the immediate area surrounding the Information Resource is physically secured or a waiver has been granted by the applicable Information Security Office.
- All unnecessary or unused accounts are disabled and removed.
- User access to any System that uses, stores or transmits Sensitive Data is reviewed on an annual basis.
B. Password Requirements
Each System Owner and IT Custodian must ensure that the following password protections are implemented for each Information Resource that processes, transmits or stores Sensitive Data:
- Passwords may not be reused until two additional passwords have been used.
- Users select and change their own passwords.
- Passwords meet good password criteria, including:
- Passwords must be at least 8 alpha and numeric characters long. Passwords for System Administrators or Service Accounts must be at least 12 characters long.
- Dictionary words or commonly known proper nouns are not used unless the password has more than 12 characters.
- Passwords include mixed case letters and numbers or special characters.
- Users are encouraged to use a passphrase such as a sentence that contains the above requirements. In this case, dictionary words may be used.
- Passwords are not displayed in clear text when being input into the System.
- Default vendor or other pre-installed passwords are changed immediately following installation of a System.
- The System “save password” feature is disabled.
- Users are trained on good password practices. It is recommended, but not required, that the foregoing password procedures be implemented for Information Resources other than those that process, transmit or store Sensitive Data.
C. Log-In Requirements
Each System Owner and IT Custodian must ensure that the following log-in protections are implemented for each Information Resource:
- System identifying information is minimized prior to successfully completing the log-in process.
- The log-in process can (a) record failed log-in attempts and (b) upon completion of a successful log-in, record the date and time of the previous successful log-in.
- Each OMG System that processes, transmits or stores Sensitive Data or Confidential Data has a login banner that states the following:
The information in OMG Systems at OMG is private and confidential and may be used only on a need-to-know basis. All access is logged. Unauthorized or improper use of a OMG System or the data in it may result in dismissal and/or civil or criminal penalties.”
D. Log Management
Each System Owner and IT Custodian must ensure that the following protections are implemented for each Information Resource that processes, transmits or stores Sensitive Data:
- Logging is activated on each Server.
- Logging is configured to keep track of access to Systems, Data and the Server itself.
- Logs are retained for as long as it is operationally necessary; 29 days is recommended.
- A Syslog or similar function is used to store logs on a separate System.
- Logs are reviewed by the IT Custodian on a regular basis for unusual activity.
- A process is established so that Log monitoring software is installed where available.
- Logs generate the following Data:
- Date and time of activity;
- Description of attempted or completed activity;
- Identification of User performing activity; and
- Origin of activity (i.e., IP address, workstation identifier, etc.)
Logs have audit mechanisms that generate reports of auditable events such as:
- Failed authentication attempts;
- Use of audit software programs or utilities (i.e., System logs);
- Access to the System;
- System startup or shut down;
- Use of privileged accounts (i.e., System administrator accounts);
- Security incidents;
- Change of User’s security information (i.e., User privileges); and
- Vendor and temporary account activities.
It is recommended, but not required, that the foregoing protections be implemented for Information Resources other than those that process, transmit or store Sensitive Data.
E. Remote Access
Each User must ensure that the following controls are implemented to remotely connect to OMG’s Information Resources:
- The controls meet or exceed the controls described in the OMG Registration and Protection of Endpoints Policy [https://www.omahamediagroup.com/isc].
- OMG’s approved VPN is used, or the Information Resource is configured for remote access in a manner approved by the applicable Information Security Office.
F. OMG Emergency Access
In an OMG Clientele Healthcare Component situation, in a clinical emergency (reasonably determined) at OMG, if a health care professional who is treating the patient does not have access to a System storing ePHI relating to such patient, another health care professional who is able to access such ePHI from the System may do so on behalf of the treating health care professional.
IV. Cross References to Related Policies
The Information Security Policies referred to in this Policy are listed in Appendix A hereto.
- Information Security Charter
- Registration and Protection of Endpoints Policy