System Access Control Policy

Purpose

Protecting access to Northeast Data’s Information Technology systems and application is critical to maintain the integrity of Northeast Data technology and data and prevent unauthorized access to such resources.

Access to Northeast Data systems must be restricted to only authorized users or processes, based on the principal of strict need to know and least privilege.

Background

Access controls are necessary to ensure only authorized users can obtain access to Northeast Data’s information and systems.

Access controls manage the admittance of users to system and network resources by granting users access only to the specific resources they require to complete their job-related duties.

Policy Objective

The objective of this policy is to ensure the institution has adequate controls to restrict access to systems and data.

Scope

This policy applies to:

• All Officers / employees / subcontractors / agents and authorized users accessing Northeast Data Information Technology systems and applications.

Guiding Principles – General Requirements

Northeast Data will provide access privilege (including network systems, application, computers, and mobile devices) based on the following principles:

• Need to know – users and resources will be granted access to systems that are necessary to fulfill their roles and responsibilities.
• Least privilege – users and resources will be provided with the minimum privileges necessary to fulfill their roles and responsibilities.

Requests for user account and access privileges must be formally documented and appropriately approved.

Requests for special accounts and privileges (such as vendor accounts, application and service accounts system administration accounts, shared / generic accounts, test accounts and remote accounts) must be formally documented and approved by the system owner.

Application and service accounts must only be used by application components requiring authentication; access to the passwords must be restricted to authorized IT administrators or application developers only.

Where possible, Northeast Data will set user accounts to automatically expire at a pre-set date. More specifically:

• When temporary access is required, such access will be removed immediately after the user has completed the task for which the access was granted.
• User accounts assigned to contractors will be set to expire according to the contract’s expiry date.
• User accounts will be disabled after 3 months of inactivity.

Access rights will be immediately disabled or removed when the user is terminated or ceases o have a legitimate reason to access Northeast Data Systems.

A verification of the user’s identity must be performed by the Network Integration Manager before granting a new password.

Exiting user accounts and access rights will be reviewed at least annually to detect dormant accounts and accounts with excessive privileges. Examples of accounts with excessive privileges include:

• An active account assigned to external contractors, vendors or employees that no longer work for Northeast Data.
• An active account with access rights for which the user’s role and responsibilities do not require access. For example, users that do not have authority or responsibility to approve expenses should not have access with approval permissions within a financial system.
• System administrative rights or permissions (including permissions to change the security settings or performance settings of a system) granted to a user who is not an administrator.
• Unknown active accounts

All access requests for system and application accounts and permissions will be documented using the support ticket system in place.

Guiding Principles – Privileged Accounts

A nominative and individual privileged user account must be created for administrator accounts, instead of generic administrator account names.

Privileged user accounts can be requested by managers or supervisors and must be appropriately approved.

Guiding Principles – Shared User Accounts

Where possible, the use of specific network domain “security groups” should be used to share common accesspermissions across many users, instead of shared accounts.

Shared user accounts are only to be used on an exception basis with the appropriate approval. This includes general user accounts such as “guest” and “functional” accounts.

When shared accounts are required:

• Passwords will be stored and handled in accordance with the password policy
• The use of shared accounts will be monitored where possible, including the recording of time of access, the reason for accessing the shared user account, and the individual accessing of the account. When the shared user account has administrative privileges, such as procedure is mandatory and access to the monitoring logs must be protected and restricted.

Default User Accounts

Where possible, all default user accounts will be disabled or changed. These accounts include “guest”, “temp”, “admin”, “Administrator”, and any other commonly known or used default accounts, as well as related default passwords used.

Test Acounts

Test accounts can only be created if they are justified by the relevant business area or project team and approved by the application owner, through a formal request to the IT Director or the help desk.

Test accounts must have an expiry date (maximum of 6 months). Maintaining test accounts beyond this date must be re-evaluated every 90 days and approved appropriately.

Test accounts will be disabled / deleted when they are no longer necessary.

Access Control Requirements

All users must use a unique ID to access Northeast Data systems and applications. Passwords must be set in accordance with the Password Policy.

Alternative authentication mechanisms that do not rely on a unique ID and password must be formally approved.

Remote access to Northeast Data systems and applications must user two-factor authentication where possible.

System and application sessions must automatically lock after 15 minutes of inactivity.

Exceptions to the Policy

Exceptions to the guiding principles in the policy must be documented and formally approved by the IT director.

Policy exceptions must describe

• The nature of the exception
• A reasonable explanation for why the policy exception is required
• Any risks created by the policy exception
• Evidence of approval by the IT Director

Note: Northeast Data reserves the right to modify this policy at any time.