The policy defines rules and practices for protecting YOUR COMPANY’s network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands. Damages may include the loss of sensitive or company confidential data or intellectual property, damage to public image, damage to critical YOUR COMPANY internal systems, etc.
2. Train Your Employees
One of the most important and often overlooked elements of a successful information security program is having employees trained to a higher degree of security awareness. Employees should be trained to appreciate the importance of data that they handle daily and not be lulled into a sense of ambivalence based on the routine of working with such information. Formal information security awareness training should be provided that reinforces the need to keep all information on your company's information assets confidential – even data that appears the most innocuous. Workers should be further trained to not reveal this information until the requesting party is identified and their need to know authenticated.
An important follow-up measure is to have written information security policy that explains the company's security philosophy and the business rationale behind it. This policy should be imparted to all new employees as a part of new-hire orientation.
How can having security savvy employees help protect your organization? Many hackers make ample use of "social engineering" skills in which they attempt to convince employees that they have a legitimate right to obtain and know information about your company. For example, a clever intruder may call your information services department claiming to be an outside vendor and simply ask for the name of your systems and what operating system they are running. He may follow up by asking for the names of key employees at your company. Armed with that basic information, this unwelcome visitor now knows how to identify your systems, what operating system holes they may be able to exploit and what potential user IDs they can try to use to access those systems.
3. Watch Your Visitors
Temporary workers, contractors and consultants represent a unique security threat in that they are generally not subject to the same scrutiny as a firm's full-time employees but may be granted the same high levels of system access. In addition, they will sometimes know the applications and operating systems running on your network better than your own employees will.
Watch these ad-hoc employees closely until you are familiar with their qualifications, the caliber of their work and, most importantly, the degree of trust that it is safe to allow.
Though usually honest and competent, these outside resources must be monitored closely to ensure that their work is sound and that they are truly working in your company's interest. Vendors, for example, will sometimes leave behind trap doors into your systems with the purest of intentions, meaning to use them only to protect you from yourself or to make future modifications or updates. Guard against this and make it expressly known that such mechanisms will not be tolerated.
- Workstations must be logged off to a point that requires a new log-on whenever employees leave their work area.
- Any employee who does not access an administrative system within a six-month period will have his/her access removed and must be reauthorized for access.
- Sharing of IDs is prohibited.
- Access managers will immediately delete the access of employees who have left the institution and will modify the access of those who transfer internally, removing any capabilities that depended on the previous position.
- Computer installations running administrative applications will, where possible, provide a mechanism that records and logs off a user ID after a specified period of time of inactivity; they will also provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.
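The three mechanical rules in the list above (dormant accounts removed after six months of non-use, sessions logged off after a period of inactivity, and IDs locked after repeated failed log-ons) can each be checked from the data a system already keeps. The following is an added example, not part of the original policy text: it runs those three checks over constructed sample data. The account list, session table and log line format (`<timestamp> FAIL|OK user=<id> src=<ip>`) are invented for the example, and the thresholds (183 days for "six months", a 15-minute inactivity limit, five failures within 15 minutes for lockout) are assumptions that a real policy would set explicitly.

```python
import re
from datetime import datetime, timedelta

# Constructed reference time for the checks below.
NOW = datetime(2024, 6, 1, 12, 0, 0)

# Assumed thresholds; the policy text gives "six months" and "multiple attempts"
# but leaves the exact values to the installation.
SIX_MONTHS = timedelta(days=183)
IDLE_LIMIT = timedelta(minutes=15)
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=15)

# Constructed sample data: last successful log-on per administrative user ID.
SAMPLE_ACCOUNTS = {
    "alice": datetime(2024, 5, 28, 8, 15),   # used recently
    "bob": datetime(2023, 11, 20, 17, 2),    # last used more than six months ago
    "carol": None,                           # provisioned but never used
    "dave": datetime(2024, 1, 10, 9, 0),     # used within the six-month window
}

# Constructed sample data: last keyboard activity for currently open sessions.
SAMPLE_SESSIONS = {
    "alice": datetime(2024, 6, 1, 11, 58),
    "dave": datetime(2024, 6, 1, 11, 20),
}

# Constructed sample authentication log (format assumed for this example).
SAMPLE_AUTH_LOG = """\
2024-06-01T09:00:01 FAIL user=alice src=10.0.0.5
2024-06-01T09:00:04 FAIL user=alice src=10.0.0.5
2024-06-01T09:00:09 OK   user=alice src=10.0.0.5
2024-06-01T09:10:00 FAIL user=bob src=203.0.113.7
2024-06-01T09:10:02 FAIL user=bob src=203.0.113.7
2024-06-01T09:10:03 FAIL user=bob src=203.0.113.7
2024-06-01T09:10:05 FAIL user=bob src=203.0.113.7
2024-06-01T09:10:06 FAIL user=bob src=203.0.113.7
2024-06-01T09:10:08 FAIL user=bob src=203.0.113.7
2024-06-01T09:50:00 FAIL user=dave src=10.0.0.9
2024-06-01T10:30:00 FAIL user=dave src=10.0.0.9
"""

LOG_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) src=(\S+)$")


def dormant_accounts(accounts, now=NOW, limit=SIX_MONTHS):
    """IDs whose last successful log-on is older than `limit` (or that never logged on).

    These are the accounts the policy says must be removed and reauthorized."""
    return sorted(
        user for user, last in accounts.items()
        if last is None or now - last > limit
    )


def idle_sessions(sessions, now=NOW, limit=IDLE_LIMIT):
    """Open sessions whose last activity is older than `limit`; these should be logged off."""
    return sorted(user for user, last in sessions.items() if now - last > limit)


def lockout_decisions(auth_log, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Replay the log and return {user: time_locked} for IDs that hit `threshold`
    failures inside a sliding `window`. A successful log-on clears the counter,
    and failures outside the window are forgotten, so two failures 40 minutes
    apart do not accumulate."""
    recent = {}   # user -> timestamps of failures still inside the window
    locked = {}   # user -> timestamp of the failure that triggered the lock
    for line in auth_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real system would flag it, not drop it silently
        ts = datetime.fromisoformat(m.group(1))
        result, user = m.group(2), m.group(3)
        if user in locked:
            continue  # further attempts against a locked ID change nothing
        if result == "OK":
            recent.pop(user, None)
            continue
        fails = [t for t in recent.get(user, []) if ts - t <= window]
        fails.append(ts)
        recent[user] = fails
        if len(fails) >= threshold:
            locked[user] = ts
    return locked


if __name__ == "__main__":
    print("remove and reauthorize:", dormant_accounts(SAMPLE_ACCOUNTS))
    print("log off idle sessions:", idle_sessions(SAMPLE_SESSIONS))
    for user, when in lockout_decisions(SAMPLE_AUTH_LOG).items():
        print(f"lock {user} (triggered at {when.isoformat()})")
```

Two design points worth noting: an account that has never logged on is treated as dormant rather than exempt, since a provisioned-but-unused ID is exactly the kind of access the six-month rule is meant to retire; and the lockout counter is keyed on the user ID, as the policy states, so the check does not depend on the source address of the attempts.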