Difference between revisions of "Internal:Technology access policy amendment"
Jump to navigation
Jump to search
James Hare (talk | contribs) m (ce.) |
(Adopted) |
||
(8 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
+ | {{draft|historical}} |
||
− | {{header title|title=Amendment to the Technology Access Policy|status=review}} |
||
− | The [[Technology Access Policy]] is amended: |
+ | The [[Technology Access Policy]] is amended by striking Article III, Paragraph 2 and inserting: |
+ | |||
− | :(a) By striking Article III, Paragraph 3, and inserting the following as Paragraph 3: |
||
+ | 2. <u>Standards for Tools</u>. Software platforms used by the Corporation to collect or store Sensitive PII ("Sensitive PII Tool") shall adhere to the following standards: |
||
− | :: 3. <u>Access</u>. Individuals shall only be granted access to a Sensitive PII Tool on a need-to-know basis and with the approval of the President. Shared accounts shall be prohibited. |
||
+ | : (a) <u>Individual Access</u>. Access shall be allocated to individual user accounts, not accounts shared among individuals. The President may make exceptions for specific tools if the President determines that no feasible alternative exists. |
||
− | : (b) By striking Article III, Paragraph 4. |
||
+ | : (b) <u>HTTP Connection</u>. Web-based tools shall only be accessed over HTTPS. Tools that do not support access over HTTPS shall not be used by the Corporation. |
||
− | : (c) By inserting the following as Article V – Offboarding: |
||
+ | : (c) <u>Two-Factor Authentication</u>. It is the policy of the Corporation to prefer tools that support two-factor authentication. |
||
− | :: 1. <u>Use of Protocol</u>. The offboarding protocol as defined in this Policy shall be used when an Officer, Director, employee, contractor, or volunteer is no longer serving in any role in the Corporation, and when access to Corporation systems is no longer warranted. Those who are subject to access removal pursuant to this Policy are considered "offboarded individuals." |
||
+ | : (d) <u>Public-Key Authentication</u>. Accounts on Corporation servers shall only be accessed through public-key authentication. |
||
− | :: 2. <u>Email Access</u>. The Secretary shall terminate access to any email accounts in use by the offboarded individual. To maintain continuity, it is recommended that terminated email accounts have incoming mail forwarded to a new email address, provided that no emails are sent from the terminated account. |
||
− | :: 3. <u>Removal from Sensitive PII Tools</u>. The President shall remove access of an offboarded individual from any Sensitive PII Tools. |
||
− | :: 4. <u>Removal from Servers</u>. The President shall terminate the shell accounts of an offboarded individual. The President at his or her discretion may delete the offboarded individual's home directory and files. |
Latest revision as of 20:13, 10 December 2016
Status: Historical
The Technology Access Policy is amended by striking Article III, Paragraph 2 and inserting:
2. Standards for Tools. Software platforms used by the Corporation to collect or store Sensitive PII ("Sensitive PII Tool") shall adhere to the following standards:
- (a) Individual Access. Access shall be allocated to individual user accounts, not accounts shared among individuals. The President may make exceptions for specific tools if the President determines that no feasible alternative exists.
- (b) HTTP Connection. Web-based tools shall only be accessed over HTTPS. Tools that do not support access over HTTPS shall not be used by the Corporation.
- (c) Two-Factor Authentication. It is the policy of the Corporation to prefer tools that support two-factor authentication.
- (d) Public-Key Authentication. Accounts on Corporation servers shall only be accessed through public-key authentication.