Difference between revisions of "Internal:Technology access policy amendment"

From Wikimedia District of Columbia
(Working)
(Adopted)
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
  +
{{draft|historical}}
{{header title|title=Amendment to the Technology Access Policy|status=review}}
 
   
The [[Technology Access Policy]] is amended:
+
The [[Technology Access Policy]] is amended by striking Article III, Paragraph 2 and inserting:
  +
: (a) By replacing Article II, Paragraph 4 with the following:
 
  +
2. <u>Standards for Tools</u>. Software platforms used by the Corporation to collect or store Sensitive PII ("Sensitive PII Tool") shall adhere to the following standards:
:: 4. <u>Continued Access</u>. No later than thirty (30) days after an individual who has been assigned a Corporation Email Address ceases to meet the criteria for access defined in Paragraph 3 of this Article, the President shall evaluate the individual's anticipated involvement in the Corporation's future activities and determine whether continued access to a Corporation Email Address should be granted. If such access is granted, it will be retained indefinitely unless revoked by the President.
 
  +
: (a) <u>Individual Access</u>. Access shall be allocated to individual user accounts, not accounts shared among individuals. The President may make exceptions for specific tools if the President determines that no feasible alternative exists.
: (b) By replacing Article III, Paragraph 3 with the following:
 
  +
: (b) <u>HTTP Connection</u>. Web-based tools shall only be accessed over HTTPS. Tools that do not support access over HTTPS shall not be used by the Corporation.
:: 3. <u>Access</u>. Individuals shall only be granted access to a Sensitive PII Tool on a need-to-know basis and with the approval of the President, who shall report such approval to the Board. Shared accounts shall be prohibited.
 
  +
: (c) <u>Two-Factor Authentication</u>. It is the policy of the Corporation to prefer tools that support two-factor authentication.
: (c) By striking Article III, Paragraph 4.
 
  +
: (d) <u>Public-Key Authentication</u>. Accounts on Corporation servers shall only be accessed through public-key authentication.
: (d) By replacing Article IV, Paragraph 2 with the following:
 
:: 2. <u>Shell Accounts</u>. Shell access to any Corporation Server shall only be granted with the approval of the President, who shall report such approval to the Board.
 
: (e) By inserting the following as Article V – Termination of Access:
 
:: 1. <u>Application</u>. Any person who has been granted access to an information technology resource pursuant to this Policy, and who ceases to meet the criteria for such access as defined in this Policy, shall have such access terminated as described in this Article.
 
:: 2. <u>Termination of Email Access</u>. The Secretary shall terminate, or cause to be terminated, access to any Corporation Email Address.
 
:: 3. <u>Termination of Sensitive PII Tool Access</u>. The President shall terminate, or cause to be terminated, access to any Sensitive PII Tool.
 
:: 4. <u>Termination of Server Access</u>. The President shall terminate, or cause to be terminated, access to any Corporation Server.
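Review bot: In the inserted Paragraph 2, item (d) sets a rule for "Accounts on Corporation servers" although the paragraph's opening sentence scopes its standards to Sensitive PII Tools, so the public-key requirement reads as out of scope where it sits; consider moving it to the part of the Policy that covers Corporation Servers, or stating that it applies to servers hosting such tools. Item (b) is headed "HTTP Connection" while its text requires HTTPS, so "HTTPS Connection" would match the rule. Item (c) only states a preference ("prefer tools that support two-factor authentication") where (a), (b) and (d) use "shall"; if a preference rather than a requirement is intended, it would help to say so explicitly.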
 

Latest revision as of 20:13, 10 December 2016

Status: Historical

The Technology Access Policy is amended by striking Article III, Paragraph 2 and inserting:

2. Standards for Tools. Software platforms used by the Corporation to collect or store Sensitive PII ("Sensitive PII Tool") shall adhere to the following standards:

(a) Individual Access. Access shall be allocated to individual user accounts, not accounts shared among individuals. The President may make exceptions for specific tools if the President determines that no feasible alternative exists.
(b) HTTP Connection. Web-based tools shall only be accessed over HTTPS. Tools that do not support access over HTTPS shall not be used by the Corporation.
(c) Two-Factor Authentication. It is the policy of the Corporation to prefer tools that support two-factor authentication.
(d) Public-Key Authentication. Accounts on Corporation servers shall only be accessed through public-key authentication.