Access Control Policy
Purpose:
Access controls are designed to minimize potential exposure to LightForce resulting from unauthorized use of resources and to preserve and protect the confidentiality, integrity and availability of LightForce networks, systems and applications.
Scope:
This policy applies to LightForce staff, contractors and vendors that connect to servers, applications or network devices that contain or transmit LightForce Data, per the Data Classification in the Information Security Policy.
Policy:
Segregation of Duties
Access to Critical and Restricted Systems will only be provided to users based on business requirements, job function or responsibilities. All additions, changes, and deletions to individual system access must be approved by the appropriate supervisor and IT personnel, with a valid business justification. Account creation, deletion, and modification, as well as access to protected data and network resources, are completed by the IT Department or select Systems Administrators.
On an annual basis, the LightForce IT Department will audit all user and administrative access to Critical and Restricted Systems. Discrepancies in access will be reported to the appropriate supervisor in the responsible unit and remediated accordingly.
User Access
- All users of LightForce Systems will abide by the following set of rules:
  - Users with access to Critical and Restricted Systems will utilize a unique account. This account will conform to the following standards:
    - The password will conform, at a minimum, to the published Information Security Policy.
    - Inactive accounts will be disabled after 90 days of inactivity.
    - Access will be enabled only during the time period needed and disabled when not in use.
    - Access will be monitored when the account is in use.
    - Repeated access attempts will be limited by locking out the user ID after a set number of attempts.
    - Lockout duration must be set to a minimum of 30 minutes or until an administrator enables the user ID.
    - If a session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.
  - Users of Critical and Restricted Systems will not log in using generic, shared or service accounts.
  - Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each user.
Administrative Access
- Administrators will abide by the Access Control Policy.
- Administrators will immediately revoke all of a user’s access to LightForce Systems when a change in employment status, job function, or responsibilities dictates that the user no longer requires such access.
- All service accounts must be used by no more than one service, application, or system.
- Administrators must not extend a user group’s permissions in such a way that it provides inappropriate access to any user in that group.
- All servers, applications and network devices shall contain a login banner that displays the following content:
  “This computer and network are provided for use by authorized members of the LightForce community. Use of this computer and network are subject to all applicable LightForce policies, including Information Technology Services policies https://it-security.lightforceortho.com/ and any applicable LightForce Handbooks. Any use of this computer or network constitutes acknowledgment that the user is subject to all applicable policies. Any other use is prohibited. Users of any networked system, including this computer, should be aware that due to the nature of electronic communications, any information conveyed via a computer or a network may not be private. Sensitive communications should be encrypted or communicated via an alternative method.”
Remote Access
- All users and administrators accessing Critical and Restricted Systems must abide by the following rules:
  - All remote access to LightForce Data Centers must be authenticated and encrypted through the LightForce VPN.
  - All remote access will be accomplished through the use of two-factor authentication: a username and password or PIN combination, and a second method not based on user credentials, such as a certificate or token, provisioned to the user.
  - Any machine used for remote access must have antivirus and host-based firewall software installed, running, and enabled. This requirement is enforced by a host checker component of the LightForce VPN software, and remote access to the Critical and Restricted Network is only possible after a machine has passed these configured checks.
  - Any third party, non-LightForce affiliate that requires remote access to Critical and Restricted Systems for support, maintenance or administrative reasons must designate a person to be the Point of Contact (POC) for their organization. In the event the POC changes, the third party must designate a new POC.
  - All third party access to Critical and Restricted Systems must be approved by the Information Security Officer or their designee.
  - Third parties may access only the systems that they support or maintain.
  - All third party accounts on Critical and Restricted Systems will be disabled and inactive unless needed for support or maintenance. Requests for enabling access must follow the Access Request procedure. Requests for access outside of this policy are expressly denied. The IT Administrator will be responsible for enabling/disabling accounts, and an appointed Systems Administrator will be responsible for monitoring vendor access to said systems. All third parties with access to any Critical and Restricted Systems must adhere to all regulations and governance standards associated with that data (e.g. PCI security requirements for cardholder data, HIPAA requirements for Protected Health Information). Third party accounts must be immediately disabled after support or maintenance is complete.
  - Data must not be copied from Critical and Restricted Systems to a user’s remote machine.
  - Users will abide by the above user access guidelines.
Physical Access
- All LightForce data centers will abide by the following physical security requirements:
  - Access to LightForce data centers will be accomplished through the use of electronic badge systems.
  - Only the Facilities Department and the Information Security Officer will have physical key access.
  - Physical access to LightForce data centers is limited to IT personnel, designated approved LightForce employees or contractors whose job function or responsibilities require such physical access.
  - Visitors accessing LightForce data centers will be accompanied by authorized LightForce personnel, and all access will be logged via the LightForce Visitor Access Log.
  - Each visitor must sign into the data center.
  - Modification, additions or deletions of physical access to LightForce data centers will be accomplished by utilizing the ITHD Incident Request Process.
  - All terminated onsite personnel will have their access revoked immediately.
  - Physical access to Data Centers requires the approval of the Information Security Officer.
  - The Information Security Officer and the IT Manager will audit physical access to LightForce data centers on an annual basis.
Policy adherence:
Failure to follow this policy can result in disciplinary action as provided in the Employee Handbook. Disciplinary action for not following this policy may include termination.