Management will:
• Work along with the eInsurance vendor in order to assess the possibility of implementing the security module on the system that includes the password controls;
• Assess, along with the eInsurance vendor, the possibility of implementing a control/feature to maintain proper accountability of the user's accesses (userID, date and time logs) on this application. Create and assign individual login accounts to the helpdesk team in order to maintain proper accountability of the actions performed by each user.
• Implement audit trails to keep accountability of the changes performed on the client data and also on the policy issuance functionality.
• Implement logs on the eInsurance database in order to maintain proper accountability of the accesses and changes made at this level. Furthermore, request GIS to perform a full review of newly implemented and pre-existing applications on a regular basis.
Consolidated IT Controls Catalog: AC - Access Control

Ref. #: AC2.1

Controls:
User authentication must use automated means to enforce the following:
a. authentication by a PIN, password, or token (e.g. smartcard, one-time-use password).
b. passwords must not be displayed on screen or on printed materials.
c. unique, temporary passwords must be issued for new or reset accounts that require change on first use.
d. passwords must be:
   1) minimum length of 8 characters
   2) different from the associated UserIDs.
   3) composed of a mix of at least three of the following complexity requirements: upper case characters, lower case characters, numeric and special characters (or maximum complexity options supported by the underlying system).
   4) changed at least every 90 days.
   5) restricted so the same password cannot be used again within 8 changes.
e. accounts must be locked after 5 incorrect login attempts.
f. Account lockout duration must be set to 30 minutes or longer, or until an administrator re-enables the user ID.
g. Identification of the requestor of password resets through a specialized question set or independent confirmation.

Evidence Requirements:
Evidence of system password policies (i.e. configuration parameters) must be available to demonstrate password length, complexity, and change requirements. Systems must be able to demonstrate authentication functionality consistent with documented requirements.
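The AC2.1 parameters above (d.1 to d.5, e and f) expressed as enforcement logic, added here as an illustration and not taken from the eInsurance system or the vendor's security module; the SHA-256 history digest and the state layout are assumptions of this example.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
MIN_LENGTH, MIN_CLASSES, MAX_AGE_DAYS = 8, 3, 90          # AC2.1 d.1, d.3, d.4
HISTORY_DEPTH, LOCKOUT_THRESHOLD, LOCKOUT_MINUTES = 8, 5, 30  # AC2.1 d.5, e, f
CLASS_PATTERNS = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")

def digest(password: str) -> str:
    # Illustrative only: a real history stores salted, slow hashes (bcrypt/argon2).
    return hashlib.sha256(password.encode()).hexdigest()

def password_violations(user_id: str, password: str, history: List[str]) -> List[str]:
    """AC2.1(d) rules a proposed password breaks; history = digests, oldest first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("d.1 minimum length 8")
    if password.lower() == user_id.lower():
        problems.append("d.2 must differ from UserID")
    if sum(bool(re.search(p, password)) for p in CLASS_PATTERNS) < MIN_CLASSES:
        problems.append("d.3 at least three character classes")
    if digest(password) in history[-HISTORY_DEPTH:]:
        problems.append("d.5 reused within last 8 changes")
    return problems

@dataclass
class AccountState:
    password_set_on: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None   # admin re-enable: set back to None

def password_expired(state: AccountState, now: datetime) -> bool:
    # AC2.1(d.4): changed at least every 90 days.
    return now - state.password_set_on > timedelta(days=MAX_AGE_DAYS)

def record_login_attempt(state: AccountState, success: bool, now: datetime) -> str:
    """AC2.1(e)/(f): lock after 5 failures for 30 minutes (or until admin re-enable)."""
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"                     # still inside the lockout window
        state.failed_attempts, state.locked_until = 0, None  # window elapsed
    if success:
        state.failed_attempts = 0
        return "ok"
    state.failed_attempts += 1
    if state.failed_attempts >= LOCKOUT_THRESHOLD:
        state.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)
        return "locked"
    return "failed"
```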
Weak user management and lack of Segregation of Duties controls
Management will:
• Create a process to periodically review the user access rights related to the eInsurance application and perform an initial review. (Jose Felipe Diaz)
• Develop and implement a procedure to be notified about external leavers in order to remove/block their accesses in the system at the moment of their contractual agreement termination. (Jose Felipe Diaz)
• Implement a formal workflow in order to record both the request and the approvals around the creation of new login accounts and profile/function changes of the users that already have access to the application. (Jose Felipe Diaz)
• Develop and implement a Segregation of Duties matrix for the eInsurance application system, including segregation between the role that allows users to perform changes on the product parameters and the profile that grants users the permission to issue policies, and also covering the procedure for changing customer data on the system. (Heidi Blanco)
Ref. #: AC3.1

Controls:
All users with access to Zurich networks or applications must be:
a. provided with only the minimum appropriate functionality required to perform their job.
b. approved by system owners and Group Information Security for non-standard access to IT systems.
c. assigned unique IDs for each user account on the system, and
d. subject to access reviews to remove unnecessary or obsolete permissions.
e. de-provisioned in a prompt fashion using a defined process which must:
   1. promptly revoke authentication and access privileges on all systems.
   2. disable or remove components dedicated to providing access.

Evidence Requirements:
The user access request and provisioning process must include documented evidence of completed request forms, approvals, prompt de-provisioning of access rights, assignment of unique UserIDs, and access reviews to remove unnecessary or obsolete access permissions. User access authorization requests must exist and must match the access privileges on the system.
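The periodic access review that AC3.1 and the management response call for, as an added example that is not part of the audit report or the eInsurance application: it reconciles an account export against approved request records and the leaver list, and flags the product-parameter/policy-issuance conflict from the Segregation of Duties response. Role names, the generic-account list and all sample data are constructed for this example.

```python
from typing import Dict, List, Set, Tuple

# Role names, the generic-account list and all sample data below are constructed
# for this example; the SoD conflict (changing product parameters vs. issuing
# policies) and the leaver/helpdesk concerns come from the management responses.
SOD_CONFLICTS: Set[Tuple[str, str]] = {("PRODUCT_PARAMS", "POLICY_ISSUE")}
GENERIC_IDS: Set[str] = {"helpdesk", "admin", "support"}

def review_access(system_accounts: Dict[str, Set[str]],
                  approved: Dict[str, Set[str]],
                  terminated: Set[str]) -> List[str]:
    """Periodic AC3.1 review: reconcile the application's account export against
    the approved request records and the leaver list. One finding per string."""
    findings = []
    for user, roles in sorted(system_accounts.items()):
        if user in GENERIC_IDS:                       # AC3.1(c): unique IDs per person
            findings.append(f"{user}: shared/generic ID, no individual accountability")
        if user in terminated:                        # AC3.1(e): prompt de-provisioning
            findings.append(f"{user}: leaver still holds {sorted(roles)}")
        if user not in approved:                      # an approved request must exist
            findings.append(f"{user}: no approved access request on file")
        elif roles - approved[user]:                  # request must match privileges
            findings.append(f"{user}: privileges exceed approval {sorted(roles - approved[user])}")
        for a, b in SOD_CONFLICTS:                    # Segregation of Duties matrix
            if {a, b} <= roles:
                findings.append(f"{user}: SoD conflict {a} + {b}")
    return findings

# Constructed sample inputs: account export, approved requests, HR leaver list.
SYSTEM_ACCOUNTS = {
    "alice": {"POLICY_ISSUE"},
    "bob": {"PRODUCT_PARAMS", "POLICY_ISSUE"},
    "helpdesk": {"CUSTOMER_DATA"},
    "carol": {"POLICY_ISSUE"},
}
APPROVED = {
    "alice": {"POLICY_ISSUE"},
    "bob": {"PRODUCT_PARAMS"},
    "carol": {"POLICY_ISSUE"},
}
TERMINATED = {"carol"}

if __name__ == "__main__":
    for line in review_access(SYSTEM_ACCOUNTS, APPROVED, TERMINATED):
        print(line)
```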
Weaknesses related to the Change Management process
Management will:
• Create a process to perform regular assessments of the changes made on the eInsurance system, in order to ensure that it is in compliance with the local Change Management policy, as well as to reinforce the communication to the developers about the importance of having all the required supporting documentation properly formalized and available whenever needed.
• Create minimum technical/functional eInsurance documentation in order to support continuous system maintenance during its lifetime.
Weaknesses around external interface
Management will:
• Implement controls to manage both the completeness and the integrity of the transmitted data.
• Restrict access to the network folder where the files to be sent to the Bank are safeguarded, on an as-needed basis; and
• Create a formal contract and/or a formal agreement with Banesco Bank over the interface that is maintained with that entity; the contract must contain, among others, a specific clause about data confidentiality.