Document control
Version:
Change reference:
Reviewers (name / position): Information Security Manager
Copy No.:
In custody of: Information Security Management
Location: Documentation Server of Group Risk Management. Hard copies were distributed to the related departments.
TABLE OF CONTENTS
1. AUTHENTICATION & PASSWORD RULES
2. ACCESS CONTROL
3. AUDIT TRAIL & LOGGING
4. AUDITING REPORTS
5. ON REQUEST REPORTS
6. SEGREGATION OF DUTIES & ENTITLEMENTS
7. ENCRYPTION
1. AUTHENTICATION & PASSWORD RULES
Comply
Clarification
- No one can know his/her password
- No one can know his/her password
- Password must be complex
- Protect against failed logins / unauthorized attempts
- No one can know the password (confidentiality)
- Flexibility and level of protection
- If the admin forgot to disable or delete a user ID
- Another protection level
- Alerting procedure and awareness
- Not to use the same passwords again
- To avoid sniffing of clear-text passwords
- To ensure authentication
3. Users should not be allowed to access more than one terminal at the same time.
Comply
Clarification: Non-repudiation
4. Login screens for production and for development must be different; the login screen for a production system or application must include a notification that it is a production environment.
Comply
Clarification: Traceability
4. AUDITING REPORTS
Requirement questions
1. System administrator changes (all activities: add, modify, delete) showing time, date, terminal, type of action, changed data before and after, and user ID.
2. Security operation changes (all activities: add, modify, delete) showing time, date, terminal, type of action, changed data before and after, and user ID.
3. Failed login attempt report showing: user ID, user name, date, time, terminal No. and IP address.
4.
Comply
Clarification: Unauthorized attempts
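The following is an added example, not part of the original checklist or of any product it was written against. It shows how the failed-login report of item 3 can be produced from application log lines, with the fields in the order the requirement lists them, and how the same records can feed a "too many consecutive failures" check. The pipe-delimited log format, the user IDs, names, terminals, IP addresses and the threshold value are all constructed for this example; a real application's log format and lockout policy will differ.

```python
"""Added example (not part of the original checklist): build the failed-login
attempt report required by item 3 (user ID, user name, date, time, terminal
number, IP address) from application log lines, and flag users whose
consecutive failed attempts reach a threshold. The log format and every value
below are constructed for this example and belong to no real system."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (pipe-delimited); not from any real system.
# The last line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """\
2024-03-01 08:59:12|LOGIN_FAIL|uid=t1023|name=A. Example|term=T07|ip=10.1.4.22
2024-03-01 08:59:40|LOGIN_FAIL|uid=t1023|name=A. Example|term=T07|ip=10.1.4.22
2024-03-01 09:00:05|LOGIN_OK|uid=t1023|name=A. Example|term=T07|ip=10.1.4.22
2024-03-01 09:03:18|LOGIN_FAIL|uid=t2001|name=B. Example|term=T12|ip=10.1.4.31
2024-03-01 09:03:30|LOGIN_FAIL|uid=t2001|name=B. Example|term=T12|ip=10.1.4.31
2024-03-01 09:03:41|LOGIN_FAIL|uid=t2001|name=B. Example|term=T12|ip=10.1.4.31
2024-03-01 09:04:02|LOGIN_FAIL|uid=t2001|name=B. Example|term=T12|ip=10.1.4.31
this line is malformed and must be skipped, not crash the report
"""

# Assumed line layout: timestamp|event|uid=..|name=..|term=..|ip=..
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\|(?P<event>[A-Z_]+)\|"
    r"uid=(?P<uid>[^|]+)\|name=(?P<name>[^|]+)\|term=(?P<term>[^|]+)\|ip=(?P<ip>[^|\s]+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # never let one bad line abort an audit report
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        yield rec


def failed_login_report(text):
    """Rows in the order item 3 asks for: user ID, user name, date, time, terminal, IP."""
    return [
        (r["uid"], r["name"], r["ts"].strftime("%Y-%m-%d"),
         r["ts"].strftime("%H:%M:%S"), r["term"], r["ip"])
        for r in parse_log(text) if r["event"] == "LOGIN_FAIL"
    ]


def users_over_threshold(text, threshold=3):
    """User IDs whose run of consecutive failures reached the threshold
    without a successful login in between (a successful login resets the run)."""
    streak = defaultdict(int)
    flagged = set()
    for r in parse_log(text):
        if r["event"] == "LOGIN_FAIL":
            streak[r["uid"]] += 1
            if streak[r["uid"]] >= threshold:
                flagged.add(r["uid"])
        elif r["event"] == "LOGIN_OK":
            streak[r["uid"]] = 0
    return sorted(flagged)


if __name__ == "__main__":
    for row in failed_login_report(SAMPLE_LOG):
        print("|".join(row))
    print("over threshold:", users_over_threshold(SAMPLE_LOG))
```

The report is generated from the records the application already writes, so it can be run by the security administrator without the system administrator's involvement, which is what the segregation requirement later in this checklist asks for.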
5. ON REQUEST REPORTS
Requirement questions
1. All users and their authorities, privileges and limits (if any) that they are able to request, broken down by branch or department where applicable.
2. All groups/profiles with their functions, their transactions and their privileges or entitlements.
3. All essential information on the users, sorted by branch number (if the system is organised by branches) and serial user ID.
Comply
Clarification
6. SEGREGATION OF DUTIES & ENTITLEMENTS
Requirement questions
1. Authorities and duties must be segregated between the system administrator and the security administrator, to the effect that the system administrator must not be able to maintain any user's authorities/entitlements or passwords.
2. Auditing reports must be available for all types of users (security admin, system admin, users, etc.).
3. Double control and supervision must exist in the system.
Comply
Clarification
Availability
Double check
Double check
7. ENCRYPTION
Requirement questions
1. Encryption has to be used to ensure the confidentiality and integrity of data during all phases of use. Encryption must be available when transferring all transactions from clients to application servers. Passwords must be encrypted (held as cipher text) on the application servers and when being transferred; passwords must not be known by any staff, even the administrator, and must be encrypted in the database.
Comply
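The following is an added example, not part of the original checklist. The requirement that passwords "must not be known by any staff even the administrator" is, in practice, met by storing a salted one-way hash rather than a reversible encryption of the password, so that the database record cannot be turned back into the password by anyone holding the keys; this example makes that choice explicitly and uses hashlib.scrypt from the Python standard library. The record layout, the cost parameters and the salt length are this example's own assumptions, not values from the checklist.

```python
"""Added example (not part of the original checklist): storing passwords so
that nobody, administrators included, can read them back. A salted, slow,
one-way hash (scrypt, from the standard library) is used instead of reversible
encryption; the record format and parameters below are this example's own
assumptions."""
import base64
import hashlib
import hmac
import os

# scrypt cost parameters (assumed for this example; tune to your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
DK_LEN = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, dklen=DK_LEN)


def make_record(password: str) -> str:
    """Return the string to store in the database: algorithm, parameters,
    a fresh random salt and the derived hash. The password itself is never
    stored and cannot be recovered from the record."""
    salt = os.urandom(SALT_LEN)
    digest = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the parameters and salt stored in the record
    and compare in constant time. A malformed record is rejected, not raised."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = _derive(password, salt, int(n), int(r), int(p))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


def record_reveals_password(password: str, record: str) -> bool:
    """Auditor's sanity check: neither the password nor its plain base64
    form appears anywhere in what is stored."""
    return password in record or _b64(password.encode("utf-8")) in record


if __name__ == "__main__":
    stored = make_record("correct horse battery staple")
    print("stored record:", stored)
    print("verify correct:", verify("correct horse battery staple", stored))
    print("verify wrong:  ", verify("wrong password", stored))
```

Because the salt is random per user, two users with the same password get different records, and because the hash is one-way, a database administrator who can read every record still cannot produce any user's password; that is the property the checklist item is asking for.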