Heart-Healthy Insurance Information Security Policy
Western Governors University
A1. New User Section
The REVISED portions of the new user section now stipulate:
“(1) New users are assigned access with the principle of least privilege. They will have a level of access commensurate with the access required to do their job. This level will be predetermined by IT staff according to job title.
(2) An administrator account approval form with the manager’s signature must be submitted to the IT department for a request for administrator access, along with justification. The department will review for approval.” (Perkins, 2014).
A2. Password Requirements
Software running with these privileges can:
* Install rootkits
* Access data belonging to other people
* Reset passwords
* Stop the machine from restarting.
The U.S. Defense Department’s Trusted Evaluation Criteria, an accepted standard for IT security, requires that each node in a network be granted the least elevated set of privileges needed for adequate performance of required jobs. Applying this principle limits the damage that can result from accidental or intentional malicious use (Steven, 2006). In summary, if a user system is compromised by malware, limited privileges help protect the system and the data on the machine. The approval form, together with IT review, helps to limit errors and avoid giving end users excessive access.
Password Policy Change Justification:
Our old policy of 8 upper- and lowercase letters was simply not complex enough. According to Mike Halsey, our current policy would allow an attacker using modern password cracking tools to correctly guess a password of mixed upper- and lowercase characters in 3 hours. Increasing the minimum length to nine characters with a combination of upper- and lowercase letters, numbers and special characters increases this time to 12 years (Sherrill, 2012). NIST SP 800-53 and ISO/IEC 27001 & 27002:2013 section 9 are industry standards that justify this policy change (Improving Critical Infrastructure Cybersecurity Executive Order 13636, 2013).
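As an added illustration (not part of the policy document), the following Python checker enforces the revised requirements stated above and compares the size of the old and new password search spaces; the 3-hour and 12-year figures are Halsey's and are not recomputed here, and the special-character set is assumed to be ASCII punctuation.

```python
import string

# Revised policy: at least nine characters drawn from upper, lower,
# digit and special classes, with every class represented.
MIN_LENGTH = 9
SPECIALS = set(string.punctuation)  # assumed special-character set (32 symbols)


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character")
    return problems


def is_compliant(candidate: str) -> bool:
    """True when the candidate satisfies every revised requirement."""
    return not check_password(candidate)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def old_vs_new_keyspace():
    """Compare the old (8 letters) and new (9 mixed-class) search spaces."""
    old = keyspace(8, 26 + 26)                      # upper + lower only
    new = keyspace(9, 26 + 26 + 10 + len(SPECIALS))  # plus digits + specials
    return old, new, new // old


if __name__ == "__main__":
    # Constructed sample passwords, not values from the policy document.
    for pw in ("Password", "password1!", "Passw0rd!"):
        print(pw, "->", check_password(pw) or "compliant")
    print("keyspace growth factor: %d" % old_vs_new_keyspace()[2])
```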
In summary, to help...