Schedule for password
Process for controlling minimum password length and expiration periods.
Schedule for system password changes.
Procedure to grant accounts on computer systems, for example, statement of need, signature of requester, requester's manager, system manager, or person setting up the account. (Accounts can never be shared.)
Procedure to deactivate accounts due to organizational changes, for example, employee transfers or terminations.
Timetable for reauthorizing accounts, usually once every 6 to 12 months.
Directive to deactivate accounts that are not used on a regular basis.
Time periods for access.
Timetable for expiring accounts.
Procedure for requesting privileges that rigorously controls allocation.
Requirement to use nonprivileged accounts for privileged users performing normal system activity.
Schedule for verifying inactive accounts.
List of approved security tools.
events to audit
Logins from selected or all sources.
Changes to authorization file records.
Other uses of privilege and system management
Modifications to the known file list through the Install utility.
Modification to the network configuration database, using the network control program (NCP).
access to the computer room
A written list of authorized personnel with the reason for access included. Typically, one person would be responsible for keeping this list current.
Storage of a visitor log in a secure
Locked access doors and a documented procedure for assigning keys, key cards, and combinations. (These access controls change periodically and on transfer or termination
access to terminals and personal computers located outside the computer
Use of programs to log out terminals that have not been used for a given period of
Security awareness programs for the organization (beyond computer personnel); topics may include:
Maintaining a list of approved software.
Keeping desktops clear of hardcopy information relating to the computer system, network passwords, and other system account
Locking disks and file cabinets.
Keeping diskettes inaccessible in or near workstations.
Keeping keys out of open view.
Schedule for changing numbers periodically and procedures for notifying users of number changes.
A policy to minimize publishing dialup
Policy about changing passwords periodically and when employees with access are terminated.
Password protection, either in the modems or terminal servers, or system passwords on host dialup ports.
Documentation available about:
Details about the network
Terminal equipment installed
Terminal switching systems
Details about all terminal devices connected to the
Details about all dialup equipment
Denial of access into privileged accounts if using passwords over TCP/IP, LAT, or Ethernet
Use of authentication cards for network logins into privileged