IV. Authority and Access Control Policy


Account Types – Definitions and usage of account types:

  • User Accounts

    • User accounts are unique accounts associated with an individual employee within Akwaaba. The rights and privileges of a user account are tailored to the role of the specific employee and the attributes of that role.

  • Privileged Accounts

    • Privileged accounts are granted root-level access to systems and resources. These accounts should not be used as an individual's primary account. Instead, administrators should switch to a privileged account from their user account only when root access is needed.

  • Default Root Accounts

    • Built-in accounts such as "root" on Linux systems and "Administrator" on Windows should be disabled. Named privileged accounts should be created and used in their place.

  • Service Accounts

    • Service accounts are assigned to services, not to users. Their rights and permissions should be limited to the minimum the service needs in order to function.

  • Shared Accounts

    • Individuals in the organization should not use shared accounts, because they undermine non-repudiation. All users should use their assigned user accounts so that every action can be attributed to the person who performed it.

Authentication

  • Credential Management

    • Passwords must be at least 12 characters long.

    • Passwords must include special characters (#, &, $, @, etc.).

    • Passwords must contain a mixture of uppercase and lowercase letters.

    • Previously used passwords should never be reused after a password change.

    • Accounts should be locked after 5 failed sign-in attempts.

  • Two-Factor Authentication

    • Some form of two-factor authentication should be used for all account access.

  • IP Blacklisting

    • IP addresses and domain names known to be malicious should be blocked from all systems and resources.

    • The Spamhaus Block List database will be used to identify malicious IP addresses and domains.
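The credential-management and IP-blocking rules above can be enforced directly in application code. The following is an added illustration, not code from this policy or from Akwaaba: the 12-character minimum, special-character and mixed-case checks, the no-reuse rule, the lockout after 5 failed sign-ins, and the CIDR-style blocklist match follow the rules stated above, while the 15-minute lockout duration, the PBKDF2 hashing parameters, the `LoginTracker` design and the sample blocklist networks (RFC 5737 documentation ranges, not real Spamhaus data) are assumptions made for the example.

```python
# Added example enforcing the credential-management and IP-blocking rules in
# this policy. Constructed for illustration; it is not Akwaaba's own code.
import hashlib
import hmac
import ipaddress
import os
import re
import time

MIN_LENGTH = 12                 # from the policy
LOCKOUT_THRESHOLD = 5           # failed sign-ins before lockout (from the policy)
LOCKOUT_DURATION = 15 * 60      # seconds; assumption, the policy sets no duration
PBKDF2_ROUNDS = 100_000         # assumption: hashing parameters are not in the policy
SPECIAL_CHAR = re.compile(r"[^A-Za-z0-9]")


def hash_password(password, salt=None):
    """Return (salt, digest) suitable for storing in an account's password history."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(candidate, history):
    """True if the candidate matches any (salt, digest) pair in the history."""
    return any(
        hmac.compare_digest(hash_password(candidate, salt)[1], digest)
        for salt, digest in history
    )


def password_violations(candidate, history=()):
    """List the policy rules a new password breaks; an empty list means compliant."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not SPECIAL_CHAR.search(candidate):
        violations.append("no special character")
    has_upper = any(c.isupper() for c in candidate)
    has_lower = any(c.islower() for c in candidate)
    if not (has_upper and has_lower):
        violations.append("missing uppercase or lowercase letters")
    if in_history(candidate, history):
        violations.append("reused from password history")
    return violations


class LoginTracker:
    """Counts consecutive failed sign-ins per account and locks at LOCKOUT_THRESHOLD.

    Timestamps are integer seconds (e.g. int(time.time())) so the logic is easy to test.
    """

    def __init__(self):
        self.failures = {}      # account -> number of consecutive failures
        self.locked_until = {}  # account -> time (seconds) when the lock expires

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:  # lock expired: clear it and reset the failure counter
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now):
        """Register a failed attempt; returns True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= LOCKOUT_THRESHOLD:
            self.locked_until[account] = now + LOCKOUT_DURATION
            return True
        return False

    def record_success(self, account):
        """A successful sign-in resets the consecutive-failure counter."""
        self.failures.pop(account, None)


# Constructed sample blocklist in CIDR form, the shape in which Spamhaus publishes
# its DROP list. These are RFC 5737 documentation ranges, not real Spamhaus entries.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.0/24")]


def is_blocked(ip_text):
    """True if the address falls inside any blocklisted network."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in BLOCKLIST)


if __name__ == "__main__":
    print(password_violations("password12345"))
    tracker = LoginTracker()
    now = int(time.time())
    print([tracker.record_failure("alice", now) for _ in range(LOCKOUT_THRESHOLD)])
    print(is_blocked("192.0.2.10"), is_blocked("198.51.100.7"))
```

In practice the `history` would be loaded from the account store and the blocklist refreshed from the Spamhaus feed on a schedule; the functions above only show the decision logic each rule implies.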

Account Management

  • The rights and permissions of every account should be set to the minimum required for the user to complete their tasks.

  • A standard naming convention should be used so that account names are unique, consistent, and memorable.

  • Routine audits should be performed to confirm that the proper account permissions are assigned and to detect non-compliance with this policy.

  • Group-based access control rules should be created so that permissions can be granted to, or removed from, sets of accounts efficiently.

  • Accounts should be disabled, not deleted, when off-boarding users.