

Corporate Security Policy

(First Tennessee Bank, written by Bob Wicksel)

All computer‑based data and programs are corporate assets and, as such, must be protected against unauthorized access, disclosure, and/or manipulation.

The Transaction and Information Group under the direction of the Priority Committee, as part of its custodial responsibility for the main computer data and programs, will assure that certain base security controls are defined, implemented, and administered for these corporate assets. The Transaction and Information Group also has responsibility for advising the user/owner of those additional controls that can be added to provide further security beyond the base controls. The user/owner of the respective application data and programs will assume the responsibility for determining which of these additional control features will be employed within their respective functional area and for assuring that the proper ongoing administrative procedures are observed.

Base Security Controls

Base security controls for the First Tennessee host computer environment are established by the security task force. These controls are monitored and administered via the CA Top Secret security software package.

The implementation of base security controls, within the framework of CA Top Secret, will be based upon the principle of “least possible privilege”. Under this principle, initial communication with the host computer, access to data/programs and the use of computing functions will be summarily denied unless specific authorization has been granted and is resident within the CA Top Secret Security File.

Base controls 1 through 3 deal with the initiation of communication between the user and the host computer; three control levels (access, identification, and authentication) must be satisfied to establish this base linkage.

Base controls 4 and 5 determine the information resources (data/programs) and computing functions the user will have access to.

Base control 6 deals with the mandatory changing of user passwords at a regular, specified interval.

Base control 7 addresses the logging and reporting of security violations.

Device Access Control

All computer terminals and card readers must have a unique, fixed hardware identification code known to the security system to communicate with the host computer. The Transaction and Information Group will assign this code to all existing devices and to any such devices added to the system. Attempts to gain access by any unknown device will be denied.

User Identification Control

All authorized users must have a unique personal identification code. This code must be supplied immediately after the initial host communication link is established, or further access will be denied and the communication link will be terminated. The Transaction and Information Group will assign this code based upon appropriate authorization supplied by a recognized user/owner.

User Authentication Control

All authorized users must have a unique personal password that is associated with their personal identification code. This password must be supplied immediately after their identification is successfully validated, or further access will be denied and the communication link will be terminated. Each user is responsible for the selection and protection of their personal password.

Information Access Control

All corporate information resources are owned and are identified by owner within the security system. Information resource owners must authorize access rights for each user requiring access to those resources. Access control will be automatically enforced by the security system. Attempted unauthorized access to owned resources will be denied.

Computing Function Control

All host computing functions (for example, the insertion, changing, or deletion of data; the execution of computer programs; the creation, copying, or deletion of data files/programs) will be protected by the security system. Resource owners must authorize computing function capability for each user with these requirements. Attempted unauthorized performance of computing functions will be denied.

Mandatory Changing of Passwords Control

Each authorized user must change his/her personal password every thirty days. The security system provides this capability directly to the user; therefore the responsibility for password security rests with each user. Passwords may be changed more often as necessary, but non‑observance of the 30‑day requirement will result in the automatic suspension of access rights.

Violation Logging and Reporting Control

All security violations, whether intentional or unintentional, will be logged when they occur. Security violation reports will be prepared and distributed to appropriate individuals, such as the security office, EDP Audit, and owner department manager.

Repeated intentional security violations by individuals may result in suspension of computer access rights, disciplinary action, and/or termination.

Unattended Terminal Locking Control

This control provides each user with the ability to lock their terminal, preventing unauthorized access, in the event the terminal is left unattended for a period of time. Attempts to gain access from a locked terminal will be denied.

Note: This control is recommended in place of an automatic time‑out feature that could cause loss of data or dysfunction within a particular application.