Identification and Authentication Policy
Walter Kobus at TESS (http://www.tess-llc.com/) has made his Identification and Authentication Policy available here.
His policy covers the key elements required in any authentication policy. Here's an excerpt:
Policy
Access to the [ORGANIZATION]'s information assets will be granted on different levels, based on the business rules established by the data owners of that information, for an authorized user or entity to create, read, update, delete or transmit that information. Users will be provided access based on the concept of "least privilege." Access will be managed and controlled through discretionary access controls, identification and authentication, and audit trails.

Use of the [ORGANIZATION]'s information assets shall be restricted and shall be allowed only as necessary to support authorized business activities. The business rules currently in effect in conjunction with the [ORGANIZATION]'s user-based access controls shall be reviewed for adequate security level access and protection, and may serve as the foundation for establishing compliance with this policy.

Any effort to circumvent the [ORGANIZATION]'s information security mechanisms to gain access or to exploit any known or unknown vulnerabilities shall be perceived as a security incident, and shall be handled in accordance with established incident reporting guidelines and/or appropriate human resources policies and procedures.

All of the [ORGANIZATION]'s information is considered an asset and is protected, in all of its forms, from accidental or intentional but unauthorized disclosure (confidentiality), modification or destruction (integrity), or the inability to process that information (availability).
Walter requires a $5 fee for using or adapting his copyrighted policy. That’s a bargain in my opinion.
Check it out!