
Identity & Access Requirements

Introduction

This document establishes the minimum security requirements needed to identify users on systems and allocate access.

Scope

This policy applies to all individuals who access company-provided systems. Whether you’re an employee, contractor, or visitor, these guidelines govern your use of networks, devices, and software.

Requirements

Identity Verification

Identities are proofed and bound to credentials based on the context of interactions.

Logical Access

Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.

  • Require that users (or roles) with privileged accounts use non-privileged accounts when accessing nonsecurity functions or nonsecurity information.

  • Review the privileges assigned to roles or classes of users annually to validate the need for such privileges.

Physical Access

Physical access to assets is managed, monitored, and enforced commensurate with risk.
