Skip to content

2.18-Review Organizational User Policies

Task Review Organizational User Policies

Conditions

Given an organization user policies and access to information security personnel and knowledge workers.

Standards

The team member reviews all written policies regarding users of information systems within a given organization. The policies should at a minimum address:
* Acceptable Use Policy
* Account request process
* Account creation/deletion/suspension procedures
* Access control methodology (e.g. group membership)
* Initial and periodic user training
* Process for elevated privilege request and reviewed
* Account audit process

The team member will interview information security personnel to ensure complete understanding of policies and technical implementation as necessary.
The team member interviews random knowledge workers to ensure user base has full understanding of user requirements and responsibilities.

Endstate

All user policies have been reviewed and shortfalls annotated and briefed to the system owner.

Notes

  • Acceptable Use Policy
    Will be tailored to the organization and include items such as social media, PII and email monitoring. Policy will fall in line with local provider or enclave.

  • Account Requests:
    Account forms can be found in a central digital location that is easily accessible for personnel to retrieve. The account request form needs to include information fields for name (first, last), rank/title, organization, reason for request, location/group. Digital copy of completed request forms should be kept in a central database with access restricted to those who need it (account creators, database administrators) Information Assurance (IA) training certification is required as part of account request packet. IA training can be found at https://ia.signal.army.mil. A passing score of 70% is required to gain an account and is an annual requirement to keep the account.

  • Account suspension:
    After a lack of use or non-use for 45 days or an AUP violation, user accounts will be placed in suspension (disabled) status. If suspension is in response to an AUP violation, the account will not be placed back into active status until after IA training has been redone and the certification is received by the account managers and noted on the account. If the account in is suspended status due to lack of use, the user will need to speak with the account managers to get it reactivated.

  • Account deletion:
    Reasons for account deletion include lack of use, repeat violations of the Acceptable Use Policy and job termination. Lack of use or non-use limit for user accounts is set at 90 days. For account deletion due to violations, users are granted two suspensions before resulting in deletion. All user violations should be noted on their account with the incident date, incident, response results, and date of completion of IA training from the new certification.

  • Access control methodology:
    Access to groups and elevated privileges are treated on an individual basis. Requesters will need to fill out a request form that includes information fields for name, rank/title, organization, requested groups/elevated privileges/access level, why they are requesting it and have supervisor approval to be given access to additional groups and privileges. Periodic review will be conducted to determine continued user access to the groups and privileges.

  • Initial and periodic review:
    IA and Information Assurance Security Officer (IASO) training will need to renewed on an annual basis. Any additional certifications will also be reviewed on an annual basis as part of the personnel performance review to ensure any continued education that is needed is being addressed and tracked.

  • Elevated privilege request/review:
    Elevated privileges will be addressed on an individual basis. The request will use the same form as the group membership request and follow the same process. Elevated privileges will be periodically reviewed for determination of continued usage. Privilege violations will result in one warning before removal. To get privileges returned will require review with the user’s supervisor to determine if privileges will be returned due to required job duties.

  • Account audit process:
    Accounts will be audited on a monthly schedule and compared against various variables to determine account usage, status and IA/IASO certification expiration.

References

NIST 800-53 Controls
DISA IAWIP Policy References

Revision History