| Reference: 01.21-32.47 | Version: 1.2 | Effective Date: Dec 20, 2018 | Revision Date: July 21, 2021 |
| Title: Mortgage Planners – Identity & Access Management Policy |
| DOMAIN: IDENTITY MANAGEMENT | DOCUMENT TYPE: SECURITY POLICY |
| SECTION: SECURITY & COMPLIANCE |
Mortgage Planners
This document was developed by TCPCOM Inc. and defines the requirements of the “Identity & Access Management Policy” applicable at Mortgage Planners.
2 GENERAL INFORMATION
2.1 Revision History
| Version | Date | Summary | Prepared by |
| 1.0 | 2018-12-06 | Initial version | Marc-Andre Heroux |
| 1.1 | 2019-01-23 | Update Policy Statement | Marc-Andre Heroux |
| 1.2 | 2021-07-21 | Update Security Risks | Marc-Andre Heroux |
2.2 Related Documents
| Type | Security Requirements |
| Title | Mortgage Planners – Registry of Security Controls |
2.3 Information Security Responsibility
Senior management is responsible for enforcing the security policy. The security officer is responsible for ensuring the proper definition and implementation of the security policy.
3 SECURITY POLICY OBJECTIVE
3.1 Purpose of the Security Policy
Establish requirements related to Identity & Access Management to prevent unauthorized access to information systems supporting the critical business activities of the company.
3.2 Scope of Security Policy
This policy applies to all employees of Mortgage Planners, service providers and/or employees of third parties performing work related to informational resources of Mortgage Planners.
The scope of cyber assets is as follows: servers and network systems as well as technical security controls and/or utilities supporting business functions and operations.
3.3 Managing Information Security
Senior management must ensure that a senior security officer (CISO, CSO) reviews and defines effective controls. The security officer must also collaborate and validate that controls are in place and properly implemented to limit access to information according to roles, need to know and need to use.
Processes, mechanisms and solutions to prevent the disclosure of information and to maintain the integrity and availability of informational resources must be defined and implemented.
3.4 Breach of Security Policy
An intentional or unintentional violation of the policies, procedures, standards or security requirements of Mortgage Planners may be subject to disciplinary action and may result in termination of employment or contract and possibly civil/criminal prosecution.
Anyone suspected of a security breach or deviation will be treated fairly, and a full investigation will be conducted to protect their legal rights.
3.5 Exceptions to the policy
Any exceptions related to this security policy must be approved by the senior management.
4 USER ACCOUNT MANAGEMENT
4.1 Policy Statement
A formal process of registration and de-registration of user accounts must be in place. Monitoring and logging of user activities must be enforced (e.g. access to AWS).
Security controls must be in place to apply adequate privilege management (e.g. locking or disabling a user account if unused for 90 days, multi-factor authentication for privileged access).
Clear requirements for account provisioning, standard requirements for new accounts, and requirements for account decommissioning must be defined.
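As an added illustration of the two controls named in this policy statement (locking or disabling accounts unused for 90 days, and multi-factor authentication for privileged access), the following check runs over a constructed account inventory; it is example code written for this document, not a Mortgage Planners or TCPCOM tool, and the user names, dates and field layout are all hypothetical.

```python
from datetime import date

INACTIVITY_LIMIT_DAYS = 90  # lock/disable threshold stated in section 4.1

# Constructed sample account inventory (hypothetical users, not real data).
# last_activity is None when the account has never been used.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "created": "2020-05-04", "last_activity": "2021-07-15",
     "privileged": True, "mfa_enabled": True, "enabled": True},
    {"user": "bob", "created": "2019-11-12", "last_activity": "2021-03-01",
     "privileged": False, "mfa_enabled": False, "enabled": True},
    {"user": "carol", "created": "2021-02-01", "last_activity": None,
     "privileged": True, "mfa_enabled": False, "enabled": True},
    {"user": "dave", "created": "2018-12-20", "last_activity": "2021-01-10",
     "privileged": False, "mfa_enabled": True, "enabled": False},
]


def days_since_use(account, today_iso):
    """Days since the last recorded activity, or since creation if never used."""
    last = account["last_activity"] or account["created"]
    return (date.fromisoformat(today_iso) - date.fromisoformat(last)).days


def evaluate_accounts(accounts, today_iso, limit_days=INACTIVITY_LIMIT_DAYS):
    """Return (user, finding) pairs for enabled accounts that violate section 4.1.

    idle_account      : no activity for more than limit_days (lock or disable it)
    privileged_no_mfa : privileged access without multi-factor authentication
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already locked/disabled: nothing left to enforce
        if days_since_use(acct, today_iso) > limit_days:
            findings.append((acct["user"], "idle_account"))
        if acct["privileged"] and not acct["mfa_enabled"]:
            findings.append((acct["user"], "privileged_no_mfa"))
    return findings


if __name__ == "__main__":
    # Review date taken from this policy's revision date.
    for user, finding in evaluate_accounts(SAMPLE_ACCOUNTS, "2021-07-21"):
        print(f"{user}: {finding}")
```

A never-used account counts as idle from its creation date, so a privileged account provisioned but never activated is reported for both findings.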
4.2 Security Risks
If an incorrect provisioning process is in place, unauthorized access to systems or other resources could be obtained (e.g. social engineering through a manual password reset request made by email or phone).
Unauthorized access to a cyber asset or to a Mortgage Planners resource may lead to the disclosure of sensitive information or to unauthorized modification of information or systems.
If an employee has left the company and still has access to the network via their user account, unauthorized or malicious access to cyber assets and data could occur, either by the former employee or by a malicious user who takes over former and/or unused accounts.
To prevent unauthorized access, the departing employee's credentials and other authentication methods must be revoked as soon as possible.
5 MANAGING PRIVILEGES
5.1 Policy Statement
Access to informational resources must be provided based on a need to know and use. It must allow only the required access to perform the work according to a role, activity and operational function.
Access privileges must be configured in an access control system that authenticates and authorizes users in accordance with management's approval and must deny access unless it is expressly authorized.
Clear requirements for privilege management must be defined and applied to ensure proper segregation of duties (e.g. a database administrator must not be authorized to delete database system logs).
5.2 Security Risks
Improper management of privileges could lead to situations where users access cyber assets, management interfaces or applications they have no need to know or use. This could lead to unauthorized access, disruption or modification of informational resources.
If privilege management is not applied per role with adequate segregation of duties, someone could, for example, access information, or make a change and erase its traces from the event log (like a database administrator with rights to delete logs).
6 PASSWORD MANAGEMENT
6.1 Policy Statement
Passwords must be provided through a formal, specific security process, and controls must be in place to enforce the requirements (e.g. strong passwords).
Clear requirements for the management of passwords must be defined and applied.
6.2 Security Risks
An inappropriate process for managing passwords could lead to unauthorized access to informational resources (e.g. cyber assets, applications), unauthorized modification, and disruption of critical services.
7 REVIEW OF ACCESS RIGHTS
7.1 Policy Statement
The system owner is solely responsible for access control related to cyber assets and information systems. Periodic formal review of user access rights is required.
Clear requirements related to the revision of accounts and rights must be defined and applied.
7.2 Security Risks
If there is no formal periodic review of user access rights, unauthorized use of an account could persist for an extended period of time while allowing access to critical informational resources. In addition, changes to an account could be made and remain undetected (e.g. an account no longer used by its previous owner now under the control of a threat agent).
8 SERVICE ACCOUNT AND VENDOR DEFAULT
8.1 Policy Statement
Default vendor users and passwords should be changed.
Clear requirements for vendor accounts and default service accounts must be defined and applied.
Default admin accounts must be removed (or disabled when removal is not possible; in that case, if a password is used, the password must be changed and the account disabled). To ensure continuity, a new admin account with a different name must be created before removing or disabling a default admin account; the newly created account must be tested and confirmed as working properly.
8.2 Security Risks
If default vendor passwords are not changed, a threat agent may gain unauthorized access to a cyber asset or an information system.
If requirements for default vendor and service accounts are not defined, informational assets could potentially be compromised, disrupted and/or accessed without authorization.
9 GENERIC ACCOUNT
9.1 Policy Statement
Group IDs, shared passwords and generic accounts must not be used (they must be removed or disabled).
Generic IDs can only be used optionally for recovery purposes to ensure the provision of a service.
Clear requirements for a generic account must be defined and applied.
9.2 Security Risks
When generic accounts are used, it is very difficult to manage, audit or apply responsibility and accountability principles. An account could be used for unauthorized purposes and it would be potentially impossible to attribute the action to anyone.
10 SESSION
10.1 Policy Statement
Session timeout must be controlled and inactive sessions must be closed after a period of inactivity (for example, closing a remote session after 15 minutes of inactivity).
10.2 Security Risks
Sessions must be closed primarily to prevent access by unauthorized users. Improper settings on cyber assets could allow a threat agent to access, connect to, modify, disrupt, execute or delete informational resources without authorization.
11 ACCESS CONTROL
11.1 Policy Statement
A formal approval process for accessing cyber assets and IT systems of Mortgage Planners must be followed by system owners. They must ensure that the access requested corresponds to a role having the need to know and need to use.
The system owner must ensure that the access provided meets an adequate level of security protection and does not affect the security of the IT infrastructure of Mortgage Planners (e.g. why, who, what, when, how and from where it is possible to access a cyber asset or an information resource).
Access control requirements must cover internal and remote connections, and third-party access to Mortgage Planners cyber assets or information systems. Security controls must be in place to ensure adequate protection of information in transit, in execution and at rest (e.g. encrypting information in transport, preventing/authorizing execution access, encrypting information at rest, role-based access control (RBAC)).
Access to online and cloud informational resources must be standardized and kept to a standard naming convention; this mainly applies to:
- URL link to web development
- URL link to web staging and integration
- URL link to web production
The number of entry points must be kept to a minimum (e.g. URLs for testing an application, URLs for remotely connecting to a system).
11.2 Security Risks
Failure to develop and implement formal requirements for access control covering internal, external and third-party connections could potentially compromise and/or lead to unauthorized access to information, cyber assets, applications, or critical services.
Not applying a standard to URLs, and regularly changing the URLs pointing to various informational resources, increases complexity and the likelihood of errors, so a standardized approach is required. Having too many URLs for the same need creates complexity; some could even be forgotten, left operational and abused by a threat agent.
