Data Security
Controls provide reasonable assurance that computer resources are secure from unauthorized access and that access to the production system and data files is restricted to authorized employees with no incompatible duties.
- Users are identified and authenticated through unique User IDs, and passwords are masked on the screen during the sign-on process.
- Each User must be identified and authenticated before performing any actions on the system.
- The minimum length of collector passwords and their change intervals are agreed in line with client requirements.
- For supervisors/managers and the IT department (individuals with greater access control), passwords are required to be a minimum length and contain at least one alphabetic and one non-alphabetic character, and passwords are changed periodically.
- User access capabilities must be removed immediately upon termination of employment, transfer, change of job responsibilities, or leave of absence.
- Server monitoring logs are reviewed, and unusual access attempts and activities are investigated.
- System security access levels are reviewed annually by the CITO to ensure individual security access rights are appropriate based on job information.
- Network User IDs are suspended after a prescribed number of invalid attempts, and a password history is maintained.
- The CITO and/or the Security Administrator review log-on violations periodically.
- Access to sensitive areas is limited to those with logical access.
- Remote access to the system requires proper authorization.




