Web Applications Security Policy
Effective: March 14, 2001
Intent
This policy defines the access controls required for the Web applications and applies to anyone who has access to them. It communicates the requirements for using the Web applications' security controls and for protecting the privacy of users and data. It may also serve as the basis for audits that monitor user access to information resources and confirm that only authorized users can reach particular application features and data.
Scope
This Policy is applicable to all users of the applications.
All users of the applications must adhere to this Policy at all times.
Administration
The System Administrator(s) will be responsible for adding, changing and terminating users as required and in accordance with established procedures. Additionally, the System Administrators will perform periodic audits to verify the status of all users.
Policy
- Users shall not knowingly access the Web application without authorization.
- Users who have accessed a Web application with authorization shall not use the opportunity such access provides for unauthorized purposes.
- Login IDs will be automatically disabled after three unsuccessful logon attempts.
- Users shall not leave unattended a PC with an open Web application session, thereby allowing unauthorized persons to gain access.
- Users shall not access, modify, duplicate, destroy or disclose any information or software accessed through the Web application unless so authorized.
- Users shall select passwords as follows:
  1. Passwords must be a minimum of six (6) characters in length and consist only of characters from the set a-z, 0-9, $, #, or @.
  2. Users shall avoid using obvious names or information in passwords. In particular, the following should be avoided:
     - Name/nickname/initials
     - Social Security number/license number
     - Address
     - Birthday
     - Keywords such as “Systems”, “Test”, “Demo”
- Users shall not share their password with anyone else.
- Users shall not share their logon session with anyone else.
- After selecting a password, Users are responsible for:
  1. Exercising caution in the use of passwords. Passwords are designated as confidential and, as such, shall not be:
     - Disclosed to others.
     - Written down unless stored in a secure location.
     - Displayed anywhere that might allow others to copy or memorize them.
  2. Changing password(s) immediately if compromised or if the User becomes aware of a potential compromise.
- Users shall notify their system administrator immediately of any known or suspected violations of the above conditions and responsibilities.
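The two rules above that an application can enforce mechanically are the password-selection rules (minimum length, permitted character set, avoidance of personal information and of the listed keywords) and the three-strikes lockout of a login ID. The following Python is an added illustration written for this page, not code belonging to the policy's owner: the numeric thresholds and character set are taken from the text as written (a-z read literally as lowercase), while the account store, the list of user facts passed to the validator, the salted PBKDF2 password storage and the administrator re-enable step are assumptions made for the example.

```python
"""Added example: enforcing the password-selection and lockout rules of the policy.

Illustrative code written for this page, not software used by the policy's owner.
Thresholds and character set follow the policy text; the account store, the
user-fact list, the hashed storage and reenable() are assumptions for the example.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

MIN_LENGTH = 6                                  # rule 1: at least six characters
ALLOWED = re.compile(r"[a-z0-9$#@]+")           # rule 1: a-z, 0-9, $, #, @ (read literally: lowercase only)
BLOCKED_KEYWORDS = ("systems", "test", "demo")  # rule 2: keywords to avoid
MAX_FAILED_LOGONS = 3                           # login ID disabled after three unsuccessful attempts


def _normalize(fact: str) -> str:
    """Lower-case and strip punctuation so 'J.D.' or '1985-03-14' can be found inside a password."""
    return re.sub(r"[^a-z0-9]", "", fact.lower())


def password_problems(password: str, user_facts=()) -> list:
    """Return the policy rules a candidate password breaks; an empty list means it is acceptable.

    user_facts is a caller-supplied list of the items rule 2 says to avoid for this
    user (name, nickname, initials, SSN/licence number, address, birthday).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not ALLOWED.fullmatch(password):
        problems.append("contains characters outside a-z, 0-9, $, #, @")
    lowered = password.lower()
    for fact in user_facts:
        norm = _normalize(fact)
        if norm and norm in lowered:            # substring match: initials or a birthday buried in the middle still count
            problems.append(f"contains personal information ({fact!r})")
    for word in BLOCKED_KEYWORDS:
        if word in lowered:
            problems.append(f"contains keyword {word!r}")
    return problems


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_logons: int = 0
    disabled: bool = False


def _digest(password: str, salt: bytes) -> bytes:
    # The policy says nothing about storage; salted PBKDF2 is assumed here instead of plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Authenticator:
    """Minimal login-ID store applying the three-strikes lockout (assumed structure)."""

    def __init__(self):
        self.accounts = {}

    def add_user(self, user_id: str, password: str, user_facts=()) -> None:
        """Administrator action: create a login ID, refusing a password that breaks the policy."""
        problems = password_problems(password, user_facts)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = os.urandom(16)
        self.accounts[user_id] = Account(salt, _digest(password, salt))

    def logon(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None:
            return False                        # unknown ID gets the same answer as a wrong password
        if acct.disabled:
            return False                        # a disabled ID is refused even with the correct password
        if hmac.compare_digest(acct.digest, _digest(password, acct.salt)):
            acct.failed_logons = 0              # a successful logon clears the strike count
            return True
        acct.failed_logons += 1
        if acct.failed_logons >= MAX_FAILED_LOGONS:
            acct.disabled = True                # third unsuccessful attempt disables the login ID
        return False

    def reenable(self, user_id: str) -> None:
        """Administrator action after the user has been verified out of band (assumed procedure)."""
        acct = self.accounts[user_id]
        acct.failed_logons = 0
        acct.disabled = False
```

Two details matter for the lockout to be meaningful: a disabled login ID must be refused even when the correct password is presented (otherwise the third attempt can still succeed), and the failure counter must be stored per account rather than per session so that a fresh session cannot reset it. The length and character-set thresholds are kept as module constants so the validator can be tightened without touching the logic.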
Non-Compliance
Failure to comply with this policy may allow unauthorized access to the Web applications. Allowing unauthorized access can result in changes to data and to the applications. Violations of the Policy will result in revocation of access to the Web applications.