Everperform will establish specific requirements for protecting information and information systems against unauthorised access.
Everperform will effectively communicate the need for information system access control.
For the purposes of this document Information is defined as any data stored on Everperform systems or provided to Everperform as part of an engagement, this includes but is not limited to:
Instance and Account information
Application usage information (log data, device information, location information and page metadata)
Limited access to third party services and the data this entails when applicable (Customers must opt in to this option)
Additional information placed in the system by users (Feedback, KPI values and Goals)
Information security is the protection of information against accidental or malicious disclosure, access, modification or destruction. Information is the foundation of Everperform, and as such must be managed with care.
Access controls are put in place to protect information by controlling who has the rights to use different information resources and by guarding against unauthorised use.
Formal procedures must control how access to information is granted and how such access is changed.
This policy also mandates a standard for minimising the risk of accidental or malicious access to restricted information through industry standard policies such as password strength, age and instilling best practice behaviours in those involved.
This policy applies to all Everperform Employees, contractual third parties with any form of access to Everperform information and information systems.
Access control rules and procedures are required to regulate who can access Everperform information resources or systems. This policy applies at all times and should be adhered to whenever accessing Everperform information or information systems in any format, and on any device.
On occasion business information may be disclosed or accessed prematurely, accidentally or unlawfully. Individuals or companies, without the correct authorisation and clearance may intentionally or accidentally gain unauthorised access to business information, which may adversely affect day-to-day business. This policy is intended to mitigate that risk.
Non-compliance with this policy could have a significant effect on the efficient operation of Everperform and may result in financial loss and an inability to provide necessary services to our customers. Employees found failing to comply with this policy could face disciplinary action or termination.
Applying the Policy - Passwords
Passwords are the first line of defence for Information Security for our systems to establish that people are who they claim to be.
A poorly chosen or misused password is a security risk and may impact upon the confidentiality, integrity or availability of our computers and systems.
Weak and strong passwords
A weak password is one which is easily discovered, or detected, by persons other than the original creator.
A strong password is a password that is designed in such a way that it is unlikely to be detected by persons other than the original creator, and difficult to work out even with the help of a computer.
Everperform employees must meet the following minimum requirements for password strength:
It is of utmost importance that the password remains protected at all times. The following guidelines must be adhered to at all times:
Never reveal your passwords to anyone.
Never use the 'remember password' function.
Never store your passwords in a computer system without encryption.
Do not use any part of your username within the password.
Do not use the same password to access different systems.
Do not use the same password for systems inside and outside of work.
To assist with the protection of passwords and minimise the possibility of user error Everperform has incorporated a single sign-on, multi factor authentication system to ensure the safety of Everperform information. Everperform also logs, tracks and records all activities through this system to ensure the user access to Everperform related systems is completed in line with organisational policy.
Users must change passwords whenever the system prompts you to change it. Default passwords must also be changed immediately. If you become aware, or suspect, that your password has become known to someone else, you must change it immediately and report your concern to the Chief Security Officer.
System Administration Standards
The password administration process for individual Everperform systems is well-documented and available to designated individuals.
All Everperform IT systems will be configured to enforce the following:
Authentication of individual users, not groups of users - i.e. no generic accounts (exceptions to this rule can be made with express permission of the chief security officer).
Protection with regards to the retrieval of passwords and security details.
System access monitoring and logging - at user level.
Role management so that members only have access to their business critical functions.
Password administration processes must be properly controlled, secure and auditable.
Applying the Policy – Employee Access
User Access Management
Formal user access control procedures must be documented, implemented and kept up to date for each application and information system to ensure authorised user access and to prevent unauthorised access. They must cover all stages of the lifecycle of user access, from the initial registration of new users to the removal of users who no longer require access. These must be agreed to by the Chief Security Officer. Each user must be allocated access rights and permissions to computer systems and data that:
Are deemed to be business critical to their position at Everperform
Have a unique login that is not shared with or disclosed to any other user.
Have an associated unique password that is requested at each new login.
User access rights must be reviewed at regular intervals (or at time of change in employment/position) to ensure that the appropriate rights are still allocated. System administration accounts must only be provided to users that are required to perform system administration tasks.
A request for access to Everperforms computer systems must first be submitted to the Engineering department for approval. Applications for access must only be submitted if approval has been gained from the Chief Security Officer
If an employee is to leave Everperform, access to any Everperform computer systems and data must be suspended at the close of business on the employee’s last working day. It is the responsibility of the employees direct manager to request the termination of all user accounts by the Chief Security Officer.
It is a user’s responsibility to prevent their system credentials being used to gain unauthorised access to Everperform systems by:
Following the Password Policy Statements outlined above in Section 6.
Ensuring that any PC they are using that is left unattended is locked or logged out.
Leaving nothing on display that may contain access information such as login names and passwords.
Informing the Chief Security Officer of any changes to their role and access requirements.
Network Access Control
Any devices users wish to use to connect to Everperform associated networks must first be inspected by the Chief Security Officer to ensure adequate steps have been taken by the user to ensure the device offers no security risk to Everperform networks.
User Authentication for External Connections
Where remote access to the Everperform network is required, an application must be made via the Engineering department. Remote access to Everperform network and associated network infrastructure is limited to minimal users with business critical access requirements and enforced through multi-factor authentication.
Supplier’s Remote Access to the Everperform Infrastructure
Any contractors or service providers requiring or requesting access to any Everperform network or associated infrastructure must gain the approval of both the Chief Security Officer and the owner of Everperforms Information Security Management Policy. Access to these networks is heavily monitored and managed to ensure 3rd party access to sensitive information is for business critical reasons only.
Operating System Access Control
Access to operating systems is controlled by a secure login process. The access control defined in the User Access Management section (section 7.1) and the Password section (section 6) above must be applied. The login procedure must also be protected by:
Not displaying any previous login information e.g. username.
Limiting the number of unsuccessful attempts and locking the account if exceeded.
The password characters being hidden by symbols.
Displaying a general warning notice that only authorised users are allowed.
All access to operating systems is via a unique login id that will be audited and can be traced back to each individual user. The login id must not give any indication of the level of access that it provides to the system (e.g. administration rights).
System administrators must have individual administrator accounts that will be logged and audited.
Application and Information Access
Access within software applications must be restricted using the security features built into the individual product. The Chief Security Officer is responsible for granting access to the information within the system. The access must:
Be compliant with the User Access Management section (section 7.1) and the Password section (section 6) above.
Be separated into clearly defined roles.
Give the appropriate level of access required for the role of the user.
Be unable to be overridden (with the admin settings removed or hidden from the user).
Be free from alteration by rights inherited from the operating system that could allow unauthorised higher levels of access.
If any user is found to have breached this policy, they may be subject to disciplinary action. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s).
If you do not understand the implications of this policy or how it may apply to you, seek advice from either the Chief Security Officer or Chief Executive Officer.