Office of the Chief Technology Officer
Access Control Policy


Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 05/25/2021

 

1. Purpose

Specify requirements for minimizing risks of unauthorized access to the District of Columbia Government’s (“District”) Systems and resources.

2. Authority

DC Official Code § 1-1401 et seq. provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.

3. Applicability

This policy applies to all District workforce members (including contractors, vendors, consultants, temporary staff, interns, and volunteers) performing official functions on behalf of the District, and/or any District agency or entity (e.g. subordinate and independent agencies, Council of the District of Columbia, D.C. Charter Schools, etc.) who receive enterprise services from OCTO. In addition, this policy applies to any providers and third-party entities with access to District information, networks, and applications.

4. Policy

All users of District systems with access to District sensitive data, as defined in the District Data Policy, must identify themselves and provide a means to authenticate their claimed identities.

System and Application administrators are responsible for the management of Privileged accounts. This responsibility includes user identification, authentication, authorization, and the assignment of the appropriate level of access to systems and applications. Privileged accounts include all Administrative, Service/Operational, and System accounts.

District access controls are governed by the requirements stated below:

4.1. Account Management

District agencies must:

  1. Identify and select the following types of system accounts to support the agency’s missions/business functions:
    1. Administrator
    2. Standard
    3. Guest
  2. Assign account managers for system accounts.
  3. Establish conditions for group and role membership.
  4. Specify authorized users of the system, group and role membership, access authorizations, and other attributes for each account.
  5. Require approvals by organization-defined personnel or roles, for requests to create system accounts.
  6. Create, enable, modify, disable, and remove system accounts per the District account management procedures.
  7. Monitor system account usage.
  8. Notify account managers:
    1. When accounts are no longer required.
    2. When users are separated or transferred; and
    3. When individual system usage or need-to-know changes.
  9. Authorize access to the system based on:
    1. Valid access authorizations.
    2. Intended system usage; and
    3. Other attributes as required by the organization or associated missions/business functions.
  10. Review accounts for compliance with account management requirements at least annually.
  11. Establish a process for reissuing shared/group account credentials when individuals are removed from the group.
  12. Align account management processes with personnel separation and transfer processes.

4.2. Access Enforcement

Access to the District's sensitive information must be based upon a valid access authorization and intended system usage.

4.3. Separation of Duties

District agencies must:

  1. Separate the roles and responsibilities to ensure that system administration and system auditing roles are not performed by the same personnel.
  2. Document separation of duties of individuals; and
  3. Define system access authorizations to support the separation of duties.

4.4. Least Privilege

District agencies must employ the concept of least privilege, granting users only the authorized access necessary to accomplish their assigned tasks.

4.5. Unsuccessful Login Attempts

District agencies' information systems must:

  1. Enforce a limit of 5 consecutive invalid login attempts by a user during a 2-hour period.
  2. Automatically lock the account/node until released by an administrator when the maximum number of unsuccessful login attempts is exceeded.
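The two requirements above describe a counter with a time window and a lock that only an administrator can release. The following tracker is an added illustration of that logic, not code from OCTO or from the policy; in practice the rule is normally enforced by the identity provider's own lockout settings rather than custom code. Names such as `LockoutPolicy`, `record_attempt` and `admin_unlock` are this example's own, the in-memory dictionary stands in for a real account store, and the example reads "exceeded" as locking on the attempt that takes the consecutive-failure count past 5 (change the comparison to `>=` to lock on the fifth failure instead). A successful logon resets the consecutive count, failures older than the window no longer count, and a locked account is refused even when the credential presented is correct.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Parameters from section 4.5: at most 5 consecutive invalid attempts within
# any 2-hour period; once exceeded, the account stays locked until an
# administrator releases it (no automatic expiry).
MAX_CONSECUTIVE_FAILURES = 5
FAILURE_WINDOW = timedelta(hours=2)


@dataclass
class AccountState:
    # Timestamps of consecutive failures that still fall inside the window.
    failures: List[datetime] = field(default_factory=list)
    locked: bool = False
    locked_at: Optional[datetime] = None


class LockoutPolicy:
    """Hypothetical tracker enforcing the 4.5 lockout rule per account."""

    def __init__(self, max_failures: int = MAX_CONSECUTIVE_FAILURES,
                 window: timedelta = FAILURE_WINDOW) -> None:
        self.max_failures = max_failures
        self.window = window
        self.accounts: Dict[str, AccountState] = {}  # stands in for a real store

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def record_attempt(self, user: str, credential_valid: bool, now: datetime) -> str:
        """Evaluate one logon attempt; returns 'ok', 'failed' or 'locked'.

        credential_valid is the result of the password/MFA check performed
        elsewhere. A locked account is refused regardless of that result.
        """
        st = self._state(user)
        if st.locked:
            return "locked"
        if credential_valid:
            st.failures.clear()  # a success breaks the consecutive run
            return "ok"
        # Keep only failures inside the 2-hour window, then add this one.
        cutoff = now - self.window
        st.failures = [t for t in st.failures if t > cutoff]
        st.failures.append(now)
        if len(st.failures) > self.max_failures:
            st.locked = True
            st.locked_at = now
            return "locked"
        return "failed"

    def is_locked(self, user: str) -> bool:
        return self._state(user).locked

    def admin_unlock(self, user: str, admin: str) -> Dict[str, str]:
        """Release the lock; this is the only path out of the locked state."""
        st = self._state(user)
        st.locked = False
        st.locked_at = None
        st.failures.clear()
        return {"user": user, "released_by": admin}


def replay(policy: LockoutPolicy,
           events: List[Tuple[str, bool, datetime]]) -> List[str]:
    """Feed a sequence of (user, credential_valid, timestamp) events through
    the policy and return the outcome of each attempt, in order."""
    return [policy.record_attempt(u, ok, t) for u, ok, t in events]


# Constructed sample: six bad passwords in a row for one user, then a
# correct one while locked, which the policy must still refuse.
T0 = datetime(2021, 5, 25, 9, 0)
SAMPLE_EVENTS = [("jdoe", False, T0 + timedelta(minutes=i)) for i in range(6)]
SAMPLE_EVENTS.append(("jdoe", True, T0 + timedelta(minutes=6)))


if __name__ == "__main__":
    policy = LockoutPolicy()
    for event, outcome in zip(SAMPLE_EVENTS, replay(policy, SAMPLE_EVENTS)):
        print(event[2].time(), event[0], "valid" if event[1] else "invalid", "->", outcome)
    print(policy.admin_unlock("jdoe", "helpdesk-admin"))
    print(policy.record_attempt("jdoe", True, T0 + timedelta(minutes=7)))
```

The window filter is what makes "consecutive ... during a 2-hour period" precise: five failures spread across more than two hours never trigger the lock, because the oldest ones age out before the count is exceeded, while five within the window plus one more do. The locked state carries no expiry field on purpose, matching requirement 2.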

4.6. System Use Notification

District agencies' information systems must:

  1. Before granting access to the system, display an agency-approved logon banner containing the District-approved wording that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and which states:
    1. Users are accessing a District Government system.
    2. System usage may be monitored, recorded, and subject to audit.
    3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties.
    4. Use of the system indicates consent to monitoring and recording.
  2. Retain the notification message on the screen until the user accepts the usage conditions and takes action to log on.
  3. For publicly accessible systems:
    1. Display system use information before granting further access.
    2. Display references to monitoring, recording, or auditing that are consistent with privacy accommodations that generally prohibit those activities.
    3. Describe the authorized uses of the system.

4.7. Device Lock

District agencies' information systems must:

  1. Prevent system access by automatically initiating a device lock after 10 minutes of inactivity.
  2. Retain the device lock until the user reestablishes access using proper identification and authentication procedures; and
  3. During the period when a device is locked, conceal District information by displaying a publicly viewable image (e.g. District approved screen savers, solid colors, blank screen, etc.).

4.8. Session Termination

District agencies' information systems must be configured to automatically terminate a user session after 10 minutes of inactivity or network disconnection.

4.9. Permitted Actions Without Identification or Authentication

District agencies must:

  1. Identify user actions that can be performed on the system without identification or authentication and that remain consistent with the agency’s mission (e.g. access to District publicly available information, public websites, etc.).
  2. Document and provide supporting evidence in the security plan for user actions not requiring identification or authentication.

4.10. Remote Access

District agencies must:

  1. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed.
  2. Authorize remote access to the system before allowing such a connection.
  3. Deploy the use of encrypted virtual private networks (VPNs) to enhance the confidentiality and integrity of remote connections (See OCTO Virtual Private Network Policy).

4.11. Wireless Access

District agencies must:

  1. Establish usage restrictions, configuration/connection requirements, and implementation guidance for wireless access.
  2. Authorize wireless access to the system before allowing connections.
  3. Protect wireless access to the system by deploying strong authentication of users and devices along with strong encryption that can reduce susceptibility to threats by adversaries involving wireless technologies.

4.12. Access Control for Mobile Devices

District agencies must:

  1. Establish usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices.
  2. Authorize the connection of mobile devices to organizational systems.
  3. Disable lock-screen notifications on mobile devices used for Multifactor Authentication (MFA) so that MFA codes cannot be viewed without unlocking the screen with a passcode.

4.13. Access Control for Mobile Devices | Full Device/Container-Based Encryption

District agencies must employ container encryption to protect the confidentiality and integrity of information on agency-approved mobile devices.

4.14. Use of External Systems

District agencies must establish terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:

  1. Access any external systems.
  2. Process, store, or transmit agency-specific information using external systems.

4.15. Publicly Accessible Content

District agencies must:

  1. Designate individuals authorized to post information onto a publicly accessible system.
  2. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information.
  3. Review the proposed content of information before posting onto the publicly accessible system to ensure that nonpublic information is not included; and
  4. Review the content on the publicly accessible system for nonpublic information on an annual basis and remove information, if discovered.

5. Exemption

Exceptions to this policy shall be requested in writing to the Agency’s CIO; the request will then be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.

6. Definitions

The definition of the terms used in this document can be found in the Policy Definitions website.