In accordance with the Weill Cornell Medical College (WCMC) Data Classification Policy, all information systems that create, receive, store, or transmit data classified as 'Confidential' must adhere to the authentication and authorization principles of this document.
Entities Affected By This Policy
The Weill Cornell Medical College and Graduate School of Medical Sciences
- Responsible Executives: WCMC Chief Information Officer
- Responsible Department: Information Technologies and Services
- Dates: Issued: Interim, October 1st, 2007. Final Issuance: January 31st, 2008
- Contact: Information Technologies and Services
Reason for Policy
State and federal regulations, as well as general best practices, shape the security and privacy protections that must be afforded to data classified as "Confidential". This policy addresses regulatory and best practice requirements to ensure proper authentication and authorization to Confidential data.
Information systems or applications that create, receive, store, or transmit Confidential data (hereafter "Confidential Systems" - see Data Classification policy) must, without exclusion, adhere to the following:
- Managers and administrators of Confidential systems are responsible for ensuring access to those systems is based on work function and is controlled using the minimum necessary standard. Documented procedures for ensuring appropriate access to Confidential Systems must include:
- Authorization methods (e.g. using a CWID), including manner and type of authorized administrative access
- Authentication methods (e.g. requiring passwords), including manner and type of authentication
- Methods for evaluating access to Confidential systems based on the need to fulfill an appropriate business purpose
- Documentation of each workforce member's and vendor's access rights to Confidential systems
- Acknowledgement forms, signed by the appropriate supervisors, which document that they have knowingly and willingly authorized access rights to Confidential systems to appropriate workforce members and vendors
- Acknowledgement forms, signed by the appropriate workforce members and vendors, which document that all appropriate parties are aware of their authorized access rights to Confidential systems
- A formal process for annually reviewing and revising workforce member and vendor access to Confidential systems
- A formal process for the timely termination of workforce member and vendor access to Confidential systems whenever appropriate (e.g. immediately upon end of employment).
- A formal process for the timely change of workforce member and vendor access to Confidential systems whenever appropriate (e.g. after a change in role or position).
- A formal process for regularly assessing effectiveness of access controls to Confidential systems
- A formal process for providing, and subsequently removing, electronic access to Confidential systems to appropriate workforce members and vendors during an emergency
- All electronic access to Confidential systems must be the result of using a unique identifier, such as a username and password. Users are only granted one unique WCMC CWID and password. Using another user's account (CWID) to access Confidential systems is prohibited. Violators will be subject to disciplinary action (see the WCMC Sanctions Policy).
- Managers and administrators of Confidential systems are responsible for ensuring that access technologies and methodologies for those systems incorporate the following:
- Usage of "strong" (difficult to guess) passwords that contain, at minimum, a combination of capital and lower-case letters, and numbers
- Usage of "unique" (not shared among multiple users) user ID's (e.g. CWID's) with appropriate authentication mechanism (passwords, tokens, biometrics, etc)
- Forced periodic password changes of, at minimum, every 180 days (at least every 90 days for users who handle credit card transactions)
- Enforced prohibition of password reuse
- Enforced prohibition of sharing or disclosing of password
- All access to Confidential systems and data must be electronically logged. Logged data must be audited on a predetermined basis; at least annually. Documentation of audits must be kept for at least 2 years. Discrepancies or access violations found through audits should be reviewed and remediated.
- Audit logging should be deployed in layers: at the network, application, back-end database, and system levels, and incorporate the following:
- Access logs - systems or security administrators must have procedures in place to log and review administrative and user access to IT resources.
- Activity logs - systems or security administrators should log and review user activity, such as data insertions, revisions, changes, or deletions
- Systems monitoring - systems or security administrators should monitor IT resources for anomalies such as changes in performance, network traffic, and intrusion detection.
- In accordance with industry security standards, user accounts will be locked out for a period of time after multiple incorrect login attempts to protect against brute-force attacks. Users will be able to attempt login again after the period of time has passed.