PROCEDURES
Access Control
- Need to Know
- Each of the policy requirements set forth in this document is based on the concept of need to
know. If a Decisive Analytical Systems employee is unclear how the requirements set forth in
this policy should be applied to any particular circumstance, he or she must conservatively
apply the need to know concept. That is to say that information must be disclosed only to those
people who have a legitimate business need for the information.
- System Access Control
- Proper controls shall be in place to authenticate the identity of users and to validate each
user’s authorization before allowing the user to access information or services on the system.
Data used for authentication shall be protected from unauthorized access. Controls shall be in
place to ensure that only personnel with the proper authorization and a need to know are granted
access to systems and their resources. Remote access shall be controlled through identification
and authentication mechanisms.
- Access Granting Decisions
- Access to sensitive information must be provided only after the written authorization of the
Data Owner has been obtained. Access requests will be presented to the data owner using the
Access Request template. Custodians of the involved information must refer all requests for
access to the relevant Owners or their delegates. Special needs for other access privileges will
be dealt with on a request-by-request basis. The list of individuals with access to Confidential
or Restricted data must be reviewed for accuracy by the relevant Data Owner in accordance with a
system review schedule approved by the VP or the Head of Infrastructure.
Information Classification
Owners and Production Information
All electronic information managed by Decisive Analytical Systems must have a designated Owner.
Production information is information routinely used to accomplish business objectives. Owners
should be at the VP level or above. Owners are responsible for assigning appropriate sensitivity
classifications as defined below. Owners do not legally own the information entrusted to their care.
They are instead designated members of the management team who act as stewards, and who supervise
the ways in which certain types of information are used and protected.
- Restricted
- This classification applies to the most sensitive business information that is intended for use
strictly within the organization. Its unauthorized disclosure could seriously and adversely
impact the organization, its customers, its business partners, and its suppliers.
- Confidential
- This classification applies to less-sensitive business information that is intended for use
within the organization. Its unauthorized disclosure could adversely impact the organization or
its customers, suppliers, business partners, or employees.
- Public
- This classification applies to information that has been approved by management for release
to the public. By definition, there is no such thing as unauthorized disclosure of this
information and it may be disseminated without potential harm.
Owners and Access Decisions
Data Owners must make decisions about who will be permitted to gain access to information, and the
uses to which this information will be put. Data Owners must take steps to ensure that appropriate
controls are utilized in the storage, handling, distribution, and regular usage of electronic
information.
Object Reuse and Disposal
Storage media containing sensitive (i.e. restricted or confidential) information shall be completely
empty before re-assigning that medium to a different user or disposing of it when no longer used.
Simply deleting the data from the media is not sufficient. A method must be used that completely
erases all data. When disposing of media containing data that cannot be completely erased, it must be
destroyed in a manner approved by the Head of Infrastructure of Decisive Analytical Systems.
- Removable Media
- Decisive Analytical Systems staff may only use Decisive Analytical Systems removable media in
their work computers. Decisive Analytical Systems removable media may not be connected to or
used in computers that are not owned or leased by Decisive Analytical Systems without
explicit permission of Decisive Analytical Systems InfoSec staff. Sensitive information should
be stored on removable media only when required in the performance of your assigned duties or
when providing information required by other state or federal agencies. When sensitive
information is stored on removable media, it must be encrypted in accordance with the Decisive
Analytical Systems Acceptable Encryption Policy.
Exceptions to this policy may be requested on a case-by-case basis through the Decisive Analytical
Systems exception procedures.
Physical Security
- Data Center Access
- Access to the data center must be physically restricted in a reasonable and appropriate manner.
- Facility Access
- All network equipment (routers, etc.) and servers located in the corporate office and in all
facilities must be secured when no personnel, or authorized contractors, are present. Physically
secured is defined as locked in a location that denies access to unauthorized personnel.
Special Considerations for Restricted Information
If Restricted information is going to be stored on a personal computer, portable computer, personal
digital assistant, or any other single-user system, the system must conform to data access control
safeguards approved by Decisive Analytical Systems and Corporate senior management. When these users
are not currently accessing or otherwise actively using the restricted information on such a
machine, they must not leave the machine without logging off, invoking a password protected screen
saver, or otherwise restricting access to the restricted information.
- Data Encryption Software
- Employees and vendors must not install encryption software to encrypt files or folders
without the express written consent of Decisive Analytical Systems Security.
Information Transfer
- Transmission Over Networks
- If Restricted data is to be transmitted over any external communication network, it must be sent
only in encrypted form. Such networks include electronic mail systems, the Internet, etc. All
such transmissions must use a virtual public network or similar software as approved by the
Information Security Team.
- Transfer To Another Computer
- Before any Restricted information may be transferred from one computer to another, the person
making the transfer must ensure that access controls on the destination computer are
commensurate with access controls on the originating computer. If comparable security cannot be
provided with the destination system access controls, then the information must not be
transferred.
Software Security
- Secure Storage of Object and Source Code
- Object and source code for system software shall be securely stored when not in use by the
developer. Developers must not have access to modify program files that actually run in
production. Changes made by developers must be implemented into production by Technical
Operations. Unless access is routed through an application interface, no developer shall have
more than read access to production data. Further, any changes to production applications must
follow the change management process.
- Testing
- Developers must at least perform unit testing. Final testing must be performed by the Quality
Assurance team or the target user population.
- Backup
- Sensitive data shall be backed up regularly, and the backup media shall be stored in a secure
environment.
Key Management
- Protection of Keys
- Public and private keys shall be protected against unauthorized modification and substitution.
- Procedures
- Procedures shall be in place to ensure proper generation, handling, and disposal of keys as well
as the destruction of outdated keying material.
- Safeguarding of Keys
- Procedures shall be in place to safeguard all cryptographic material, including certificates.
Decisive Analytical Systems Security must be given copies of keys for safekeeping.
Last Modified: 1st January 2021